View Full Version : hldrr again
Hi,
I already removed this malware once, but it came again.
When I started the computer and logged in today, the window popped up asking what file I want to crack. I new that this is ti, so I checked using CtrlAlt Del what program opened this window and I killed the bastard. It was GmailNotify (supprice).
Moments later Scotty told me that it killed the process which if I remember the name correctly was hldrr.
As I have SBS&D TeaTimer and Scotty I hope that if I remove it know before I restart it should be easier than last time.
I will apreciate your help.
Thanks in advance
Jacek
SpyBot Serach & Destroy reported
--- Search result list ---
Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start
Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-117609710-1085031214-725345543-1003\Software\FirstRRRun
Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, nothing done)
E:\WINDOWS\system32\drivers\down\
--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-02-18 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-03-05 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-03-05 Includes\DialerC.sbi (*)
2008-03-05 Includes\HeavyDuty.sbi (*)
2008-03-05 Includes\Hijackers.sbi (*)
2008-03-05 Includes\HijackersC.sbi (*)
2008-02-27 Includes\Keyloggers.sbi (*)
2008-03-05 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-27 Includes\Malware.sbi (*)
2008-03-05 Includes\MalwareC.sbi (*)
2008-02-20 Includes\PUPS.sbi (*)
2008-03-05 Includes\PUPSC.sbi (*)
2008-03-05 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-03-05 Includes\SecurityC.sbi (*)
2008-02-20 Includes\Spybots.sbi (*)
2008-03-05 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-02-27 Includes\Trojans.sbi (*)
2008-03-05 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
Deckard's System Scanner v20071014.68
Run by jacek on 2008-03-07 19:25:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------
System Drive E: has 1.58 GiB (less than 15%) free.
-- HijackThis (run as jacek.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:20 PM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\nfsclnt.exe
F:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
E:\Program Files\Common Files\LightScribe\LSSrvc.exe
F:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
E:\WINDOWS\System32\tcpsvcs.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\TVersity\Media Server\MediaServer.exe
E:\WINDOWS\System32\dmadmin.exe
E:\SFU\Mapper\mapsvc.exe
E:\WINDOWS\system32\nfssvc.exe
E:\WINDOWS\system32\pcnfsd.exe
F:\Program Files\PeerGuardian2\pg2.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\S3trayp.exe
F:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
E:\WINDOWS\system32\LVCOMSX.EXE
E:\Program Files\Canon\MyPrinter\BJMyPrt.exe
E:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\PROGRA~1\Yahoo!\YOP\yop.exe
E:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
E:\WINDOWS\system32\VTTimer.exe
E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
F:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
F:\program files\ActiveSync\WCESCOMM.EXE
E:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Messenger\msmsgs.exe
E:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
E:\Documents and Settings\jacek\Desktop\WinPFind35u\WinPFind35U.exe
E:\WINDOWS\notepad.exe
E:\Program Files\Norton Security Scan\Nss.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Documents and Settings\jacek\Desktop\dss.exe
C:\PLIKIZ~1\jacek.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - E:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - F:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Windows Media Connect 2] "E:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "E:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [OpwareSE4] "F:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] E:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [CanonMyPrinter] E:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [AudioDeck] E:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [YOP] E:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] E:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [A8GSdsApp] E:\A8GSds\AGSeiApp.exe
O4 - HKLM\..\Run: [WinPatrol] E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [WMPNSCFG] E:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] F:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\program files\ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PeerGuardian] F:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-117609710-1085031214-725345543-1004\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe (User 'internet')
