PDA

View Full Version : Batter Up: W32/Bagle.RC.worm - hldrrr.exe (think got rid of wintems.exe & mdelk.exe)



EasyEEE
2008-01-22, 03:22
Ok, as others, I have been infected with several tojans.

Ready to listen to the Masters. ;)

I had scanned the files with Norton's Anti-Virus prior to executing the file. Of course, it said it was clean. Obviously, it wasn't. It uninstalled Norton's Anti-Virus and Firewall uninstalled upon execution. Unable to reinstall.

Ran several on-line scanners, all claiming to have removed files, even tried to follow the replied walk-throughs. I believe I managed to get rid of wintems.exe and mdelk.exe, but at this point, who knows.

I still have the hldrrr.exe / Bagle.RC.worm. Fun.

Can't install Spybot.

I ran Deckard's System Scanner (DSS) earlier, and forgot to save the two files. Now, it will only create one. Is there a work around for that?

Ok, ready to do it. :D

EasyEEE
2008-01-22, 04:23
Deckard's System Scanner v20071014.68
Run by Owner on 2008-01-21 21:20:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:44 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4016
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196686463109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7370 bytes

-- Files created between 2007-12-21 and 2008-01-21 -----------------------------

2008-01-21 20:54:40 0 d-------- C:\Program Files\Trend Micro
2008-01-21 15:42:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-21 15:42:04 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-21 15:15:50 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-01-20 11:18:19 0 d-------- C:\Documents and Settings\Owner\DesktopErunt
2008-01-20 00:00:00 102664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys <Not Verified; Trend Micro Inc.; ActiveClean>
2008-01-19 23:59:07 0 d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-01-19 15:02:59 0 d-------- C:\WINDOWS\BDOSCAN8
2008-01-19 12:35:58 0 d-------- C:\WINDOWS\pss
2008-01-18 23:27:58 0 d-------- C:\Program Files\RegSupreme Pro
2008-01-18 19:24:16 0 d-------- C:\WINDOWS\Sun
2008-01-18 19:24:16 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2008-01-18 13:10:43 0 d-------- C:\Program Files\Lavasoft
2008-01-18 13:10:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-18 13:10:22 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 12:59:41 1158 --a------ C:\WINDOWS\mozver.dat
2008-01-18 12:41:46 0 d-------- C:\Program Files\Ontrack
2008-01-18 10:12:01 0 d-------- C:\Program Files\Symantec Client Security
2008-01-18 10:04:50 0 d-------- C:\Sym EndPoint
2008-01-17 09:04:56 0 d-------- C:\Program Files\QuickTime
2008-01-15 16:02:24 0 d-------- C:\HJSplit
2008-01-13 20:43:09 0 d-------- C:\Program Files\MediaMonkey
2008-01-13 20:34:59 0 d-------- C:\Music
2008-01-13 20:22:08 25088 -----n--- C:\WINDOWS\system32\CTSVCCTL.EXE <Not Verified; Creative Technology Ltd; Creative Service Control>
2008-01-13 20:22:08 44032 -----n--- C:\WINDOWS\system32\CTSVCCDA.EXE <Not Verified; Creative Technology Ltd; Creative Service for CDROM Access>
2008-01-13 14:47:27 0 d-------- C:\Documents and Settings\Owner\Application Data\SampleView
2008-01-13 14:42:03 0 d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-01-13 14:41:15 74703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-01-13 14:40:08 0 d-------- C:\Documents and Settings\Owner\Application Data\iolo
2008-01-13 14:40:08 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-01-13 11:45:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-01-13 11:43:51 2917 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2008-01-13 11:43:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-13 11:40:27 0 d-------- C:\Program Files\Apple Software Update
2008-01-13 11:40:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-07 16:36:41 669184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-01-06 23:27:42 0 d-------- C:\Program Files\YourWare Solutions
2008-01-04 10:22:56 0 d-------- C:\Program Files\Activision
2008-01-04 10:20:17 0 d--hs---- C:\WINDOWS\ftpcache
2008-01-03 19:19:11 0 d-------- C:\Program Files\Electronic Arts
2008-01-03 18:09:40 0 d-------- C:\Saved
2008-01-03 16:26:39 0 d-------- C:\Program Files\NVIDIA Corporation
2008-01-03 16:25:50 0 d-------- C:\Program Files\NVIDIA nTune Performance Application
2008-01-02 23:28:52 0 d-------- C:\WINDOWS\nview
2008-01-02 22:52:12 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-02 22:52:11 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-01 23:45:48 0 d-------- C:\Program Files\ASUS
2008-01-01 23:21:46 0 d-------- C:\Program Files\SpeedFan
2008-01-01 13:38:20 0 d-------- C:\Mini CD DVD Images
2008-01-01 11:22:49 0 d-------- C:\Program Files\RivaTuner v2.06
2007-12-24 11:33:01 0 d-------- C:\Program Files\DVD Decrypter
2007-12-24 11:27:23 0 d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-24 11:27:22 0 d-------- C:\Program Files\DVD Shrink
2007-12-23 06:59:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Creative
2007-12-23 05:19:06 0 d-------- C:\Program Files\Common Files\Creative
2007-12-23 05:19:05 0 d--h----- C:\Program Files\Creative Installation Information
2007-12-23 05:15:25 0 d-------- C:\Program Files\Creative
2007-12-22 22:59:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Nero
2007-12-22 22:57:35 0 d-------- C:\Program Files\Nero
2007-12-22 22:57:35 0 d-------- C:\Program Files\Common Files\Nero
2007-12-22 22:57:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-12-22 22:26:44 0 d-------- C:\Program Files\DVD2one V2
2007-12-22 22:23:42 0 d-------- C:\Documents and Settings\Owner\Application Data\PgcEdit
2007-12-21 20:33:13 0 dr-h----- C:\Documents and Settings\Owner\Application Data\SecuROM
2007-12-21 14:10:28 0 d-------- C:\Program Files\Sierra Entertainment
2007-12-21 03:00:20 0 d-------- C:\Program Files\MSXML 4.0




End of Part 1

EasyEEE
2008-01-22, 04:23
Part 2 of Deckard's System Scanner


-- Find3M Report ---------------------------------------------------------------

2008-01-21 15:07:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-21 14:55:07 0 d-------- C:\Program Files\Symantec
2008-01-21 14:48:16 0 d-------- C:\Program Files\Common Files
2008-01-20 11:04:05 0 d-------- C:\Documents and Settings\Owner\Application Data\NewsBin
2008-01-19 19:50:25 0 d-------- C:\Program Files\Google
2008-01-19 19:24:20 0 d-------- C:\Program Files\Digital Media Reader
2008-01-18 23:42:52 0 d-------- C:\Program Files\eMule
2008-01-18 10:08:20 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-01-18 09:41:07 40 --a------ C:\WINDOWS\system32\profile.dat
2008-01-12 21:18:16 0 d-------- C:\Program Files\Microsoft Games
2008-01-04 00:17:59 0 d-------- C:\Program Files\NewsBin
2008-01-03 16:41:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2007-12-20 20:12:51 0 d-------- C:\Program Files\Common Files\Microsoft Games
2007-12-18 12:59:36 0 d-------- C:\Program Files\IrfanView
2007-12-08 10:06:54 0 d-------- C:\Documents and Settings\Owner\Application Data\Microsoft Games
2007-12-08 07:53:57 0 d-------- C:\Program Files\DAEMON Tools
2007-12-07 21:13:07 0 d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
2007-12-07 14:41:11 0 d-------- C:\Documents and Settings\Owner\Application Data\PlayFirst
2007-12-07 14:39:55 0 d-------- C:\Documents and Settings\Owner\Application Data\GameHouse
2007-12-07 14:31:17 0 d-------- C:\Program Files\GameHouse
2007-12-06 23:01:45 0 d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2007-12-06 22:55:18 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2007-12-06 22:45:46 0 d-------- C:\Documents and Settings\Owner\Application Data\Jane s Hotel
2007-12-06 16:50:20 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2007-12-05 01:41:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-12-05 01:41:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-12-05 01:41:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 01:41:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-12-05 01:41:00 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-12-05 01:41:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 01:41:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-12-05 01:41:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-12-04 20:21:58 0 d-------- C:\Program Files\AC3Filter
2007-12-04 20:20:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
2007-12-04 20:04:39 0 d-------- C:\Program Files\DivX
2007-12-04 20:01:49 0 d-------- C:\Documents and Settings\Owner\Application Data\WinRAR
2007-12-03 20:33:18 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-12-03 20:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-03 20:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-03 20:33:16 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-03 16:39:35 0 d-------- C:\Program Files\Common Files\Adobe
2007-12-03 15:07:24 0 d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2007-12-03 11:40:47 0 d-------- C:\Program Files\QuickPar
2007-12-03 08:44:01 0 d-------- C:\Program Files\McAfee
2007-12-03 08:08:19 0 d-------- C:\Program Files\SystemRequirementsLab
2007-12-03 07:37:58 0 d-------- C:\Program Files\Napster
2007-12-03 07:11:33 0 d-------- C:\Program Files\Pure Networks
2007-12-03 07:10:08 0 d-------- C:\Program Files\Common Files\AOL
2007-12-03 07:10:03 0 d-------- C:\Documents and Settings\Owner\Application Data\AOL
2007-12-03 06:19:18 0 d-------- C:\Documents and Settings\Owner\Application Data\McAfee.com Personal Firewall
2007-12-03 06:15:39 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2007-12-03 02:06:16 0 d-------- C:\Program Files\Microsoft Works
2007-12-03 02:06:05 0 d-------- C:\Program Files\MSN Encarta Plus
2007-12-03 02:04:56 0 d-------- C:\Program Files\Common Files\Nullsoft
2007-12-03 02:04:56 0 d-------- C:\Documents and Settings\Owner\Application Data\You've Got Pictures Screensaver
2007-12-03 02:04:35 0 d-------- C:\Program Files\Common Files\Real
2007-12-03 02:04:32 0 d-------- C:\Program Files\Real
2007-12-03 02:04:20 0 d-------- C:\Program Files\Viewpoint
2007-12-03 02:03:44 335 --a------ C:\WINDOWS\nsreg.dat
2007-12-03 02:03:36 0 d-------- C:\Program Files\Common Files\Roxio Shared
2007-12-03 02:03:23 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-03 02:02:30 0 d-------- C:\Program Files\Realtek
2007-12-03 02:01:22 0 d-------- C:\Program Files\Microsoft Digital Image 2006
2007-12-03 02:01:16 4 --a------ C:\WINDOWS\Pix11.dat
2007-12-03 02:00:13 0 d-------- C:\Program Files\Java
2007-12-03 01:59:54 0 d-------- C:\Program Files\Common Files\Java
2007-12-03 01:55:26 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-12-03 01:55:06 0 d-------- C:\Program Files\Microsoft.NET
2007-12-03 01:50:34 0 d-------- C:\Program Files\CyberLink
2007-12-03 01:49:52 0 d-------- C:\Program Files\Common Files\New Boundary
2007-12-03 01:47:44 2 -r-hs---- C:\USER
2007-12-03 01:46:53 0 d-------- C:\Program Files\CONEXANT
2007-12-03 00:42:45 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT
2007-12-03 00:41:37 0 d-------- C:\Program Files\Windows NT
2007-12-03 00:41:35 0 d-------- C:\Program Files\Movie Maker
2007-12-03 00:41:34 0 d-------- C:\Program Files\Messenger
2007-12-03 00:38:18 0 d-------- C:\Program Files\Windows Plus
2007-12-03 00:38:18 0 d-------- C:\Program Files\Online Services
2007-12-03 00:38:18 0 d-------- C:\Program Files\MSN Gaming Zone
2007-12-03 00:38:18 0 d-------- C:\Program Files\microsoft frontpage
2007-12-03 00:38:18 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-12-03 00:38:18 0 d-------- C:\Program Files\Common Files\ODBC
2007-12-03 00:38:18 0 d-------- C:\Program Files\Common Files\MSSoap
2007-12-03 00:38:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Identities
2007-11-29 17:30:28 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 17:28:24 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-11-29 17:28:24 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-11-28 16:52:32 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-10-25 10:26:48 53248 --a------ C:\WINDOWS\bdoscandel.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [09/22/2005 01:36 PM C:\WINDOWS\RTHDCPL.EXE]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [08/27/2005 08:09 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 03:27 PM]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [09/29/2007 04:53 PM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 07:16 PM]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 08:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 11:56 PM]
"CLMLServer"="C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" [09/27/2007 11:10 PM]
"CLJ"="" []
"CHotkey"="zHotkey.exe" [12/08/2004 08:57 PM C:\WINDOWS\zHotkey.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 PM C:\WINDOWS\ALCMTR.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 02:00 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [10/08/2004 05:03 AM]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [09/04/2007 07:25 PM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [12/06/2007 07:06 AM]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [11/23/2006 05:12 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"EnableLUA"=0 (0x0)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ecb3481-a1a7-11dc-98a5-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-01-21 21:21:04 ------------

EasyEEE
2008-01-22, 04:27
Ice Sword Process:

Process:

System Idle Process
System
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Documents and Settings\Owner\Desktop\IceSword\IceSword122en\IceSword.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehRec.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\zHotkey.exe

EasyEEE
2008-01-22, 04:28
Ice Sword Win32 Services:

Started Service:

Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:AudioSrv Display Name:Windows Audio
Service Name:COMSysApp Display Name:COM+ System Application
Service Name:Creative Service for CDROM Access Display Name:Creative Service for CDROM Access
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:EventSystem Display Name:COM+ Event System
Service Name:Eventlog Display Name:Event Log
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:McrdSvc Display Name:Media Center Extender Service
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PnkBstrA Display Name:PnkBstrA
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:PrismXL Display Name:PrismXL
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RemoteRegistry Display Name:Remote Registry
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SENS Display Name:System Event Notification
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:UMWdf Display Name:Windows User Mode Driver Framework
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:aawservice Display Name:Ad-Aware 2007 Service
Service Name:dmserver Display Name:Logical Disk Manager
Service Name:ehRecvr Display Name:Media Center Receiver Service
Service Name:helpsvc Display Name:Help and Support
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:nTuneService Display Name:nTune Service
Service Name:seclogon Display Name:Secondary Logon
Service Name:srservice Display Name:System Restore Service
Service Name:winmgmt Display Name:Windows Management Instrumentation



Under SSDT, there are 7 red entries of sptd.sys.