O4 - HKUS\S-1-5-21-117609710-1085031214-725345543-1004\..\Run: [WMPNSCFG] E:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'internet')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-117609710-1085031214-725345543-1004 Startup: eMule.lnk = F:\Program Files\e.47c\emule.exe (User 'internet')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Otlook2000\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - f:\PROGRA~1\ACTIVE~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - f:\PROGRA~1\ACTIVE~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - f:\PROGRA~1\ACTIVE~1\INetRepl.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - E:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (Software Center) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127678961638
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AFA411E-8DC4-4A1E-A58A-67B25AE56063}: NameServer = 10.0.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - F:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Unknown owner - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: LVSrvLauncher - Logitech Inc. - E:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton Ghost - Symantec Corporation - F:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TVersityMediaServer - Unknown owner - E:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 11376 bytes
-- Files created between 2008-02-07 and 2008-03-07 -----------------------------
2008-02-20 21:48:44 0 d-------- E:\Documents and Settings\internet\Application Data\Media Player Classic
2008-02-18 20:21:24 0 d-------- E:\Documents and Settings\jacek\Application Data\WinPatrol
2008-02-18 20:21:08 0 d-------- E:\Program Files\BillP Studios
2008-02-18 20:19:08 0 d-------- E:\WINDOWS\system32\drivers\down
2008-02-18 15:02:57 0 d-------- E:\WINDOWS\system32\ZoneLabs
2008-02-18 15:02:22 0 d-------- E:\WINDOWS\Internet Logs
2008-02-18 13:50:49 0 d-------- E:\cmdcons
2008-02-17 16:09:28 0 d-------- E:\WINDOWS\system32\NtmsData
2008-02-16 18:34:19 701247 --a------ E:\Documents and Settings\internet\SOUNDMAN.EXE
2008-02-16 17:32:03 0 d-------- E:\Documents and Settings\jacek\Application Data\Seven Zip
2008-02-16 15:27:50 0 d-------- E:\SDM_ALLzSansy
2008-02-16 12:47:19 0 d-------- E:\SDM
2008-02-10 16:26:21 0 d-------- E:\Program Files\TVersity
2008-02-07 21:44:56 0 d-------- E:\Program Files\Omron Healthcare
-- Find3M Report ---------------------------------------------------------------
2008-03-07 18:00:01 0 d-------- E:\Program Files\Norton Security Scan
2008-02-23 17:59:33 0 d-------- E:\Documents and Settings\jacek\Application Data\OpenOffice.org2
2008-02-20 09:31:49 0 d-------- E:\Program Files\Common Files\Symantec Shared
2008-02-18 17:18:33 0 d-------- E:\Program Files\Symantec
2008-02-18 17:17:06 0 d-------- E:\Program Files\Common Files
2008-02-18 16:00:21 0 d-------- E:\Documents and Settings\jacek\Application Data\Yahoo!
2008-02-18 15:35:29 0 d-------- E:\Program Files\Yahoo!
2008-02-18 15:03:59 4212 ---h----- E:\WINDOWS\system32\zllictbl.dat
2008-01-20 16:47:48 0 d-------- E:\Program Files\Apple Software Update
2008-01-19 19:42:13 0 d-------- E:\Documents and Settings\jacek\Application Data\Media Player Classic
2008-01-19 19:36:22 0 d-------- E:\Program Files\K-Lite Codec Pack
2008-01-19 19:36:17 0 d-------- E:\Documents and Settings\jacek\Application Data\Real
2007-12-24 13:49:52 7680 --a------ E:\WINDOWS\system32\ff_vfw.dll
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Media Connect 2"="E:\Program Files\Windows Media Connect 2\WMCCFG.exe" [10/18/2006 09:58 PM]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
"SSBkgdUpdate"="E:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [09/30/2003 12:14 AM]
"SoundMan"="SOUNDMAN.EXE" [03/01/2006 12:22 AM E:\WINDOWS\SOUNDMAN.EXE]
"S3Trayp"="S3trayp.exe" [10/31/2005 12:15 PM E:\WINDOWS\system32\S3Trayp.exe]
"OpwareSE4"="F:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [03/21/2006 01:19 PM]
"NeroFilterCheck"="E:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"LVCOMSX"="E:\WINDOWS\system32\LVCOMSX.EXE" [10/08/2004 10:52 AM]
"CanonMyPrinter"="E:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [03/21/2006 05:30 PM]
"AudioDeck"="E:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe" [11/02/2006 03:57 PM]
"Zone Labs Client"="E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [08/23/2006 11:38 PM]
"YOP"="E:\PROGRA~1\Yahoo!\YOP\yop.exe" [10/26/2007 03:42 PM]
"YBrowser"="E:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [12/09/2003 01:02 PM]
"VTTimer"="VTTimer.exe" [03/07/2005 03:33 AM E:\WINDOWS\system32\VTTimer.exe]
"A8GSdsApp"="E:\A8GSds\AGSeiApp.exe" [05/05/2007 12:15 AM]
"WinPatrol"="E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [01/26/2008 09:38 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="E:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/27/2004 03:08 AM]
"PhotoShow Deluxe Media Manager"="F:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe" [02/25/2005 04:28 PM]
"MsnMsgr"="E:\Program Files\MSN Messenger\MsnMsgr.exe" []
"H/PC Connection Agent"="F:\program files\ActiveSync\WCESCOMM.EXE" [08/09/2000 09:41 PM]
"Yahoo! Pager"="E:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" []
"SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"PeerGuardian"="F:\Program Files\PeerGuardian2\pg2.exe" [09/18/2005 06:40 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=E:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"F:\Program Files\Adobe\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DynDNS Updater]
"F:\Program Files\DynDNS Updater\DynDNS.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
F:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"E:\PROGRA~1\Symantec\osCheck.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"E:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"YPCService"=3 (0x3)
*Newly Created Service* - PGFILTER
-- End of Deckard's System Scanner: finished at 2008-03-07 19:25:39 ------------
[code]
WinPFind35 logfile created on: 3/7/2008 10:14:20 AM
WinPFind35U Version Beta52 Folder = E:\Documents and Settings\jacek\Desktop\WinPFind35u
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
895.29 Mb Total Physical Memory | 399.12 Mb Available Physical Memory | 44.58% Memory free
2.11 Gb Paging File | 1.57 Gb Available in Paging File | 74.42% Paging File free
Paging file location(s): C:\pagefile.sys 2 2;E:\pagefile.sys 1342 1342;
%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 232.88 Gb Total Space | 0.34 Gb Free Space | 0.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 29.49 Gb Total Space | 1.60 Gb Free Space | 5.43% Space Free | Partition Type: NTFS
Drive F: | 8.66 Gb Total Space | 0.16 Gb Free Space | 1.80% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
Drive H: | 3.72 Gb Total Space | 1.37 Gb Free Space | 36.81% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded
Computer Name: SYPIALNIA
Current User Name: jacek
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> (binary data) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction -> (binary data) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction -> (binary data) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{A50398B8-9075-4FBF-A7A1-456BF21937AD} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{AD65A69D-3831-40D7-9629-9B0B50A93843} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{0040D221-54A1-11D1-9DE0-006097042D69} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\\System.EnterpriseServices.Thunk.dll -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\\DisableMonitoring -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\\DisableMonitoring -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\\DisableMonitoring -> 1 ->
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ not found. -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages ->
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 8/3/2004 11:56:43 PM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> (binary data) ->
*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages ->
kerberos -> %SystemRoot%\system32\kerberos.dll -> Microsoft Corporation [Ver = 5.1.2600.2698 (xpsp_sp2_gdr.050614-1522) | Size = 295936 bytes | Modified Date = 6/15/2005 9:49:30 AM | Attr = ]
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 8/3/2004 11:56:43 PM | Attr = ]
schannel -> %SystemRoot%\system32\schannel.dll -> Microsoft Corporation [Ver = 5.1.2600.3126 (xpsp_sp2_gdr.070425-0226) | Size = 144896 bytes | Modified Date = 4/25/2007 6:21:15 AM | Attr = ]
wdigest -> %SystemRoot%\system32\wdigest.dll -> Microsoft Corporation [Ver = 5.1.2600.2784 (xpsp_sp2_gdr.051026-1715) | Size = 49152 bytes | Modified Date = 10/26/2005 7:03:53 PM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 1104 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 ->
*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages ->
scecli -> %SystemRoot%\system32\scecli.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 180224 bytes | Modified Date = 8/3/2004 11:56:44 PM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\enabledcom -> y ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> ->
*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder ->
Windows NT Access Provider -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> E:\WINDOWS\system32\ntmarta.dll [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 118784 bytes | Modified Date = 8/3/2004 11:56:44 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\Auth132 -> E:\WINDOWS\system32\iissuba.dll [IISSUBA] -> Microsoft Corporation [Ver = 6.0.2600.0 (xpclient.010817-1148) | Size = 9216 bytes | Modified Date = 8/23/2001 4:00:00 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminclientsec -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminserversec -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\Auth170 -> E:\WINDOWS\system32\nfssa.dll [nfssa] -> Microsoft Corporation [Ver = 8.0.1969.1 | Size = 5424 bytes | Modified Date = 11/8/2003 1:42:36 PM | Attr = R ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> E:\WINDOWS\system32\svchost.exe [%SystemRoot%\System32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/3/2004 11:56:57 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Windows Firewall/Internet Connection Sharing (ICS) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 11593 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> E:\WINDOWS\system32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 331264 bytes | Modified Date = 8/3/2004 11:56:42 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\S\ -> ->