EasyEEE
2008-01-22, 04:36
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 21, 2008 8:01:29 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/01/2008
Kaspersky Anti-Virus database records: 526068
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 134770
Number of viruses found: 3
Number of infected objects: 45
Number of suspicious objects: 0
Duration of the scan process: 03:34:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Power2Go\CLML\CLDB.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008012120080122\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HXM6BIOM\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HXM6BIOM\b64_3[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKRU6YW8\b64_3[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SRAF89YK\b64_2[1].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SRAF89YK\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001424.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001431.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001442.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001443.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001450.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001490.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001493.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\change.log Object is locked skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000139.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000141.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000142.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000144.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000145.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000146.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000147.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000148.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000149.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000150.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000151.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000152.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000155.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000156.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000158.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000159.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000176.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000177.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5\A0000299.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5\A0000300.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5\A0000317.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5\A0000318.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000452.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000453.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000460.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000484.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000494.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000660.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000663.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000730.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000734.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP7\A0000940.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB896256$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F2E3B076-8525-4719-81D2-4BC095B5A3A6}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_53c.dat Object is locked skipped
D:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\change.log Object is locked skipped

Scan process completed.

Rorschach112
2008-01-22, 15:43
Hello



Please run Icesword (http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip)


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Now, click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Now post all of the data collected under the headings for :

Processes
Win32 Services
SSDT
Startup

EasyEEE
2008-01-22, 23:16
Thanks for the reply. All other requested information has been posted. Rebooted before posting that and haven't rebooted or made any system changes/attempts to fix since posted. Just a few games of Freecell. Appreciate the help!




Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RTHDCPL
RTHDCPL.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Recguard
%WINDIR%\SMINST\RECGUARD.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
readericon
C:\Program Files\Digital Media Reader\readericon45G.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Power2GoExpress
"C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSKDetectorExe
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
High Definition Audio Property Page Shortcut
HDAShCut.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ehTray
C:\WINDOWS\ehome\ehtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CLMLServer
"C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CLJ


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CHotkey
zHotkey.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Alcmtr
ALCMTR.EXE

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NVIDIA nTune
"C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
DAEMON Tools
"C:\Program Files\DAEMON Tools\daemon.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CTSyncU.exe
"C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
C:\Documents and Settings\Owner\Application Data\m\flec006.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
german.exe
C:\WINDOWS\system32\wintems.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\Owner\Start Menu\Programs\Startup
desktop.ini

Rorschach112
2008-01-23, 02:34
Can you post all the logs please

I can't get started till I see them.

EasyEEE
2008-01-23, 02:38
Yup, I'll post them again. Thanks. -Brad

EasyEEE
2008-01-23, 02:48
Processes


Process:

System Idle Process
System
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Documents and Settings\Owner\Desktop\IceSword\IceSword122en\IceSword.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehRec.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Application Data\m\flec006.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\zHotkey.exe




Win32 Servies:

Started Service:

Service Name:AudioSrv Display Name:Windows Audio
Service Name:COMSysApp Display Name:COM+ System Application
Service Name:Creative Service for CDROM Access Display Name:Creative Service for CDROM Access
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:EventSystem Display Name:COM+ Event System
Service Name:Eventlog Display Name:Event Log
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:McrdSvc Display Name:Media Center Extender Service
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PnkBstrA Display Name:PnkBstrA
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:PrismXL Display Name:PrismXL
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RemoteRegistry Display Name:Remote Registry
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SENS Display Name:System Event Notification
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:UMWdf Display Name:Windows User Mode Driver Framework
Service Name:WebClient Display Name:WebClient
Service Name:aawservice Display Name:Ad-Aware 2007 Service
Service Name:dmserver Display Name:Logical Disk Manager
Service Name:ehRecvr Display Name:Media Center Receiver Service
Service Name:helpsvc Display Name:Help and Support
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:nTuneService Display Name:nTune Service
Service Name:seclogon Display Name:Secondary Logon
Service Name:srservice Display Name:System Restore Service
Service Name:winmgmt Display Name:Windows Management Instrumentation




SSDT

7 red entries of sptd.sys




Startup

Startup:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\Owner\Start Menu\Programs\Startup
desktop.ini


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NVIDIA nTune
"C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
DAEMON Tools
"C:\Program Files\DAEMON Tools\daemon.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CTSyncU.exe
"C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
C:\Documents and Settings\Owner\Application Data\m\flec006.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
german.exe
C:\WINDOWS\system32\wintems.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RTHDCPL
RTHDCPL.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Recguard
%WINDIR%\SMINST\RECGUARD.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
readericon
C:\Program Files\Digital Media Reader\readericon45G.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Power2GoExpress
"C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSKDetectorExe
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
High Definition Audio Property Page Shortcut
HDAShCut.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ehTray
C:\WINDOWS\ehome\ehtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CLMLServer
"C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CLJ


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CHotkey
zHotkey.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Alcmtr
ALCMTR.EXE

Rorschach112
2008-01-23, 02:55
Perfect :)

Backup Your Registry with ERUNT
Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe



Now for the fix. Close all windows and run IceSword.exe. Do not restart your until the very end to ensure the fix works

Step 1 : Click the Processes tab and right-click on the following red colored processes one by one and choose "Terminate Process". This will kill the rooted processes.

C:\Documents and Settings\Owner\Application Data\m\flec006.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe


Step 2 : Now, we have to delete the rooted files. Click the File button. This will display a Windows Explorer type interface. Navigate to the following file(s) in bold and delete them if present.

C:\Documents and Settings\Owner\Application Data\m\flec006.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\german.exe
C:\Documents and Settings\All Users\Application Data\hidires\hidr.exe


Step 3 : Now, we have to delete the rooted registry keys. Click the Registry button. This will display a regedit type interface. Navigate to the following registry keys in bold and delete them if present.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\srosa


Next navigate to these registry keys and delete the registry values in bold

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
C:\Documents and Settings\Owner\Application Data\m\flec006.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
german.exe
C:\WINDOWS\system32\wintems.exe

Then reboot your PC and run IceSword again. Save new logs from the "Processes", "Win32 Services", and "Startup" tabs, taking note of any red entries from them and from the SSDT tab.

EasyEEE
2008-01-23, 03:41
The following files were not found:

C:\WINDOWS\system32\german.exe
C:\Documents and Settings\All Users\Application Data\hidires\hidr.exe


Pretty sure the following entry was not there (may have been, and I may have deleted it per your intrusctions):

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa


ControlSet003 and ControlSet004 didn't exist:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\srosa


Processes


Process:

System Idle Process
System
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Documents and Settings\Owner\Desktop\IceSword\IceSword122en\IceSword.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Application Data\m\flec006.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\zHotkey.exe




Win32 Services

Started Service:

Service Name:AudioSrv Display Name:Windows Audio
Service Name:Browser Display Name:Computer Browser
Service Name:COMSysApp Display Name:COM+ System Application
Service Name:Creative Service for CDROM Access Display Name:Creative Service for CDROM Access
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:EventSystem Display Name:COM+ Event System
Service Name:Eventlog Display Name:Event Log
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:McrdSvc Display Name:Media Center Extender Service
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PnkBstrA Display Name:PnkBstrA
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:PrismXL Display Name:PrismXL
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RemoteRegistry Display Name:Remote Registry
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SENS Display Name:System Event Notification
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:UMWdf Display Name:Windows User Mode Driver Framework
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:aawservice Display Name:Ad-Aware 2007 Service
Service Name:dmserver Display Name:Logical Disk Manager
Service Name:ehRecvr Display Name:Media Center Receiver Service
Service Name:helpsvc Display Name:Help and Support
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:nTuneService Display Name:nTune Service
Service Name:seclogon Display Name:Secondary Logon
Service Name:srservice Display Name:System Restore Service
Service Name:winmgmt Display Name:Windows Management Instrumentation




SSDT

7 red entries of sptd.sys




Startup

Startup:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\Owner\Start Menu\Programs\Startup
desktop.ini


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NVIDIA nTune
"C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
DAEMON Tools
"C:\Program Files\DAEMON Tools\daemon.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CTSyncU.exe
"C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
german.exe
C:\WINDOWS\system32\wintems.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
C:\Documents and Settings\Owner\Application Data\m\flec006.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RTHDCPL
RTHDCPL.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Recguard
%WINDIR%\SMINST\RECGUARD.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
readericon
C:\Program Files\Digital Media Reader\readericon45G.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Power2GoExpress
"C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSKDetectorExe
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
High Definition Audio Property Page Shortcut
HDAShCut.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ehTray
C:\WINDOWS\ehome\ehtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CLMLServer
"C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CLJ


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CHotkey
zHotkey.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Alcmtr
ALCMTR.EXE

Rorschach112
2008-01-23, 14:51
Something is stopping it from being removed

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1 (http://subs.geekstogo.com/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 3 (http://www.forospyware.com/sUBs/ComboFix.exe) Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

EasyEEE
2008-01-23, 20:44
Walked away while it was doing it's scan. When I came back, apparently my system crashed (honestly doesn't do that very often at all).

What WAS interesting, was, a Windows Alert that Windows Firewall was blocking Flec06.exe or whatever... and asked if I wanted to keep blocking or allow. I allowed it to keep blocking.

Why that is interesting, is, everytime I check Windows Security, the Windows Firewall has been disabled. This is the first time since infection, that it appears Windows Firewall has remained active through a re-boot.

Anyway, does the log file get created or would there have been an option or notpad window open up?

Here is the HiJackThis Log following the auto-crash/reboot/whatever happened:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:41, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Application Data\m\flec006.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4016
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\Owner\Application Data\m\flec006.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196686463109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7614 bytes

Rorschach112
2008-01-23, 21:05
Try run ComboFix again, if it crashes then try it in Safe Mode

EasyEEE
2008-01-23, 21:10
System did not reboot/crash.

ComboFix Scan completed in just a couple of minutes.