-> Reg Error: Key does not exist or could not be opened. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\\Security -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{E1DC7464-91E6-4B4D-B36B-37D01AE64F49} -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\All -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> E:\WINDOWS\system32\svchost.exe [%systemroot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/3/2004 11:56:57 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> E:\WINDOWS\system32\wuauserv.dll [E:\WINDOWS\system32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.3790.2180 (xpsp_sp2_rtm.040803-2158) | Size = 6656 bytes | Modified Date = 8/3/2004 11:56:46 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Description -> Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. ->
*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DependOnService ->
RPCSS -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 7/25/2005 8:39:49 PM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DisplayName -> Remote Registry ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ImagePath -> E:\WINDOWS\system32\svchost.exe [%SystemRoot%\system32\svchost.exe -k LocalService] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/3/2004 11:56:57 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ObjectName -> NT AUTHORITY\LocalService ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Group -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\FailureActions -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\\ServiceDll -> E:\WINDOWS\system32\regsvc.dll [%SystemRoot%\system32\regsvc.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 59904 bytes | Modified Date = 8/3/2004 11:56:44 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\\Security -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\0 -> Root\LEGACY_REMOTEREGISTRY\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Type -> 16 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Start -> 3 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ImagePath -> E:\WINDOWS\system32\tlntsvr.exe [E:\WINDOWS\System32\tlntsvr.exe] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 73216 bytes | Modified Date = 8/3/2004 11:56:57 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DisplayName -> Telnet ->
*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnService ->
RPCSS -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 7/25/2005 8:39:49 PM | Attr = ]
TCPIP -> -> File not found
NTLMSSP -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnGroup -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Description -> Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\\Security -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 ->
< End of report >
[/code]
Saturday, March 08, 2008 1:06:53 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/03/2008
Kaspersky Anti-Virus database records: 612708
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Memory
Scan Statistics
Total number of scanned objects 3227
Number of viruses found 1
Number of infected objects 15
Number of suspicious objects 0
Duration of the scan process 00:01:09
Infected Object Name Virus Name Last Action
[1404] SOUNDMAN.EXE => E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
[1412] S3Trayp.exe => E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
[1420] OpWareSE4.exe => E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
[1444] LVCOMSX.EXE => E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
[1456] BJMYPRT.EXE => E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
[1464] ADeck.exe => E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
[1496] yop.exe => E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
[1516] ybrwicon.exe => E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
[1544] VTTimer.exe => E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
[1552] AGSeiApp.exe => E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
[1560] WinPatrol.exe => E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
[1864] ycommon.exe => E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
[716] WCESCOMM.EXE => E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
[1796] msmsgs.exe => E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
[2328] emule.exe => E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
Scan process completed.
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 08, 2008 11:32:31 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/03/2008
Kaspersky Anti-Virus database records: 612708
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics
Total number of scanned objects 107036
Number of viruses found 3
Number of infected objects 10
Number of suspicious objects 0
Duration of the scan process 02:15:34
Infected Object Name Virus Name Last Action
C:\._nfs\DRIVEC.NDX Object is locked skipped
C:\._nfs\DRIVEC.NOD Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Media Player Classic\default.mpcpl Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Microsoft\HTML Help\hh.dat Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Microsoft\Internet Explorer\brndlog.bak Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Microsoft\Internet Explorer\brndlog.txt Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Microsoft\Internet Explorer\Desktop.htt Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Microsoft\Media Player\001C2DFD.wpl Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Microsoft\Protect\CREDHIST Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Microsoft\Protect\S-1-5-21-796845957-1383384898-839522115-1003\cb703e00-ff11-40ee-9810-253d5a4a5a2c Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Microsoft\Protect\S-1-5-21-796845957-1383384898-839522115-1003\Preferred Object is locked skipped
C:\Documents and Settings\Jacek\Application Data\Microsoft\Windows\Themes\Custom.theme Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@1072708089[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@advertising[2].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@adz.afterdawn[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@afterdawn.us.intellitxt[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@afterdawn[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@atdmt[2].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@att[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@c.msn[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@cgi-bin[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@doubleclick[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@duplexsecure[2].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@forums.tversity[2].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@free-codecs[2].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@freecodecs.us.intellitxt[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@h.msn[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@hotmail.msn[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@ie.search.msn[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@kontera[2].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@live[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@login.live[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@m.webtrends[2].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@mediaplex[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@microsoft[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@msdn2.microsoft[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@msnportal.112.2o7[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@msn[2].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@picasa.google[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@questionmarket[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@rad.msn[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@runner.splunk[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@s3.amazonaws[2].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@search.msn[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@sourceforge[2].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@splunk[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@statcounter[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@tradedoubler[2].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@tribalfusion[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@tversity[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@www.afterdawn[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@www.codec-download[2].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@www.msn[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@www.octave[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@www.tweaktown[1].txt Object is locked skipped
C:\Documents and Settings\Jacek\Cookies\jacek@www2.daemon-tools[2].txt Object is locked skipped
C:\Documents and Settings\Jacek\Desktop\Donate To DemonSpeed.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Desktop\TVersity.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Favorites\Desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\Favorites\DirectShow Registry Settings.url Object is locked skipped
C:\Documents and Settings\Jacek\Favorites\Links\Customize Links.url Object is locked skipped
C:\Documents and Settings\Jacek\Favorites\Links\Free Hotmail.url Object is locked skipped
C:\Documents and Settings\Jacek\Favorites\Links\Windows Marketplace.url Object is locked skipped
C:\Documents and Settings\Jacek\Favorites\Links\Windows Media.url Object is locked skipped
C:\Documents and Settings\Jacek\Favorites\Links\Windows.url Object is locked skipped
C:\Documents and Settings\Jacek\Favorites\MSN.com.url Object is locked skipped
C:\Documents and Settings\Jacek\Favorites\Radio Station Guide.url Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Application Data\GDIPFONTCACHEV1.DAT Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Application Data\IconCache.db Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Application Data\Microsoft\Media Player\wmpfolders.wmdb Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.DTD Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.XML Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\History\desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\History\History.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\History\History.IE5\MSHist012007041620070423\index.dat Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\History\History.IE5\MSHist012007042320070430\index.dat Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\History\History.IE5\MSHist012007051220070513\index.dat Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd1.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd10.tmp\main.lzx.swf Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd10.tmp\rd11.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd10.tmp\rd12.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd10.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd10.tmp\____swmx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd10.tmp\____swmxs Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd11.tmp\main.lzx.swf Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd11.tmp\rd12.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd11.tmp\rd13.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd11.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd11.tmp\____swmx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd11.tmp\____swmxs Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd13.tmp\main.lzx.swf Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd13.tmp\rd14.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd13.tmp\rd15.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd13.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd13.tmp\____swmx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd13.tmp\____swmxs Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd2.