ComboFix 08-01-23.2 - Owner 2008-01-23 14:06:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1595 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA
-------\srosa




((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-23 13:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 21:40 . 2008-01-23 09:49 70,660 --a------ C:\WINDOWS\system32\mdelk.exe
2008-01-22 21:38 . 2008-01-23 09:51 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-01-22 21:38 . 2004-10-08 05:03 837,281 --------- C:\WINDOWS\system32\drivers\hldrrr.exe
2008-01-21 20:54 . 2008-01-21 21:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 15:42 . 2008-01-21 15:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-21 14:55 . 2008-01-21 14:55 <DIR> d-------- C:\Deckard
2008-01-20 00:00 . 2008-01-22 10:40 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-19 18:24 . 2008-01-19 18:24 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-19 18:24 . 2008-01-19 18:24 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-19 15:02 . 2008-01-20 08:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-18 23:27 . 2008-01-21 15:01 <DIR> d-------- C:\Program Files\RegSupreme Pro
2008-01-18 19:24 . 2008-01-18 19:24 <DIR> d-------- C:\WINDOWS\Sun
2008-01-18 13:10 . 2008-01-18 13:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-18 13:10 . 2008-01-18 14:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 12:59 . 2008-01-18 12:59 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-18 12:41 . 2008-01-18 12:42 <DIR> d-------- C:\Program Files\Ontrack
2008-01-18 10:12 . 2008-01-18 10:17 <DIR> d-------- C:\Program Files\Symantec Client Security
2008-01-18 10:04 . 2008-01-18 10:05 <DIR> d-------- C:\Sym EndPoint
2008-01-17 09:04 . 2008-01-17 09:05 <DIR> d-------- C:\Program Files\QuickTime
2008-01-15 20:11 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-15 16:02 . 2008-01-21 20:28 <DIR> d-------- C:\HJSplit
2008-01-13 20:43 . 2008-01-13 20:43 <DIR> d-------- C:\Program Files\MediaMonkey
2008-01-13 20:34 . 2008-01-13 22:58 <DIR> d-------- C:\Music
2008-01-13 20:22 . 1999-12-13 01:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2008-01-13 20:22 . 1999-11-18 01:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2008-01-13 14:41 . 2008-01-13 14:41 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-01-13 11:40 . 2008-01-13 11:40 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-07 16:36 . 2008-01-07 16:36 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-01-06 23:27 . 2008-01-06 23:27 <DIR> d-------- C:\Program Files\YourWare Solutions
2008-01-04 11:15 . 2008-01-17 10:27 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-01-04 11:15 . 2008-01-07 16:36 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-01-04 11:15 . 2008-01-17 10:28 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-04 11:15 . 2008-01-04 11:15 319 --a------ C:\WINDOWS\game.ini
2008-01-04 10:22 . 2008-01-04 10:22 <DIR> d-------- C:\Program Files\Activision
2008-01-04 10:20 . 2008-01-04 10:20 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-03 19:19 . 2008-01-03 19:19 <DIR> d-------- C:\Program Files\Electronic Arts
2008-01-03 18:09 . 2008-01-21 20:27 <DIR> d-------- C:\Saved
2008-01-03 16:26 . 2008-01-03 16:26 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-01-03 16:25 . 2008-01-03 16:25 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application
2008-01-02 23:28 . 2008-01-15 20:35 <DIR> d-------- C:\WINDOWS\nview
2008-01-02 23:28 . 2008-01-15 20:11 164,081 --a------ C:\WINDOWS\system32\nvapps.xml
2008-01-02 23:28 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-01-02 23:09 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-01-02 22:52 . 2008-01-02 22:52 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-02 22:52 . 2008-01-02 22:52 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-01 23:45 . 2008-01-01 23:45 <DIR> d-------- C:\Program Files\ASUS
2008-01-01 23:21 . 2008-01-07 23:36 <DIR> d-------- C:\Program Files\SpeedFan
2008-01-01 18:58 . 2008-01-01 23:21 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-01-01 13:38 . 2008-01-01 13:38 <DIR> d-------- C:\Mini CD DVD Images
2008-01-01 11:22 . 2008-01-01 11:23 <DIR> d-------- C:\Program Files\RivaTuner v2.06
2007-12-24 11:33 . 2007-12-24 11:33 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-12-24 11:27 . 2007-12-24 11:27 <DIR> d-------- C:\Program Files\DVD Shrink
2007-12-23 05:19 . 2008-01-13 20:58 <DIR> d--h----- C:\Program Files\Creative Installation Information
2007-12-23 05:19 . 2007-12-23 05:19 <DIR> d-------- C:\Program Files\Common Files\Creative
2007-12-23 05:15 . 2008-01-13 20:58 <DIR> d-------- C:\Program Files\Creative

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 00:23 --------- d-----w C:\Program Files\eMule
2008-01-21 20:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-21 19:55 --------- d-----w C:\Program Files\Symantec
2008-01-20 00:50 --------- d-----w C:\Program Files\Google
2008-01-20 00:24 --------- d-----w C:\Program Files\Digital Media Reader
2008-01-13 02:18 --------- d-----w C:\Program Files\Microsoft Games
2008-01-08 23:35 --------- d-----w C:\Program Files\Common Files\Nero
2008-01-04 05:17 --------- d-----w C:\Program Files\NewsBin
2007-12-23 03:57 --------- d-----w C:\Program Files\Nero
2007-12-23 03:26 --------- d-----w C:\Program Files\DVD2one V2
2007-12-22 01:33 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-21 19:10 --------- d-----w C:\Program Files\Sierra Entertainment
2007-12-21 08:00 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-21 01:12 --------- d-----w C:\Program Files\Common Files\Microsoft Games
2007-12-18 17:59 --------- d-----w C:\Program Files\IrfanView
2007-12-08 12:53 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-08 12:49 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-07 19:31 --------- d-----w C:\Program Files\GameHouse
2007-12-05 07:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 06:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 06:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 06:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 06:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 06:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 06:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 06:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 06:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 06:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 06:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 06:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 06:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 06:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 06:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 06:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 06:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 06:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 06:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 06:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 06:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 06:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 06:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-05 06:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 06:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 06:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 06:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 06:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-12-05 01:21 --------- d-----w C:\Program Files\AC3Filter
2007-12-05 01:04 --------- d-----w C:\Program Files\DivX
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-03 21:39 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-03 16:40 --------- d-----w C:\Program Files\QuickPar
2007-12-03 13:44 --------- d-----w C:\Program Files\McAfee
2007-12-03 13:08 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-03 12:37 --------- d-----w C:\Program Files\Napster
2007-12-03 12:11 --------- d-----w C:\Program Files\Pure Networks
2007-12-03 12:10 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-03 07:06 --------- d-----w C:\Program Files\MSN Encarta Plus
2007-12-03 07:06 --------- d-----w C:\Program Files\Microsoft Works
2007-12-03 07:04 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2007-12-03 07:04 --------- d-----w C:\Program Files\Viewpoint
2007-12-03 07:04 --------- d-----w C:\Program Files\Real
2007-12-03 07:04 --------- d-----w C:\Program Files\Common Files\Real
2007-12-03 07:04 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-12-03 07:03 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-12-03 07:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-03 07:02 --------- d-----w C:\Program Files\Realtek
2007-12-03 07:01 --------- d-----w C:\Program Files\Microsoft Digital Image 2006
2007-12-03 07:00 --------- d-----w C:\Program Files\Java
2007-12-03 06:59 --------- d-----w C:\Program Files\Common Files\Java
2007-12-03 06:55 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-03 06:55 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-03 06:50 --------- d-----w C:\Program Files\CyberLink
2007-12-03 06:49 --------- d-----w C:\Program Files\Common Files\New Boundary
2007-12-03 06:46 --------- d-----w C:\Program Files\CONEXANT
2007-12-03 05:38 --------- d-----w C:\Program Files\Windows Plus
2007-12-03 05:38 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:39 228,864 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2004-10-08 05:03 837281]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-12-06 07:06 167368]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 17:12 851968]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [ ]
"mule_st_key"="C:\Documents and Settings\Owner\Application Data\m\flec006.exe" [2008-01-23 09:49 96772]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09 139264]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-09-29 16:53 2680104]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16 1121792]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 20:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"CLMLServer"="C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" [2007-09-27 23:10 122880]
"CLJ"="" []
"CHotkey"="zHotkey.exe" [2004-12-08 20:57 550912 C:\WINDOWS\zHotkey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"EnableLUA"= 0 (0x0)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 14:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 14:07:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

Rorschach112
2008-01-23, 21:14
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


KillAll::

File::
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\Documents and Settings\Owner\Application Data\m\flec006.exe

Folder::
C:\WINDOWS\system32\drivers\down

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"german.exe"=-
"mule_st_key"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

Save this as CFScript.txt, in the same location as ComboFix.exe


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Also post a new HijackThis log

EasyEEE
2008-01-23, 21:31
ComboFix scanned, appeared to remove the bad files/entries, rebooted, continued, created log.

ComboFix

ComboFix 08-01-23.2 - Owner 2008-01-23 14:22:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1603 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Owner\Application Data\m\flec006.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\mdelk.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\m\flec006.exe
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\124687.exe
C:\WINDOWS\system32\drivers\down\132234.exe
C:\WINDOWS\system32\drivers\down\134390.exe
C:\WINDOWS\system32\drivers\down\137687.exe
C:\WINDOWS\system32\drivers\down\139546.exe
C:\WINDOWS\system32\drivers\down\143531.exe
C:\WINDOWS\system32\drivers\down\14720625.exe
C:\WINDOWS\system32\drivers\down\14745734.exe
C:\WINDOWS\system32\drivers\down\14747859.exe
C:\WINDOWS\system32\drivers\down\14751312.exe
C:\WINDOWS\system32\drivers\down\14761671.exe
C:\WINDOWS\system32\drivers\down\14770984.exe
C:\WINDOWS\system32\drivers\down\14796437.exe
C:\WINDOWS\system32\drivers\down\14802640.exe
C:\WINDOWS\system32\drivers\down\14802750.exe
C:\WINDOWS\system32\drivers\down\148031.exe
C:\WINDOWS\system32\drivers\down\14808578.exe
C:\WINDOWS\system32\drivers\down\14812015.exe
C:\WINDOWS\system32\drivers\down\14844312.exe
C:\WINDOWS\system32\drivers\down\14845390.exe
C:\WINDOWS\system32\drivers\down\14853546.exe
C:\WINDOWS\system32\drivers\down\14865218.exe
C:\WINDOWS\system32\drivers\down\14871031.exe
C:\WINDOWS\system32\drivers\down\14872718.exe
C:\WINDOWS\system32\drivers\down\14873171.exe
C:\WINDOWS\system32\drivers\down\14873687.exe
C:\WINDOWS\system32\drivers\down\14877234.exe
C:\WINDOWS\system32\drivers\down\14878968.exe
C:\WINDOWS\system32\drivers\down\14911875.exe
C:\WINDOWS\system32\drivers\down\14915781.exe
C:\WINDOWS\system32\drivers\down\14923234.exe
C:\WINDOWS\system32\drivers\down\190312.exe
C:\WINDOWS\system32\drivers\down\193578.exe
C:\WINDOWS\system32\drivers\down\194031.exe
C:\WINDOWS\system32\drivers\down\198828.exe
C:\WINDOWS\system32\drivers\down\200984.exe
C:\WINDOWS\system32\drivers\down\232718.exe
C:\WINDOWS\system32\drivers\down\233484.exe
C:\WINDOWS\system32\drivers\down\236406.exe
C:\WINDOWS\system32\drivers\down\241703.exe
C:\WINDOWS\system32\drivers\down\243453.exe
C:\WINDOWS\system32\drivers\down\245484.exe
C:\WINDOWS\system32\drivers\down\246093.exe
C:\WINDOWS\system32\drivers\down\246843.exe
C:\WINDOWS\system32\drivers\down\270250.exe
C:\WINDOWS\system32\drivers\down\272859.exe
C:\WINDOWS\system32\drivers\down\29338000.exe
C:\WINDOWS\system32\drivers\down\29341859.exe
C:\WINDOWS\system32\drivers\down\29343687.exe
C:\WINDOWS\system32\drivers\down\29345671.exe
C:\WINDOWS\system32\drivers\down\29350109.exe
C:\WINDOWS\system32\drivers\down\29352515.exe
C:\WINDOWS\system32\drivers\down\29368203.exe
C:\WINDOWS\system32\drivers\down\29371015.exe
C:\WINDOWS\system32\drivers\down\29371234.exe
C:\WINDOWS\system32\drivers\down\29376687.exe
C:\WINDOWS\system32\drivers\down\29378734.exe
C:\WINDOWS\system32\drivers\down\29380359.exe
C:\WINDOWS\system32\drivers\down\29380921.exe
C:\WINDOWS\system32\drivers\down\29384109.exe
C:\WINDOWS\system32\drivers\down\29390015.exe
C:\WINDOWS\system32\drivers\down\29391968.exe
C:\WINDOWS\system32\drivers\down\29392437.exe
C:\WINDOWS\system32\drivers\down\29392734.exe
C:\WINDOWS\system32\drivers\down\29393843.exe
C:\WINDOWS\system32\drivers\down\29395640.exe
C:\WINDOWS\system32\drivers\down\29396937.exe
C:\WINDOWS\system32\drivers\down\29427640.exe
C:\WINDOWS\system32\drivers\down\29429765.exe
C:\WINDOWS\system32\drivers\down\29436031.exe
C:\WINDOWS\system32\drivers\down\302578.exe
C:\WINDOWS\system32\drivers\down\304953.exe
C:\WINDOWS\system32\drivers\down\310906.exe
C:\WINDOWS\system32\drivers\down\43844406.exe
C:\WINDOWS\system32\drivers\down\43848078.exe
C:\WINDOWS\system32\drivers\down\43850421.exe
C:\WINDOWS\system32\drivers\down\43892437.exe
C:\WINDOWS\system32\drivers\down\43895375.exe
C:\WINDOWS\system32\drivers\down\43898000.exe
C:\WINDOWS\system32\drivers\down\43941828.exe
C:\WINDOWS\system32\drivers\down\43944203.exe
C:\WINDOWS\system32\drivers\down\43944390.exe
C:\WINDOWS\system32\drivers\down\43952187.exe
C:\WINDOWS\system32\drivers\down\43954203.exe
C:\WINDOWS\system32\drivers\down\43956906.exe
C:\WINDOWS\system32\drivers\down\43957593.exe
C:\WINDOWS\system32\drivers\down\43962218.exe
C:\WINDOWS\system32\drivers\down\43967953.exe
C:\WINDOWS\system32\drivers\down\43970437.exe
C:\WINDOWS\system32\drivers\down\43971281.exe
C:\WINDOWS\system32\drivers\down\43974828.exe
C:\WINDOWS\system32\drivers\down\43978625.exe
C:\WINDOWS\system32\drivers\down\43987078.exe
C:\WINDOWS\system32\drivers\down\43988875.exe
C:\WINDOWS\system32\drivers\down\44018937.exe
C:\WINDOWS\system32\drivers\down\44022828.exe
C:\WINDOWS\system32\drivers\down\44029203.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\mdelk.exe
.
---- Previous Run -------
.
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA
-------\srosa