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd21.tmp\main.lzx.swf Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd21.tmp\rd22.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd21.tmp\rd23.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd21.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd21.tmp\____swmx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd21.tmp\____swmxs Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd3.tmp\main.lzx.swf Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd3.tmp\rd4.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd3.tmp\rd5.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd3.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd3.tmp\____swmx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd3.tmp\____swmxs Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd35.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd38.tmp\main.lzx.swf Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd38.tmp\rd39.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd38.tmp\rd3A.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd38.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd38.tmp\____swmx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd38.tmp\____swmxs Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd4.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd5.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd6.tmp\main.lzx.swf Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd6.tmp\rd7.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd6.tmp\rd8.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd6.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd6.tmp\____swmx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd6.tmp\____swmxs Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd7.tmp\main.lzx.swf Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd7.tmp\rd8.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd7.tmp\rd9.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd7.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd7.tmp\____swmx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd7.tmp\____swmxs Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd8.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd9.tmp\main.lzx.swf Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd9.tmp\rdA.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd9.tmp\rdB.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd9.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd9.tmp\____swmx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rd9.tmp\____swmxs Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdA.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdB.tmp\main.lzx.swf Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdB.tmp\rdC.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdB.tmp\rdD.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdB.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdB.tmp\____swmx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdB.tmp\____swmxs Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdC.tmp\main.lzx.swf Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdC.tmp\rdD.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdC.tmp\rdE.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdC.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdC.tmp\____swmx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdC.tmp\____swmxs Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdD.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdE.tmp\main.lzx.swf Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdE.tmp\rd10.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdE.tmp\rdF.tmp Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdE.tmp\____mmfp.ocx Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temp\rdE.tmp\____swmx Object is locked skipped
I REMOVED TONS OF IE5 context which I'm not using anymore
C:\Documents and Settings\Jacek\Local Settings\Temporary Internet Files\Content.IE5\26EO0XW8\browse[13] Object is locked skipped
C:\Documents and Settings\Jacek\Local Settings\Temporary Internet Files\desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\My Documents\desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\My Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\My Documents\My Music\Sample Music.lnk Object is locked skipped
C:\Documents and Settings\Jacek\My Documents\My Pictures\Desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\My Documents\My Pictures\Sample Pictures.lnk Object is locked skipped
C:\Documents and Settings\Jacek\My Documents\My Videos\Desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jacek\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Jacek\ntuser.ini Object is locked skipped
C:\Documents and Settings\Jacek\Recent\casualcomments.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\config.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\C_Drive.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\Desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\Recent\Desktop.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\FAT32_GENER (E).lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\Incoming.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\lost.s01e17....in.translation.hdtv-lol.www!OSIOLEK!com.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\lucent win modem drivers.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\Media Server.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\MOvies.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\plik teksowy.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\PlikiZinternetu.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\profiles.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\sciagado Codecs.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\TranscodigVideo.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\tversity.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\UPNP_AV_MediaServer_1.0.allservices.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\UPNP_AV_MediaServer_1.0.default.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\VIA0571.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Recent\wmv.lnk Object is locked skipped
C:\Documents and Settings\Jacek\SendTo\Compressed (zipped) Folder.ZFSendToTarget Object is locked skipped
C:\Documents and Settings\Jacek\SendTo\Desktop (create shortcut).DeskLink Object is locked skipped
C:\Documents and Settings\Jacek\SendTo\desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\SendTo\Mail Recipient.MAPIMail Object is locked skipped
C:\Documents and Settings\Jacek\SendTo\My Documents.mydocs Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Accessories\Accessibility\desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Accessories\Address Book.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Accessories\Command Prompt.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Accessories\desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Accessories\Entertainment\desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Accessories\Notepad.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Accessories\Synchronize.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Accessories\Tour Windows XP.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Accessories\Windows Explorer.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Internet Explorer.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Outlook Express.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Remote Assistance.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Startup\desktop.ini Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\TVersity Media Server\TVersity Media Server.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\TVersity Media Server\TVersity Tools\Restart TVersity Media Server.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\TVersity Media Server\TVersity Tools\Share Media Command Prompt.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\TVersity Media Server\TVersity Tools\Start TVersity Media Server.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\TVersity Media Server\TVersity Tools\Stop TVersity Media Server.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\TVersity Media Server\Uninstall.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\TVersity Media Server\Website.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Start Menu\Programs\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Jacek\Templates\amipro.sam Object is locked skipped
C:\Documents and Settings\Jacek\Templates\excel.xls Object is locked skipped
C:\Documents and Settings\Jacek\Templates\excel4.xls Object is locked skipped
C:\Documents and Settings\Jacek\Templates\lotus.wk4 Object is locked skipped
C:\Documents and Settings\Jacek\Templates\powerpnt.ppt Object is locked skipped
C:\Documents and Settings\Jacek\Templates\presenta.shw Object is locked skipped
C:\Documents and Settings\Jacek\Templates\quattro.wb2 Object is locked skipped
C:\Documents and Settings\Jacek\Templates\sndrec.wav Object is locked skipped
C:\Documents and Settings\Jacek\Templates\winword.doc Object is locked skipped
C:\Documents and Settings\Jacek\Templates\winword2.doc Object is locked skipped
C:\Documents and Settings\Jacek\Templates\wordpfct.wpd Object is locked skipped
C:\Documents and Settings\Jacek\Templates\wordpfct.wpg Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\_OTMoveIt\MovedFiles\02172008_230333\WINDOWS\system32\drivers\srosa.sys Infected: Trojan-Downloader.Win32.Bagle.jy skipped
E:\A8GSds\msvb.dll Infected: Trojan.Win32.Hooker.j skipped
E:\Documents and Settings\Administrator.SYPIALNIA\ntuser.dat Object is locked skipped
E:\Documents and Settings\Administrator.SYPIALNIA\NTUSER.DAT.LOG Object is locked skipped
E:\Documents and Settings\All Users\ntuser.dat Object is locked skipped
E:\Documents and Settings\All Users\ntuser.dat.LOG Object is locked skipped
E:\Documents and Settings\internet\Cookies\index.dat Object is locked skipped
E:\Documents and Settings\internet\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\internet\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\internet\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\internet\Local Settings\temp\WCESCOMM.LOG Object is locked skipped
E:\Documents and Settings\internet\Local Settings\temp\~DF430D.tmp Object is locked skipped
E:\Documents and Settings\internet\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\Documents and Settings\internet\ntuser.dat Object is locked skipped
E:\Documents and Settings\internet\NTUSER.DAT.LOG Object is locked skipped
E:\Documents and Settings\internet\SOUNDMAN.EXE Infected: Trojan-Downloader.Win32.Bagle.jv skipped
E:\Documents and Settings\jacek\Application Data\Mozilla\Firefox\Profiles\tf1prbid.Default User\cert8.db Object is locked skipped
E:\Documents and Settings\jacek\Application Data\Mozilla\Firefox\Profiles\tf1prbid.Default User\formhistory.dat Object is locked skipped
E:\Documents and Settings\jacek\Application Data\Mozilla\Firefox\Profiles\tf1prbid.Default User\history.dat Object is locked skipped
E:\Documents and Settings\jacek\Application Data\Mozilla\Firefox\Profiles\tf1prbid.Default User\key3.db Object is locked skipped
E:\Documents and Settings\jacek\Application Data\Mozilla\Firefox\Profiles\tf1prbid.Default User\parent.lock Object is locked skipped
E:\Documents and Settings\jacek\Application Data\Mozilla\Firefox\Profiles\tf1prbid.Default User\search.sqlite Object is locked skipped
E:\Documents and Settings\jacek\Application Data\Mozilla\Firefox\Profiles\tf1prbid.Default User\urlclassifier2.sqlite Object is locked skipped
E:\Documents and Settings\jacek\Cookies\index.dat Object is locked skipped
E:\Documents and Settings\jacek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\jacek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\jacek\Local Settings\Application Data\Mozilla\Firefox\Profiles\tf1prbid.Default User\Cache\_CACHE_001_ Object is locked skipped
E:\Documents and Settings\jacek\Local Settings\Application Data\Mozilla\Firefox\Profiles\tf1prbid.Default User\Cache\_CACHE_002_ Object is locked skipped
E:\Documents and Settings\jacek\Local Settings\Application Data\Mozilla\Firefox\Profiles\tf1prbid.Default User\Cache\_CACHE_003_ Object is locked skipped
E:\Documents and Settings\jacek\Local Settings\Application Data\Mozilla\Firefox\Profiles\tf1prbid.Default User\Cache\_CACHE_MAP_ Object is locked skipped
E:\Documents and Settings\jacek\Local Settings\Application Data\Mozilla\Firefox\Profiles\tf1prbid.Default User\XUL.mfl Object is locked skipped
E:\Documents and Settings\jacek\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\jacek\Local Settings\History\History.IE5\MSHist012008030820080309\index.dat Object is locked skipped
E:\Documents and Settings\jacek\Local Settings\Temp\Perflib_Perfdata_490.dat Object is locked skipped
E:\Documents and Settings\jacek\Local Settings\Temp\WCESCOMM.LOG Object is locked skipped
E:\Documents and Settings\jacek\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\Documents and Settings\jacek\My Documents\Downloads\goldeneyekeylog\goldeneyekeylog\gesetup.exe/file22 Infected: Trojan.Win32.Hooker.j skipped
E:\Documents and Settings\jacek\My Documents\Downloads\goldeneyekeylog\goldeneyekeylog\gesetup.exe Inno: infected - 1 skipped
E:\Documents and Settings\jacek\ntuser.dat Object is locked skipped
E:\Documents and Settings\jacek\NTUSER.DAT.LOG Object is locked skipped
E:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-03-08 15:53:12
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xF53548D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xF53512D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xF535C0D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xF5354C60]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xF535AEE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xF535B110]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xF535E6D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xF5354D40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xF5351950]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xF535D0B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xF535CD00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xF535AC50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xF535D3E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xF53517A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xF535A9A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xF535A7C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xF535D6D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xF5354570]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xF535D980]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xF5354A80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xF5351AC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xF535C897]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xF535B340]
---- Kernel code sections - GMER 1.0.14 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2C44 805039F8 12 Bytes [ 60, 4C, 35, F5, E0, AE, 35, ... ]
? srescan.sys The system cannot find the file specified. !