((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-23 14:24 . 2008-01-23 14:24 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-01-23 14:24 . 2008-01-23 14:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-23 14:24 . 2008-01-23 14:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-23 13:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 20:54 . 2008-01-21 21:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 15:42 . 2008-01-21 15:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-21 14:55 . 2008-01-21 14:55 <DIR> d-------- C:\Deckard
2008-01-20 00:00 . 2008-01-22 10:40 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-19 18:24 . 2008-01-19 18:24 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-19 18:24 . 2008-01-19 18:24 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-19 15:02 . 2008-01-20 08:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-18 23:27 . 2008-01-21 15:01 <DIR> d-------- C:\Program Files\RegSupreme Pro
2008-01-18 19:24 . 2008-01-18 19:24 <DIR> d-------- C:\WINDOWS\Sun
2008-01-18 13:10 . 2008-01-18 13:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-18 13:10 . 2008-01-18 14:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 12:59 . 2008-01-18 12:59 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-18 12:41 . 2008-01-18 12:42 <DIR> d-------- C:\Program Files\Ontrack
2008-01-18 10:12 . 2008-01-18 10:17 <DIR> d-------- C:\Program Files\Symantec Client Security
2008-01-18 10:04 . 2008-01-18 10:05 <DIR> d-------- C:\Sym EndPoint
2008-01-17 09:04 . 2008-01-17 09:05 <DIR> d-------- C:\Program Files\QuickTime
2008-01-15 20:11 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-15 16:02 . 2008-01-21 20:28 <DIR> d-------- C:\HJSplit
2008-01-13 20:43 . 2008-01-13 20:43 <DIR> d-------- C:\Program Files\MediaMonkey
2008-01-13 20:34 . 2008-01-13 22:58 <DIR> d-------- C:\Music
2008-01-13 20:22 . 1999-12-13 01:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2008-01-13 20:22 . 1999-11-18 01:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2008-01-13 14:41 . 2008-01-13 14:41 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-01-13 11:40 . 2008-01-13 11:40 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-07 16:36 . 2008-01-07 16:36 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-01-06 23:27 . 2008-01-06 23:27 <DIR> d-------- C:\Program Files\YourWare Solutions
2008-01-04 11:15 . 2008-01-17 10:27 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-01-04 11:15 . 2008-01-07 16:36 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-01-04 11:15 . 2008-01-17 10:28 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-04 11:15 . 2008-01-04 11:15 319 --a------ C:\WINDOWS\game.ini
2008-01-04 10:22 . 2008-01-04 10:22 <DIR> d-------- C:\Program Files\Activision
2008-01-04 10:20 . 2008-01-04 10:20 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-03 19:19 . 2008-01-03 19:19 <DIR> d-------- C:\Program Files\Electronic Arts
2008-01-03 18:09 . 2008-01-21 20:27 <DIR> d-------- C:\Saved
2008-01-03 16:26 . 2008-01-03 16:26 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-01-03 16:25 . 2008-01-03 16:25 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application
2008-01-02 23:28 . 2008-01-15 20:35 <DIR> d-------- C:\WINDOWS\nview
2008-01-02 23:28 . 2008-01-15 20:11 164,081 --a------ C:\WINDOWS\system32\nvapps.xml
2008-01-02 23:28 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-01-02 23:09 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-01-02 22:52 . 2008-01-02 22:52 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-02 22:52 . 2008-01-02 22:52 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-01 23:45 . 2008-01-01 23:45 <DIR> d-------- C:\Program Files\ASUS
2008-01-01 23:21 . 2008-01-07 23:36 <DIR> d-------- C:\Program Files\SpeedFan
2008-01-01 18:58 . 2008-01-01 23:21 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-01-01 13:38 . 2008-01-01 13:38 <DIR> d-------- C:\Mini CD DVD Images
2008-01-01 11:22 . 2008-01-01 11:23 <DIR> d-------- C:\Program Files\RivaTuner v2.06
2007-12-24 11:33 . 2007-12-24 11:33 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-12-24 11:27 . 2007-12-24 11:27 <DIR> d-------- C:\Program Files\DVD Shrink
2007-12-23 05:19 . 2008-01-13 20:58 <DIR> d--h----- C:\Program Files\Creative Installation Information
2007-12-23 05:19 . 2007-12-23 05:19 <DIR> d-------- C:\Program Files\Common Files\Creative
2007-12-23 05:15 . 2008-01-13 20:58 <DIR> d-------- C:\Program Files\Creative

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 00:23 --------- d-----w C:\Program Files\eMule
2008-01-21 20:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-21 19:55 --------- d-----w C:\Program Files\Symantec
2008-01-20 00:50 --------- d-----w C:\Program Files\Google
2008-01-20 00:24 --------- d-----w C:\Program Files\Digital Media Reader
2008-01-13 02:18 --------- d-----w C:\Program Files\Microsoft Games
2008-01-08 23:35 --------- d-----w C:\Program Files\Common Files\Nero
2008-01-04 05:17 --------- d-----w C:\Program Files\NewsBin
2007-12-23 03:57 --------- d-----w C:\Program Files\Nero
2007-12-23 03:26 --------- d-----w C:\Program Files\DVD2one V2
2007-12-21 19:10 --------- d-----w C:\Program Files\Sierra Entertainment
2007-12-21 08:00 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-21 01:12 --------- d-----w C:\Program Files\Common Files\Microsoft Games
2007-12-18 17:59 --------- d-----w C:\Program Files\IrfanView
2007-12-08 12:53 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-08 12:49 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-07 19:31 --------- d-----w C:\Program Files\GameHouse
2007-12-05 06:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 01:21 --------- d-----w C:\Program Files\AC3Filter
2007-12-05 01:04 --------- d-----w C:\Program Files\DivX
2007-12-03 21:39 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-03 16:40 --------- d-----w C:\Program Files\QuickPar
2007-12-03 13:44 --------- d-----w C:\Program Files\McAfee
2007-12-03 13:08 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-03 12:37 --------- d-----w C:\Program Files\Napster
2007-12-03 12:11 --------- d-----w C:\Program Files\Pure Networks
2007-12-03 12:10 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-03 07:06 --------- d-----w C:\Program Files\MSN Encarta Plus
2007-12-03 07:06 --------- d-----w C:\Program Files\Microsoft Works
2007-12-03 07:04 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2007-12-03 07:04 --------- d-----w C:\Program Files\Viewpoint
2007-12-03 07:04 --------- d-----w C:\Program Files\Real
2007-12-03 07:04 --------- d-----w C:\Program Files\Common Files\Real
2007-12-03 07:04 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-12-03 07:03 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-12-03 07:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-03 07:02 --------- d-----w C:\Program Files\Realtek
2007-12-03 07:01 --------- d-----w C:\Program Files\Microsoft Digital Image 2006
2007-12-03 07:00 --------- d-----w C:\Program Files\Java
2007-12-03 06:59 --------- d-----w C:\Program Files\Common Files\Java
2007-12-03 06:55 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-03 06:55 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-03 06:50 --------- d-----w C:\Program Files\CyberLink
2007-12-03 06:49 --------- d-----w C:\Program Files\Common Files\New Boundary
2007-12-03 06:46 --------- d-----w C:\Program Files\CONEXANT
2007-12-03 05:38 --------- d-----w C:\Program Files\Windows Plus
2007-12-03 05:38 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-23_13.32.23.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-23 18:22:30 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-23 19:22:05 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-23 18:22:30 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-23 19:22:05 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-23 18:22:30 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-23 19:22:05 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-23 18:22:30 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-23 19:22:05 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-23 18:22:30 3,874,816 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-23 19:22:05 3,883,008 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-23 18:22:30 57,344 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-23 19:22:05 57,344 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-23 19:25:02 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2004-10-08 05:03 837281]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-12-06 07:06 167368]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 17:12 851968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09 139264]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-09-29 16:53 2680104]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16 1121792]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 20:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"CLMLServer"="C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" [2007-09-27 23:10 122880]
"CLJ"="" []
"CHotkey"="zHotkey.exe" [2004-12-08 20:57 550912 C:\WINDOWS\zHotkey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"EnableLUA"= 0 (0x0)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"


.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 14:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 14:24:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

EasyEEE
2008-01-23, 21:32
HiJiackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:29, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4016
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196686463109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7389 bytes

Rorschach112
2008-01-23, 21:34
Hello

Download and run SafeBootKeyRepair-CF from:

http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe
or
http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe

It will take only a moment for it to run.
A log will be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


Folder::
C:\WINDOWS\system32\drivers\down

Save this as CFScript.txt, in the same location as ComboFix.exe


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

EasyEEE
2008-01-23, 21:53
Hello, and thanks again for the help! :eek:

SafeBoot Repair


Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

EasyEEE
2008-01-23, 21:56
ComboFix - Part 1 after running new/short script:

ComboFix 08-01-23.2 - Owner 2008-01-23 14:49:24.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1593 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Owner\Application Data\m\flec006.exe
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\124687.exe
C:\WINDOWS\system32\drivers\down\132234.exe
C:\WINDOWS\system32\drivers\down\134390.exe
C:\WINDOWS\system32\drivers\down\137687.exe
C:\WINDOWS\system32\drivers\down\139546.exe
C:\WINDOWS\system32\drivers\down\143531.exe
C:\WINDOWS\system32\drivers\down\14720625.exe
C:\WINDOWS\system32\drivers\down\14745734.exe
C:\WINDOWS\system32\drivers\down\14747859.exe
C:\WINDOWS\system32\drivers\down\14751312.exe
C:\WINDOWS\system32\drivers\down\14761671.exe
C:\WINDOWS\system32\drivers\down\14770984.exe
C:\WINDOWS\system32\drivers\down\14796437.exe
C:\WINDOWS\system32\drivers\down\14802640.exe
C:\WINDOWS\system32\drivers\down\14802750.exe
C:\WINDOWS\system32\drivers\down\148031.exe
C:\WINDOWS\system32\drivers\down\14808578.exe
C:\WINDOWS\system32\drivers\down\14812015.exe
C:\WINDOWS\system32\drivers\down\14844312.exe
C:\WINDOWS\system32\drivers\down\14845390.exe
C:\WINDOWS\system32\drivers\down\14853546.exe
C:\WINDOWS\system32\drivers\down\14865218.exe
C:\WINDOWS\system32\drivers\down\14871031.exe
C:\WINDOWS\system32\drivers\down\14872718.exe
C:\WINDOWS\system32\drivers\down\14873171.exe
C:\WINDOWS\system32\drivers\down\14873687.exe
C:\WINDOWS\system32\drivers\down\14877234.exe
C:\WINDOWS\system32\drivers\down\14878968.exe
C:\WINDOWS\system32\drivers\down\14911875.exe
C:\WINDOWS\system32\drivers\down\14915781.exe
C:\WINDOWS\system32\drivers\down\14923234.exe
C:\WINDOWS\system32\drivers\down\190312.exe
C:\WINDOWS\system32\drivers\down\193578.exe
C:\WINDOWS\system32\drivers\down\194031.exe
C:\WINDOWS\system32\drivers\down\198828.exe
C:\WINDOWS\system32\drivers\down\200984.exe
C:\WINDOWS\system32\drivers\down\232718.exe
C:\WINDOWS\system32\drivers\down\233484.exe
C:\WINDOWS\system32\drivers\down\236406.exe
C:\WINDOWS\system32\drivers\down\241703.exe
C:\WINDOWS\system32\drivers\down\243453.exe
C:\WINDOWS\system32\drivers\down\245484.exe
C:\WINDOWS\system32\drivers\down\246093.exe
C:\WINDOWS\system32\drivers\down\246843.exe
C:\WINDOWS\system32\drivers\down\270250.exe
C:\WINDOWS\system32\drivers\down\272859.exe
C:\WINDOWS\system32\drivers\down\29338000.exe
C:\WINDOWS\system32\drivers\down\29341859.exe
C:\WINDOWS\system32\drivers\down\29343687.exe
C:\WINDOWS\system32\drivers\down\29345671.exe
C:\WINDOWS\system32\drivers\down\29350109.exe
C:\WINDOWS\system32\drivers\down\29352515.exe
C:\WINDOWS\system32\drivers\down\29368203.exe
C:\WINDOWS\system32\drivers\down\29371015.exe
C:\WINDOWS\system32\drivers\down\29371234.exe
C:\WINDOWS\system32\drivers\down\29376687.exe
C:\WINDOWS\system32\drivers\down\29378734.exe
C:\WINDOWS\system32\drivers\down\29380359.exe
C:\WINDOWS\system32\drivers\down\29380921.exe
C:\WINDOWS\system32\drivers\down\29384109.exe
C:\WINDOWS\system32\drivers\down\29390015.exe
C:\WINDOWS\system32\drivers\down\29391968.exe
C:\WINDOWS\system32\drivers\down\29392437.exe
C:\WINDOWS\system32\drivers\down\29392734.exe
C:\WINDOWS\system32\drivers\down\29393843.exe
C:\WINDOWS\system32\drivers\down\29395640.exe
C:\WINDOWS\system32\drivers\down\29396937.exe
C:\WINDOWS\system32\drivers\down\29427640.exe
C:\WINDOWS\system32\drivers\down\29429765.exe
C:\WINDOWS\system32\drivers\down\29436031.exe
C:\WINDOWS\system32\drivers\down\302578.exe
C:\WINDOWS\system32\drivers\down\304953.exe
C:\WINDOWS\system32\drivers\down\310906.exe
C:\WINDOWS\system32\drivers\down\43844406.exe
C:\WINDOWS\system32\drivers\down\43848078.exe
C:\WINDOWS\system32\drivers\down\43850421.exe
C:\WINDOWS\system32\drivers\down\43892437.exe
C:\WINDOWS\system32\drivers\down\43895375.exe
C:\WINDOWS\system32\drivers\down\43898000.exe
C:\WINDOWS\system32\drivers\down\43941828.exe
C:\WINDOWS\system32\drivers\down\43944203.exe
C:\WINDOWS\system32\drivers\down\43944390.exe
C:\WINDOWS\system32\drivers\down\43952187.exe
C:\WINDOWS\system32\drivers\down\43954203.exe
C:\WINDOWS\system32\drivers\down\43956906.exe
C:\WINDOWS\system32\drivers\down\43957593.exe
C:\WINDOWS\system32\drivers\down\43962218.exe
C:\WINDOWS\system32\drivers\down\43967953.exe
C:\WINDOWS\system32\drivers\down\43970437.exe
C:\WINDOWS\system32\drivers\down\43971281.exe
C:\WINDOWS\system32\drivers\down\43974828.exe
C:\WINDOWS\system32\drivers\down\43978625.exe
C:\WINDOWS\system32\drivers\down\43987078.exe
C:\WINDOWS\system32\drivers\down\43988875.exe
C:\WINDOWS\system32\drivers\down\44018937.exe
C:\WINDOWS\system32\drivers\down\44022828.exe
C:\WINDOWS\system32\drivers\down\44029203.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA
-------\srosa








((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-23 14:24 . 2008-01-23 14:24 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-01-23 13:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 20:54 . 2008-01-21 21:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 15:42 . 2008-01-21 15:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-21 14:55 . 2008-01-21 14:55 <DIR> d-------- C:\Deckard
2008-01-20 00:00 . 2008-01-22 10:40 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-19 18:24 . 2008-01-19 18:24 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-19 18:24 . 2008-01-19 18:24 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-19 15:02 . 2008-01-20 08:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-18 23:27 . 2008-01-21 15:01 <DIR> d-------- C:\Program Files\RegSupreme Pro
2008-01-18 19:24 . 2008-01-18 19:24 <DIR> d-------- C:\WINDOWS\Sun
2008-01-18 13:10 . 2008-01-18 13:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-18 13:10 . 2008-01-18 14:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 12:59 . 2008-01-18 12:59 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-18 12:41 . 2008-01-18 12:42 <DIR> d-------- C:\Program Files\Ontrack
2008-01-18 10:12 . 2008-01-18 10:17 <DIR> d-------- C:\Program Files\Symantec Client Security
2008-01-18 10:04 . 2008-01-18 10:05 <DIR> d-------- C:\Sym EndPoint
2008-01-17 09:04 . 2008-01-17 09:05 <DIR> d-------- C:\Program Files\QuickTime
2008-01-15 20:11 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-15 16:02 . 2008-01-21 20:28 <DIR> d-------- C:\HJSplit
2008-01-13 20:43 . 2008-01-13 20:43 <DIR> d-------- C:\Program Files\MediaMonkey
2008-01-13 20:34 . 2008-01-13 22:58 <DIR> d-------- C:\Music
2008-01-13 20:22 . 1999-12-13 01:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2008-01-13 20:22 . 1999-11-18 01:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2008-01-13 14:41 . 2008-01-13 14:41 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-01-13 11:40 . 2008-01-13 11:40 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-07 16:36 . 2008-01-07 16:36 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-01-06 23:27 . 2008-01-06 23:27 <DIR> d-------- C:\Program Files\YourWare Solutions
2008-01-04 11:15 . 2008-01-17 10:27 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-01-04 11:15 . 2008-01-07 16:36 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-01-04 11:15 . 2008-01-17 10:28 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-04 11:15 . 2008-01-04 11:15 319 --a------ C:\WINDOWS\game.ini
2008-01-04 10:22 . 2008-01-04 10:22 <DIR> d-------- C:\Program Files\Activision
2008-01-04 10:20 . 2008-01-04 10:20 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-03 19:19 . 2008-01-03 19:19 <DIR> d-------- C:\Program Files\Electronic Arts
2008-01-03 18:09 . 2008-01-21 20:27 <DIR> d-------- C:\Saved
2008-01-03 16:26 . 2008-01-03 16:26 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-01-03 16:25 . 2008-01-03 16:25 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application
2008-01-02 23:28 . 2008-01-15 20:35 <DIR> d-------- C:\WINDOWS\nview
2008-01-02 23:28 . 2008-01-15 20:11 164,081 --a------ C:\WINDOWS\system32\nvapps.xml
2008-01-02 23:28 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-01-02 23:09 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-01-02 22:52 . 2008-01-02 22:52 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-02 22:52 . 2008-01-02 22:52 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-01 23:45 . 2008-01-01 23:45 <DIR> d-------- C:\Program Files\ASUS
2008-01-01 23:21 . 2008-01-07 23:36 <DIR> d-------- C:\Program Files\SpeedFan
2008-01-01 18:58 . 2008-01-01 23:21 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-01-01 13:38 . 2008-01-01 13:38 <DIR> d-------- C:\Mini CD DVD Images
2008-01-01 11:22 . 2008-01-01 11:23 <DIR> d-------- C:\Program Files\RivaTuner v2.06
2007-12-24 11:33 . 2007-12-24 11:33 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-12-24 11:27 . 2007-12-24 11:27 <DIR> d-------- C:\Program Files\DVD Shrink
2007-12-23 05:19 . 2008-01-13 20:58 <DIR> d--h----- C:\Program Files\Creative Installation Information
2007-12-23 05:19 . 2007-12-23 05:19 <DIR> d-------- C:\Program Files\Common Files\Creative
2007-12-23 05:15 . 2008-01-13 20:58 <DIR> d-------- C:\Program Files\Creative

EasyEEE
2008-01-23, 21:57
ComboFix - Part 2 after running new/short script:

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 00:23 --------- d-----w C:\Program Files\eMule
2008-01-21 20:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-21 19:55 --------- d-----w C:\Program Files\Symantec
2008-01-20 00:50 --------- d-----w C:\Program Files\Google
2008-01-20 00:24 --------- d-----w C:\Program Files\Digital Media Reader
2008-01-13 02:18 --------- d-----w C:\Program Files\Microsoft Games
2008-01-08 23:35 --------- d-----w C:\Program Files\Common Files\Nero
2008-01-04 05:17 --------- d-----w C:\Program Files\NewsBin
2007-12-23 03:57 --------- d-----w C:\Program Files\Nero
2007-12-23 03:26 --------- d-----w C:\Program Files\DVD2one V2
2007-12-22 01:33 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-21 19:10 --------- d-----w C:\Program Files\Sierra Entertainment
2007-12-21 08:00 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-21 01:12 --------- d-----w C:\Program Files\Common Files\Microsoft Games
2007-12-18 17:59 --------- d-----w C:\Program Files\IrfanView
2007-12-08 12:53 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-08 12:49 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-07 19:31 --------- d-----w C:\Program Files\GameHouse
2007-12-05 07:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 06:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 06:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 06:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 06:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 06:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 06:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 06:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 06:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 06:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 06:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 06:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 06:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 06:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 06:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 06:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 06:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 06:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 06:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 06:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 06:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 06:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 06:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-05 06:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 06:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 06:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 06:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 06:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-12-05 01:21 --------- d-----w C:\Program Files\AC3Filter
2007-12-05 01:04 --------- d-----w C:\Program Files\DivX
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-03 21:39 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-03 16:40 --------- d-----w C:\Program Files\QuickPar
2007-12-03 13:44 --------- d-----w C:\Program Files\McAfee
2007-12-03 13:08 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-03 12:37 --------- d-----w C:\Program Files\Napster
2007-12-03 12:11 --------- d-----w C:\Program Files\Pure Networks
2007-12-03 12:10 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-03 07:06 --------- d-----w C:\Program Files\MSN Encarta Plus
2007-12-03 07:06 --------- d-----w C:\Program Files\Microsoft Works
2007-12-03 07:04 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2007-12-03 07:04 --------- d-----w C:\Program Files\Viewpoint
2007-12-03 07:04 --------- d-----w C:\Program Files\Real
2007-12-03 07:04 --------- d-----w C:\Program Files\Common Files\Real
2007-12-03 07:04 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-12-03 07:03 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-12-03 07:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-03 07:02 --------- d-----w C:\Program Files\Realtek
2007-12-03 07:01 --------- d-----w C:\Program Files\Microsoft Digital Image 2006
2007-12-03 07:00 --------- d-----w C:\Program Files\Java
2007-12-03 06:59 --------- d-----w C:\Program Files\Common Files\Java
2007-12-03 06:55 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-03 06:55 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-03 06:50 --------- d-----w C:\Program Files\CyberLink
2007-12-03 06:49 --------- d-----w C:\Program Files\Common Files\New Boundary
2007-12-03 06:46 --------- d-----w C:\Program Files\CONEXANT
2007-12-03 05:38 --------- d-----w C:\Program Files\Windows Plus
2007-12-03 05:38 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:39 228,864 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-23_13.32.23.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-23 18:22:30 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-23 19:49:22 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-23 18:22:30 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-23 19:49:22 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-23 18:22:30 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-23 19:49:22 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-23 18:22:30 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-23 19:49:22 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-23 18:22:30 3,874,816 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-23 19:49:22 3,883,008 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-23 18:22:30 57,344 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-23 19:49:22 57,344 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-23 19:25:02 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2004-10-08 05:03 837281]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-12-06 07:06 167368]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 17:12 851968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09 139264]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-09-29 16:53 2680104]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16 1121792]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 20:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"CLMLServer"="C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" [2007-09-27 23:10 122880]
"CLJ"="" []
"CHotkey"="zHotkey.exe" [2004-12-08 20:57 550912 C:\WINDOWS\zHotkey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"EnableLUA"= 0 (0x0)


.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 14:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 14:50:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

Rorschach112
2008-01-23, 21:57
Hello

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

EasyEEE
2008-01-23, 23:17
Scan is almost complete, with "4 viruses found" and "417 objects infected."

Should I have rebooted anywhere during this process? I haven't other than when ComboFix auto-rebooted.

Will post log here shortly. 91% complete.

-Brad

EasyEEE
2008-01-23, 23:59
Probably shouldn't have been using FireFox..

KASPERSKY ONLINE SCANNER REPORT - PART 1

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-01-23 16:56
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/01/2008
Kaspersky Anti-Virus database records: 528347
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 136481
Number of viruses found: 5
Number of infected objects: 494
Number of suspicious objects: 0
Duration of the scan process: 01:40:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\m\data.oct Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\30 Happy Easter Riddles Screensaver 5.0.zip/30 Happy Easter Riddles Screensaver 5.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\30 Happy Easter Riddles Screensaver 5.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\3D Mystic Wind Chimes 1.2.zip/3D Mystic Wind Chimes 1.2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\3D Mystic Wind Chimes 1.2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\A Peek at Mrs Radvelli's Bloomers 1.zip/A Peek at Mrs Radvelli's Bloomers 1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\A Peek at Mrs Radvelli's Bloomers 1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\A Tale of Two Cities 1.0.zip/A Tale of Two Cities 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\A Tale of Two Cities 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Absolutely Fabulous Screensaver 1.0.zip/Absolutely Fabulous Screensaver 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Absolutely Fabulous Screensaver 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Adisoft 2004+.zip/Adisoft 2004+.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Adisoft 2004+.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Adriana Lima 27 Screensaver 1.0.zip/Adriana Lima 27 Screensaver 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Adriana Lima 27 Screensaver 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Advanced Access Builder 1.51 b3.zip/Advanced Access Builder 1.51 b3.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Advanced Access Builder 1.51 b3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Advanced RAR Repair 1.2.zip/Advanced RAR Repair 1.2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Advanced RAR Repair 1.2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Advanced System Cleaner 1.8.zip/Advanced System Cleaner 1.8.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Advanced System Cleaner 1.8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Advene 0.23.zip/Advene 0.23.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Advene 0.23.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\AFPextract 1.0.zip/AFPextract 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\AFPextract 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Age of Mythology - River Styx map.zip/Age of Mythology - River Styx map.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Age of Mythology - River Styx map.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\AGEphone 1.50.2 Cracked.zip/AGEphone 1.50.2 Cracked.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\AGEphone 1.50.2 Cracked.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Aglare Video to 3GP Converter 1.0.zip/Aglare Video to 3GP Converter 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Aglare Video to 3GP Converter 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Alert LinkRunner 6.0 build 11.zip/Alert LinkRunner 6.0 build 11.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Alert LinkRunner 6.0 build 11.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Allocator 1.zip/Allocator 1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Allocator 1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Animated Desktop 1.2.4.zip/Animated Desktop 1.2.4.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Animated Desktop 1.2.4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Antivirus.Avast.Profesional.Edition.V.4.7.Spanish.Keygen.zip/Antivirus.Avast.Profesional.Edition.V.4.7.Spanish.Keygen.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Antivirus.Avast.Profesional.Edition.V.4.7.Spanish.Keygen.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ArchiCrypt Shredder 3.5.1.zip/ArchiCrypt Shredder 3.5.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ArchiCrypt Shredder 3.5.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Arlington Text to Speech 2.1.zip/Arlington Text to Speech 2.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Arlington Text to Speech 2.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ASPPack GroupWare 2.1.2 (Cracked).zip/ASPPack GroupWare 2.1.2 (Cracked).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ASPPack GroupWare 2.1.2 (Cracked).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\AutoSlideshow 0.2.1.zip/AutoSlideshow 0.2.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\AutoSlideshow 0.2.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\BeautyHobby Toolbar 1.0 [Crack].zip/BeautyHobby Toolbar 1.0 [Crack].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\BeautyHobby Toolbar 1.0 [Crack].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Birds Jigsaw Puzzle 1.0.zip/Birds Jigsaw Puzzle 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Birds Jigsaw Puzzle 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Birthday Organizer 5.0 Cracked.zip/Birthday Organizer 5.0 Cracked.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Birthday Organizer 5.0 Cracked.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Block MDE Unlockers 1.1.zip/Block MDE Unlockers 1.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Block MDE Unlockers 1.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Blue Ad Robo 1.0.zip/Blue Ad Robo 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Blue Ad Robo 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Book Avis 1.4.2.0.zip/Book Avis 1.4.2.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Book Avis 1.4.2.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Brand Worlds Tools 1.zip/Brand Worlds Tools 1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Brand Worlds Tools 1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Break-In Textures Vol.1 [With Crack].zip/Break-In Textures Vol.1 [With Crack].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Break-In Textures Vol.1 [With Crack].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\BroadWave 1.01.zip/BroadWave 1.01.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\BroadWave 1.01.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Caribbean Treasures 1.zip/Caribbean Treasures 1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Caribbean Treasures 1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Cheerful Dogs Screensaver 1.0.zip/Cheerful Dogs Screensaver 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Cheerful Dogs Screensaver 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Chinesepera-kun Chinese Popup Dictionary 0.2.2.zip/Chinesepera-kun Chinese Popup Dictionary 0.2.2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Chinesepera-kun Chinese Popup Dictionary 0.2.2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Clicktionary English-Spanish 3.2.2 [With Crack].zip/Clicktionary English-Spanish 3.2.2 [With Crack].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Clicktionary English-Spanish 3.2.2 [With Crack].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Clipboard Washer 1.23.zip/Clipboard Washer 1.23.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Clipboard Washer 1.23.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Collectibles Organizer 3.6s [With Crack].zip/Collectibles Organizer 3.6s [With Crack].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Collectibles Organizer 3.6s [With Crack].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Complete Beowulf Interactive 1.10 [Key+Serial].zip/Complete Beowulf Interactive 1.10 [Key+Serial].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Complete Beowulf Interactive 1.10 [Key+Serial].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ContactGenie Exporter Basic Ed 1.1.11.zip/ContactGenie Exporter Basic Ed 1.1.11.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ContactGenie Exporter Basic Ed 1.1.11.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Cyfin SA Proxy 7.5.3.zip/Cyfin SA Proxy 7.5.3.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Cyfin SA Proxy 7.5.3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Database Icon Collection 1.0 [Patch].zip/Database Icon Collection 1.0 [Patch].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Database Icon Collection 1.0 [Patch].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\DaToInfo 2.0 (With Crack).zip/DaToInfo 2.0 (With Crack).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\DaToInfo 2.0 (With Crack).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\DB to HTML Express 3.0.zip/DB to HTML Express 3.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\DB to HTML Express 3.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\DBEasy 2.02.069.zip/DBEasy 2.02.069.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\DBEasy 2.02.069.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Descent OpenGL 1.27.zip/Descent OpenGL 1.27.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Descent OpenGL 1.27.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Drag-N-Dropper for MS Access 4.3.zip/Drag-N-Dropper for MS Access 4.3.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Drag-N-Dropper for MS Access 4.3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\DrWeb.4.32.NhT.zip/DrWeb.4.32.NhT.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\DrWeb.4.32.NhT.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Duplicate File Finder 3.1.zip/Duplicate File Finder 3.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Duplicate File Finder 3.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\DWG Miner DLL 2.3.42 Key+Serial.zip/DWG Miner DLL 2.3.42 Key+Serial.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\DWG Miner DLL 2.3.42 Key+Serial.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Earthling 1.0.zip/Earthling 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Earthling 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Easy Batch Watermark 3.0 (With Crack).zip/Easy Batch Watermark 3.0 (With Crack).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Easy Batch Watermark 3.0 (With Crack).zip ZIP: infected - 1 skipped

EasyEEE
2008-01-24, 00:01
Hrm..

KASPERSKY ONLINE SCANNER REPORT - PART 2

C:\Documents and Settings\Owner\Application Data\m\shared\Easy Photo Recovery 1.4.1 Key+Serial.zip/Easy Photo Recovery 1.4.1 Key+Serial.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Easy Photo Recovery 1.4.1 Key+Serial.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Electronic Bird HotMailPlus 2.0 (Cracked).zip/Electronic Bird HotMailPlus 2.0 (Cracked).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Electronic Bird HotMailPlus 2.0 (Cracked).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\EMCO Permissions Audit 1.0 (Key).zip/EMCO Permissions Audit 1.0 (Key).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\EMCO Permissions Audit 1.0 (Key).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Estard Data Miner 1.2.5.zip/Estard Data Miner 1.2.5.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Estard Data Miner 1.2.5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Evaluation Tracker 2.2.2.zip/Evaluation Tracker 2.2.2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Evaluation Tracker 2.2.2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ExecutiveSync 1.2.2.zip/ExecutiveSync 1.2.2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ExecutiveSync 1.2.2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\eXPert PDF Editor Professional Edition 1.zip/eXPert PDF Editor Professional Edition 1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\eXPert PDF Editor Professional Edition 1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\EZ Macros 5.0a.zip/EZ Macros 5.0a.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\EZ Macros 5.0a.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\FileSort 1.5.146.zip/FileSort 1.5.146.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\FileSort 1.5.146.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\FirstStop WebSearch Visual Edition 4.21.zip/FirstStop WebSearch Visual Edition 4.21.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\FirstStop WebSearch Visual Edition 4.21.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Flaredance Firework Screensaver 1.1.zip/Flaredance Firework Screensaver 1.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Flaredance Firework Screensaver 1.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Flash Effect Maker Pro 3.5.zip/Flash Effect Maker Pro 3.5.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Flash Effect Maker Pro 3.5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Gaia Wallpaper Desktop 1.2.zip/Gaia Wallpaper Desktop 1.2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Gaia Wallpaper Desktop 1.2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Gatekeeper 1.02.zip/Gatekeeper 1.02.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Gatekeeper 1.02.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Good Keywords 2.0.1.zip/Good Keywords 2.0.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Good Keywords 2.0.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Google4india Toolbar 1.zip/Google4india Toolbar 1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Google4india Toolbar 1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\GUITAR COMBOS Ac Box Combo 1.0.zip/GUITAR COMBOS Ac Box Combo 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\GUITAR COMBOS Ac Box Combo 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\House Rules 1.0.2480.zip/House Rules 1.0.2480.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\House Rules 1.0.2480.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\HTMLSpy 1.04 Patch.zip/HTMLSpy 1.04 Patch.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\HTMLSpy 1.04 Patch.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\HydraLinks 1.2.zip/HydraLinks 1.2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\HydraLinks 1.2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Icon Collector Tool 1.2.zip/Icon Collector Tool 1.2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Icon Collector Tool 1.2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\IDN Conversion Tool 0.99.zip/IDN Conversion Tool 0.99.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\IDN Conversion Tool 0.99.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ie quick saver 1.1.zip/ie quick saver 1.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ie quick saver 1.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\IglooFTP PRO 3.9.zip/IglooFTP PRO 3.9.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\IglooFTP PRO 3.9.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ImTOO iPod Movie Converter 3.1.39.0809b Key+Serial.zip/ImTOO iPod Movie Converter 3.1.39.0809b Key+Serial.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ImTOO iPod Movie Converter 3.1.39.0809b Key+Serial.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\iNewYork 2.0.zip/iNewYork 2.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\iNewYork 2.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\InTriever 2007 build 06.10.23.1234.zip/InTriever 2007 build 06.10.23.1234.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\InTriever 2007 build 06.10.23.1234.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\iTunes miniRate 1.0.1.zip/iTunes miniRate 1.0.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\iTunes miniRate 1.0.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Kaspersky.Antyvirus.6.0.+.Key.zip/Kaspersky.Antyvirus.6.0.+.Key.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Kaspersky.Antyvirus.6.0.+.Key.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Kentico Compare SQL 1.0 KeyGen.zip/Kentico Compare SQL 1.0 KeyGen.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Kentico Compare SQL 1.0 KeyGen.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Keyboard Wizard 1.0 [With Crack].zip/Keyboard Wizard 1.0 [With Crack].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Keyboard Wizard 1.0 [With Crack].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\KidsSave 1.zip/KidsSave 1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\KidsSave 1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\KillCopy 2.84.zip/KillCopy 2.84.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\KillCopy 2.84.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Kongsoft MP3 CD Burner 1.04 p1 Serial.zip/Kongsoft MP3 CD Burner 1.04 p1 Serial.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Kongsoft MP3 CD Burner 1.04 p1 Serial.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Label Magic 2.1 (Serial).zip/Label Magic 2.1 (Serial).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Label Magic 2.1 (Serial).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\LingvoSoft Learning Voice PhraseBook 2006 Albanian Thai 2.1.29.zip/LingvoSoft Learning Voice PhraseBook 2006 Albanian Thai 2.1.29.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\LingvoSoft Learning Voice PhraseBook 2006 Albanian Thai 2.1.29.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\LingvoSoft Picture Dictionary 2007 Polish - Arabic 1.1.19.zip/LingvoSoft Picture Dictionary 2007 Polish - Arabic 1.1.19.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\LingvoSoft Picture Dictionary 2007 Polish - Arabic 1.1.19.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Lisk CMS 4.3.zip/Lisk CMS 4.3.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Lisk CMS 4.3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Live Help 123 2.2.zip/Live Help 123 2.2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Live Help 123 2.2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\LuraDocument PDF Compressor 4.2.02.15.zip/LuraDocument PDF Compressor 4.2.02.15.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\LuraDocument PDF Compressor 4.2.02.15.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MAGIX Music Maker 11 [Crack].zip/MAGIX Music Maker 11 [Crack].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MAGIX Music Maker 11 [Crack].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MailArmor 1.1.2 for Windows (Cracked).zip/MailArmor 1.1.2 for Windows (Cracked).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MailArmor 1.1.2 for Windows (Cracked).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MailCheck 2.0 Build 110202.zip/MailCheck 2.0 Build 110202.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MailCheck 2.0 Build 110202.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MailScan SMTP Server 5.2.zip/MailScan SMTP Server 5.2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MailScan SMTP Server 5.2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MarshallSoft DUN Dialer for PowerBASIC 2.1.zip/MarshallSoft DUN Dialer for PowerBASIC 2.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MarshallSoft DUN Dialer for PowerBASIC 2.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MCEBrowser 2.2.zip/MCEBrowser 2.2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MCEBrowser 2.2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MechWarrior 4 Vengeance 1.0.zip/MechWarrior 4 Vengeance 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MechWarrior 4 Vengeance 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Mobile AMR converter 1.5.0.zip/Mobile AMR converter 1.5.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Mobile AMR converter 1.5.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MoonlightTorrent 0.2.0.0.zip/MoonlightTorrent 0.2.0.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MoonlightTorrent 0.2.0.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MP3 Crawler 1.0 Serial.zip/MP3 Crawler 1.0 Serial.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MP3 Crawler 1.0 Serial.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\muCommander 0.8 beta 3.zip/muCommander 0.8 beta 3.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\muCommander 0.8 beta 3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MusicPlayer X 3.0.zip/MusicPlayer X 3.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\MusicPlayer X 3.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\My Video Downloader 1.0.zip/My Video Downloader 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\My Video Downloader 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\myGrid Solution 1.0 KeyGen.zip/myGrid Solution 1.0 KeyGen.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\myGrid Solution 1.0 KeyGen.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Nvu 1.0.zip/Nvu 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Nvu 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ObjectDock 1.9 Build 543.zip/ObjectDock 1.9 Build 543.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ObjectDock 1.9 Build 543.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Office Fitness Timer 1.2.zip/Office Fitness Timer 1.2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Office Fitness Timer 1.2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\OnLetterhead - Branded Email Stationary 3.0.0.0 (Patch).zip/OnLetterhead - Branded Email Stationary 3.0.0.0 (Patch).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\OnLetterhead - Branded Email Stationary 3.0.0.0 (Patch).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Operation Flashpoint Cold War Crisis - Advanced sound mod.zip/Operation Flashpoint Cold War Crisis - Advanced sound mod.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Operation Flashpoint Cold War Crisis - Advanced sound mod.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\PAL Spyware Remover 1.1 Key+Serial.zip/PAL Spyware Remover 1.1 Key+Serial.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\PAL Spyware Remover 1.1 Key+Serial.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\PatentHunter 3.5.05 Key.zip/PatentHunter 3.5.05 Key.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\PatentHunter 3.5.05 Key.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\PC Draft PE 5.0.6 Patch.zip/PC Draft PE 5.0.6 Patch.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\PC Draft PE 5.0.6 Patch.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\PDF-to-HTML 1.1.zip/PDF-to-HTML 1.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\PDF-to-HTML 1.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Peachtree Key 6.1.zip/Peachtree Key 6.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Peachtree Key 6.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Personal Finance Quizzes 1.zip/Personal Finance Quizzes 1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Personal Finance Quizzes 1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Photos Manager 1.0 [With Crack].zip/Photos Manager 1.0 [With Crack].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped

EasyEEE
2008-01-24, 00:02
And the hits just keep coming..

KASPERSKY ONLINE SCANNER REPORT - PART 3


C:\Documents and Settings\Owner\Application Data\m\shared\Photos Manager 1.0 [With Crack].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Picture Resizing Utility 1.0.zip/Picture Resizing Utility 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Picture Resizing Utility 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Pixbook 2.9C.zip/Pixbook 2.9C.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Pixbook 2.9C.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Plato DVD + Video to iPod Package 6.71 [Key+Serial].zip/Plato DVD + Video to iPod Package 6.71 [Key+Serial].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Plato DVD + Video to iPod Package 6.71 [Key+Serial].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Power Layers 1.1.8.10 [Serial].zip/Power Layers 1.1.8.10 [Serial].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Power Layers 1.1.8.10 [Serial].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Power Systems Analysis 1.1.zip/Power Systems Analysis 1.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Power Systems Analysis 1.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Power Video to Audio Converter 1.03 [Crack].zip/Power Video to Audio Converter 1.03 [Crack].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Power Video to Audio Converter 1.03 [Crack].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Presentation Manager 2.01 (With Crack).zip/Presentation Manager 2.01 (With Crack).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Presentation Manager 2.01 (With Crack).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\PrintDirect Anywhere 2.00.zip/PrintDirect Anywhere 2.00.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\PrintDirect Anywhere 2.00.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\PSYBMail 1.1.0.124.zip/PSYBMail 1.1.0.124.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\PSYBMail 1.1.0.124.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Punch Clock 2005 1.3 (Cracked).zip/Punch Clock 2005 1.3 (Cracked).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Punch Clock 2005 1.3 (Cracked).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\pVoice 2.2 Beta 5.zip/pVoice 2.2 Beta 5.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\pVoice 2.2 Beta 5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\QDictionary 2006.10.25.zip/QDictionary 2006.10.25.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\QDictionary 2006.10.25.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\QNote 1.0 [Patch].zip/QNote 1.0 [Patch].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\QNote 1.0 [Patch].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Quark ALAP ImagePort 1.4.zip/Quark ALAP ImagePort 1.4.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Quark ALAP ImagePort 1.4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\quick.heal.x-gen.v7.00.zip/quick.heal.x-gen.v7.00.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\quick.heal.x-gen.v7.00.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\React! 1.0.zip/React! 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\React! 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Real Estate Follow Up Software (REFUS) 1.zip/Real Estate Follow Up Software (REFUS) 1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Real Estate Follow Up Software (REFUS) 1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Real-Time Server 1.10.zip/Real-Time Server 1.10.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Real-Time Server 1.10.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Recolored 1.0.1.zip/Recolored 1.0.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Recolored 1.0.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Red Cells 1.0.2.zip/Red Cells 1.0.2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Red Cells 1.0.2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\RefreshForce 1.10.zip/RefreshForce 1.10.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\RefreshForce 1.10.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Registry Explorer 1.4.4.zip/Registry Explorer 1.4.4.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Registry Explorer 1.4.4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Registry Master 2.0.1 (Cracked).zip/Registry Master 2.0.1 (Cracked).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Registry Master 2.0.1 (Cracked).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Restaurant Billing Software 4.5 Crack.zip/Restaurant Billing Software 4.5 Crack.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Restaurant Billing Software 4.5 Crack.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Revel 1.1.0.zip/Revel 1.1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Revel 1.1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Scheduler 1.0.zip/Scheduler 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Scheduler 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ShredIt 5.7.zip/ShredIt 5.7.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ShredIt 5.7.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\SiteMonNak 2004 V1.0.0 (Key+Serial).zip/SiteMonNak 2004 V1.0.0 (Key+Serial).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\SiteMonNak 2004 V1.0.0 (Key+Serial).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\sMonitor 4.1 build 1250.zip/sMonitor 4.1 build 1250.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\sMonitor 4.1 build 1250.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\SnippetEdit 1.0.zip/SnippetEdit 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\SnippetEdit 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Softstunt MP4 Video Converter 2.0.zip/Softstunt MP4 Video Converter 2.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Softstunt MP4 Video Converter 2.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Softstunt Video to iPod Zune PSP 3GP 2.0 Serial.zip/Softstunt Video to iPod Zune PSP 3GP 2.0 Serial.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Softstunt Video to iPod Zune PSP 3GP 2.0 Serial.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Soliton 3.1.zip/Soliton 3.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Soliton 3.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Sound Energy Volume Control 1.0.zip/Sound Energy Volume Control 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Sound Energy Volume Control 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Spam Sweeper 3.4.zip/Spam Sweeper 3.4.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Spam Sweeper 3.4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Spank the Frank 1.zip/Spank the Frank 1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Spank the Frank 1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Speaking Calendar 6.6.8 [Patch].zip/Speaking Calendar 6.6.8 [Patch].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Speaking Calendar 6.6.8 [Patch].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Spy-Kill Deluxe Edition 3.65.zip/Spy-Kill Deluxe Edition 3.65.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Spy-Kill Deluxe Edition 3.65.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\SunRav TestOfficePro 4.7.zip/SunRav TestOfficePro 4.7.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\SunRav TestOfficePro 4.7.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\SuperBot 4.7.0.70.zip/SuperBot 4.7.0.70.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\SuperBot 4.7.0.70.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Survey Import & Export 2005 3.0 Crack.zip/Survey Import & Export 2005 3.0 Crack.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Survey Import & Export 2005 3.0 Crack.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Table Tennis Pro V2 2.32.zip/Table Tennis Pro V2 2.32.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Table Tennis Pro V2 2.32.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Task Force 4 2.5a.zip/Task Force 4 2.5a.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Task Force 4 2.5a.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\TBClamWin 0.99b.zip/TBClamWin 0.99b.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\TBClamWin 0.99b.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Teddy Bear Demo Screensaver 1.0.zip/Teddy Bear Demo Screensaver 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Teddy Bear Demo Screensaver 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Teker 1.1.zip/Teker 1.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Teker 1.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Temproact 11.8.zip/Temproact 11.8.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Temproact 11.8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Text Splitter 1.02.zip/Text Splitter 1.02.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Text Splitter 1.02.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Timeless Time & Expense 2.6.11.zip/Timeless Time & Expense 2.6.11.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Timeless Time & Expense 2.6.11.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Timer 3.0.zip/Timer 3.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Timer 3.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\TradingSolutions 4.0.070618 (With Crack).zip/TradingSolutions 4.0.070618 (With Crack).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\TradingSolutions 4.0.070618 (With Crack).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\TurboLaunch 5.0.10 [Crack].zip/TurboLaunch 5.0.10 [Crack].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\TurboLaunch 5.0.10 [Crack].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Tweak Total Commander 6.0.3.zip/Tweak Total Commander 6.0.3.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Tweak Total Commander 6.0.3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Unreal Tournament 2004 Remote Strike mod.zip/Unreal Tournament 2004 Remote Strike mod.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Unreal Tournament 2004 Remote Strike mod.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Vancouver Gas Prices 1.0.zip/Vancouver Gas Prices 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped

EasyEEE
2008-01-24, 00:02
KASPERSKY ONLINE SCANNER REPORT - PART 4(?)

C:\Documents and Settings\Owner\Application Data\m\shared\Vancouver Gas Prices 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\VBAcodePrint97 1.4.67 (Cracked).zip/VBAcodePrint97 1.4.67 (Cracked).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\VBAcodePrint97 1.4.67 (Cracked).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Vidmex 1.38 [With Crack].zip/Vidmex 1.38 [With Crack].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Vidmex 1.38 [With Crack].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\View-It 1.3.25.zip/View-It 1.3.25.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\View-It 1.3.25.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\VisioForge Video Edit ActiveX Version 3.0.zip/VisioForge Video Edit ActiveX Version 3.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\VisioForge Video Edit ActiveX Version 3.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Visual CD Ripper 2.20 Crack.zip/Visual CD Ripper 2.20 Crack.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Visual CD Ripper 2.20 Crack.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\VLViewPort 1.0.zip/VLViewPort 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\VLViewPort 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Watching Bart 1.0.zip/Watching Bart 1.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Watching Bart 1.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\WatermarkIt 1.0.1.8.zip/WatermarkIt 1.0.1.8.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\WatermarkIt 1.0.1.8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Whizlabs MCSE Exam (70-215) Simulator 6.zip/Whizlabs MCSE Exam (70-215) Simulator 6.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Whizlabs MCSE Exam (70-215) Simulator 6.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Wildlife Animals Screen Saver 3.0 Key+Serial.zip/Wildlife Animals Screen Saver 3.0 Key+Serial.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Wildlife Animals Screen Saver 3.0 Key+Serial.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\WinBackup 2.0 Professional 2.0 (2.1.2).zip/WinBackup 2.0 Professional 2.0 (2.1.2).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\WinBackup 2.0 Professional 2.0 (2.1.2).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Windows Commander Widget 1.0.2.zip/Windows Commander Widget 1.0.2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Windows Commander Widget 1.0.2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Winfiltre English version 3.1.zip/Winfiltre English version 3.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Winfiltre English version 3.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\WinPersonalizer 5.3.2.zip/WinPersonalizer 5.3.2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\WinPersonalizer 5.3.2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\WinSettings Pro 2.zip/WinSettings Pro 2.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\WinSettings Pro 2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\WMA To WAV Converter 1.00.zip/WMA To WAV Converter 1.00.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\WMA To WAV Converter 1.00.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\X-Cleaner 4.0.0 [Serial].zip/X-Cleaner 4.0.0 [Serial].exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\X-Cleaner 4.0.0 [Serial].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\XLplus 2.0.18.zip/XLplus 2.0.18.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\XLplus 2.0.18.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Xteq Explorer LaunchPad 2.1.zip/Xteq Explorer LaunchPad 2.1.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Xteq Explorer LaunchPad 2.1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\YaCy 0.50.zip/YaCy 0.50.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\YaCy 0.50.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Yahadi 4.5 (Patch).zip/Yahadi 4.5 (Patch).exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\Yahadi 4.5 (Patch).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ZoomBlaster Photo-Web 4.5.zip/ZoomBlaster Photo-Web 4.5.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ZoomBlaster Photo-Web 4.5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ZSplitter 2.0.zip/ZSplitter 2.0.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\ZSplitter 2.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\[app.eng]Nod32.v.2.70.16.Nt.2000.Xp.2003.vista.x64.patch.fix.2.1.freddy.zip/[app.eng]Nod32.v.2.70.16.Nt.2000.Xp.2003.vista.x64.patch.fix.2.1.freddy.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\[app.eng]Nod32.v.2.70.16.Nt.2000.Xp.2003.vista.x64.patch.fix.2.1.freddy.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\m\shared\[ITA.+.PTBR].Avast!.Antivirus.4.6.691.Professional.Edition.+.Keygen_by_zicadu.zip/[ITA.+.PTBR].Avast!.Antivirus.4.6.691.Professional.Edition.+.Keygen_by_zicadu.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Owner\Application Data\m\shared\[ITA.+.PTBR].Avast!.Antivirus.4.6.691.Professional.Edition.+.Keygen_by_zicadu.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Adobe\Updater5\aumLib.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Power2Go\CLML\CLDB.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008012320080124\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Acr7820.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\lilo2 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\lilo3 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

EasyEEE
2008-01-24, 00:03
Probably shouldn't have been using FireFox..

KASPERSKY ONLINE SCANNER REPORT - PART 5


C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\QooBox\Quarantine\C\Documents and Settings\Owner\Application Data\m\flec006.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\124687.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\137687.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\139546.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\14720625.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\14747859.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\14751312.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\29338000.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\29343687.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\29345671.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\43844406.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\43850421.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\43892437.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\hldrrr.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mdelk.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\catchme2008-01-23_132818.17.zip/wintems.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\catchme2008-01-23_132818.17.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\Registry_backups\LEGACY_SROSA.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\QooBox\Quarantine\Registry_backups\services_srosa.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001424.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001431.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001442.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001443.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001450.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001490.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001493.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001728.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001729.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001730.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001744.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001757.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001766.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001767.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001768.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001773.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001776.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001782.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001785.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001840.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001886.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001888.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001889.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001912.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001913.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001916.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001917.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001938.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001941.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0001942.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0002820.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0002823.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0002824.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0002826.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0002828.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0002829.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0002866.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0002868.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0002869.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0002893.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0002895.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0002896.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0002917.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0002918.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0002919.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP14\change.log Object is locked skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000139.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000141.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000142.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000144.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000145.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000146.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000147.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000148.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000149.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000150.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000151.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000152.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000155.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000156.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000158.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000159.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000176.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000177.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5\A0000299.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5\A0000300.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5\A0000317.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5\A0000318.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000452.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000453.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000460.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000484.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000494.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000660.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000663.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000730.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000734.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP7\A0000940.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{11222285-D408-4DC9-A291-CBD1F33671F5}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7e8.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP14\change.log Object is locked skipped

Scan process completed.

Rorschach112
2008-01-24, 00:21
I think firefox is the least of your worries

This is what you get for using cracks


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.



Also you can pretty much delete this folder, all the zip and exe files are rootkits

C:\Documents and Settings\Owner\Application Data\m

EasyEEE
2008-01-24, 01:58
Yeah, I've gotten lazy with swapping CD's over the last 15 years.

Two quick questions, these two .bat files

A0002764.bat;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP12;Probably BATCH.Virus;Renamed.;
A0002944.bat;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Probably BATCH.Virus;;

I accidently renamed the first one.. should I delete those? Dr.Web did not. Below is the rest of the report. I still have Dr.Web open.

Also, is there ANY anti-virus program one can run to prevent a virus from uninstalling it? Otherwise, what's the point?

Again, thanks for your help. Will steer clear of those things.

Dr.Web

ComboFix.bat;C:\ComboFix;Probably BATCH.Virus;;
A0002764.bat;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP12;Probably BATCH.Virus;Renamed.;
A0002944.bat;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Probably BATCH.Virus;;
googletoolbarnotifier.exe;c:\program files\google\googletoolbarnotifier\1.2.1128.5462;Win32.HLLM.Beagle;Deleted.;
flec006.exe.vir;C:\QooBox\Quarantine\C\Documents and Settings\Owner\Application Data\m;Win32.HLLM.Beagle;Deleted.;
mdelk.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Win32.HLLM.Beagle;Deleted.;
hldrrr.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers;Win32.HLLM.Beagle;Deleted.;
124687.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down;Win32.HLLM.Beagle;Deleted.;
134390.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down;Trojan.PWS.Nerf;Deleted.;
137687.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down;Win32.HLLM.Beagle;Deleted.;
139546.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down;Win32.HLLM.Beagle;Deleted.;
14720625.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down;Win32.HLLM.Beagle;Deleted.;
14747859.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down;Win32.HLLM.Beagle;Deleted.;
14751312.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down;Win32.HLLM.Beagle;Deleted.;
29338000.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down;Win32.HLLM.Beagle;Deleted.;
29343687.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down;Win32.HLLM.Beagle;Deleted.;
29345671.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down;Win32.HLLM.Beagle;Deleted.;
43844406.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down;Win32.HLLM.Beagle;Deleted.;
43850421.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down;Win32.HLLM.Beagle;Deleted.;
43892437.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down;Win32.HLLM.Beagle;Deleted.;
A0001422.sys;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10;Win32.HLLM.Beagle;Deleted.;
A0001424.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10;Win32.HLLM.Beagle;Deleted.;
A0001431.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10;Win32.HLLM.Beagle;Deleted.;
A0001440.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10;Trojan.PWS.Nerf;Deleted.;
A0001442.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10;Win32.HLLM.Beagle;Deleted.;
A0001443.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10;Win32.HLLM.Beagle;Deleted.;
A0001447.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10;Trojan.PWS.Nerf;Deleted.;
A0001450.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10;Win32.HLLM.Beagle;Deleted.;
A0001490.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10;Win32.HLLM.Beagle;Deleted.;
A0001492.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10;Trojan.PWS.Nerf;Deleted.;
A0001493.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10;Win32.HLLM.Beagle;Deleted.;
A0001523.sys;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10;Win32.HLLM.Beagle;Deleted.;
A0001651.sys;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10;Win32.HLLM.Beagle;Deleted.;
A0001691.sys;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10;Win32.HLLM.Beagle;Deleted.;
A0001728.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001729.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001730.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001744.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001756.sys;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001757.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001766.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001767.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001768.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001770.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Trojan.PWS.Nerf;Deleted.;
A0001772.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Trojan.PWS.Nerf;Deleted.;
A0001773.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001776.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001782.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001784.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Trojan.PWS.Nerf;Deleted.;
A0001785.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001838.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Trojan.PWS.Nerf;Deleted.;
A0001840.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001860.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Trojan.PWS.Nerf;Deleted.;
A0001886.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001888.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001889.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001911.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Trojan.PWS.Nerf;Deleted.;
A0001912.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001913.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001915.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Trojan.PWS.Nerf;Deleted.;
A0001916.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001917.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001938.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001940.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Trojan.PWS.Nerf;Deleted.;
A0001941.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0001942.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11;Win32.HLLM.Beagle;Deleted.;
A0002820.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Win32.HLLM.Beagle;Deleted.;
A0002822.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Trojan.PWS.Nerf;Deleted.;
A0002823.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Win32.HLLM.Beagle;Deleted.;
A0002824.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Win32.HLLM.Beagle;Deleted.;
A0002826.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Win32.HLLM.Beagle;Deleted.;
A0002828.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Win32.HLLM.Beagle;Deleted.;
A0002829.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Win32.HLLM.Beagle;Deleted.;
A0002866.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Win32.HLLM.Beagle;Deleted.;
A0002868.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Win32.HLLM.Beagle;Deleted.;
A0002869.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Win32.HLLM.Beagle;Deleted.;
A0002893.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Win32.HLLM.Beagle;Deleted.;
A0002895.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Win32.HLLM.Beagle;Deleted.;
A0002896.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Win32.HLLM.Beagle;Deleted.;
A0002917.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Win32.HLLM.Beagle;Deleted.;
A0002918.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Win32.HLLM.Beagle;Deleted.;
A0002919.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13;Win32.HLLM.Beagle;Deleted.;
A0002989.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP14;Win32.HLLM.Beagle;Deleted.;
A0000022.sys;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000139.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000140.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Trojan.PWS.Nerf;Deleted.;
A0000141.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000142.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000143.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Trojan.PWS.Nerf;Deleted.;
A0000144.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000145.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000146.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000147.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000148.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000149.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000150.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000151.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000152.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000153.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Trojan.PWS.Nerf;Deleted.;
A0000154.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Trojan.PWS.Nerf;Deleted.;
A0000155.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000156.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000157.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Trojan.PWS.Nerf;Deleted.;
A0000158.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000159.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000175.sys;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000176.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000177.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4;Win32.HLLM.Beagle;Deleted.;
A0000299.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5;Win32.HLLM.Beagle;Deleted.;
A0000300.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5;Win32.HLLM.Beagle;Deleted.;
A0000315.sys;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5;Win32.HLLM.Beagle;Deleted.;
A0000317.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5;Win32.HLLM.Beagle;Deleted.;
A0000318.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5;Win32.HLLM.Beagle;Deleted.;
A0000451.sys;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6;Win32.HLLM.Beagle;Deleted.;
A0000452.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6;Win32.HLLM.Beagle;Deleted.;
A0000453.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6;Win32.HLLM.Beagle;Deleted.;
A0000460.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6;Win32.HLLM.Beagle;Deleted.;
A0000484.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6;Win32.HLLM.Beagle;Deleted.;
A0000493.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6;Trojan.PWS.Nerf;Deleted.;
A0000494.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6;Win32.HLLM.Beagle;Deleted.;
A0000510.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6;Trojan.PWS.Nerf;Deleted.;
A0000660.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6;Win32.HLLM.Beagle;Deleted.;
A0000662.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6;Trojan.PWS.Nerf;Deleted.;
A0000663.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6;Win32.HLLM.Beagle;Deleted.;
A0000667.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6;Trojan.PWS.Nerf;Deleted.;
A0000730.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6;Win32.HLLM.Beagle;Deleted.;
A0000733.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6;Trojan.PWS.Nerf;Deleted.;
A0000734.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6;Win32.HLLM.Beagle;Deleted.;
A0000940.exe;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP7;Win32.HLLM.Beagle;Deleted.;
A0001012.sys;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP8;Win32.HLLM.Beagle;Deleted.;
A0001247.sys;C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP9;Win32.HLLM.Beagle;Deleted.;

Rorschach112
2008-01-24, 02:10
Hello


I accidently renamed the first one.. should I delete those? Dr.Web did not. Below is the rest of the report. I still have Dr.Web open.
Don't worry about that


Also, is there ANY anti-virus program one can run to prevent a virus from uninstalling it? Otherwise, what's the point?
Anti-virus programs can only do so much, especially when people go out of their way to get infected.


Few things to do

You can delete the tools that we used

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)



Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.

EasyEEE
2008-01-24, 02:47
Sincerely appreciate your time, knowledge & patience.

Although I don't use it much, IE7 now opens up without hanging for 3-4 minutes.

I've done all the steps, and just installed SpywareBlaster, and am moving on to the others.

Thanks again!

-Brad

Rorschach112
2008-01-24, 02:51
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

For new problems, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

Everyone else please begin a New Topic.