.text ntkrnlpa.exe!ZwYieldExecution + 31EC 805039F8 12 Bytes [ 60, 4C, 35, F5, E0, AE, 35, ... ]
---- User code sections - GMER 1.0.14 ----
.text E:\Documents and Settings\jacek\Desktop\gmer\gmer.exe[812] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 00CCE854 E:\A8GSds\msvb.dll
.text E:\Documents and Settings\jacek\Desktop\gmer\gmer.exe[812] USER32.DLL!EnumWindows 7E41CD97 6 Bytes JMP 00CCE82C E:\A8GSds\msvb.dll
.text E:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[1168] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 00F9E854 E:\A8GSds\msvb.dll
.text E:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[1168] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 00F9E82C E:\A8GSds\msvb.dll
.text E:\PROGRA~1\Yahoo!\YOP\yop.exe[1200] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 01B6E854 E:\A8GSds\msvb.dll
.text E:\PROGRA~1\Yahoo!\YOP\yop.exe[1200] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 01B6E82C E:\A8GSds\msvb.dll
.text E:\WINDOWS\system32\LVCOMSX.EXE[1312] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 0126E854 E:\A8GSds\msvb.dll
.text E:\WINDOWS\system32\LVCOMSX.EXE[1312] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 0126E82C E:\A8GSds\msvb.dll
.text E:\WINDOWS\system32\S3trayp.exe[1744] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 00B9E854 E:\A8GSds\msvb.dll
.text E:\WINDOWS\system32\S3trayp.exe[1744] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 00B9E82C E:\A8GSds\msvb.dll
.text E:\Program Files\Canon\MyPrinter\BJMyPrt.exe[2180] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 00ACE854 E:\A8GSds\msvb.dll
.text E:\Program Files\Canon\MyPrinter\BJMyPrt.exe[2180] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 00ACE82C E:\A8GSds\msvb.dll
.text E:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe[2188] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 010CE854 E:\A8GSds\msvb.dll
.text E:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe[2188] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 010CE82C E:\A8GSds\msvb.dll
.text E:\WINDOWS\SOUNDMAN.EXE[2232] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 00CFE854 E:\A8GSds\msvb.dll
.text E:\WINDOWS\SOUNDMAN.EXE[2232] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 00CFE82C E:\A8GSds\msvb.dll
.text E:\WINDOWS\system32\VTTimer.exe[2260] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 003EE854 E:\A8GSds\msvb.dll
.text E:\WINDOWS\system32\VTTimer.exe[2260] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 003EE82C E:\A8GSds\msvb.dll
.text E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[2268] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 003EE854 E:\A8GSds\msvb.dll
.text E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[2268] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 003EE82C E:\A8GSds\msvb.dll
.text F:\program files\ActiveSync\WCESCOMM.EXE[2536] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 00F4E854 E:\A8GSds\msvb.dll
.text F:\program files\ActiveSync\WCESCOMM.EXE[2536] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 00F4E82C E:\A8GSds\msvb.dll
.text E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2676] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 0307E854 E:\A8GSds\msvb.dll
.text E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2676] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 0307E82C E:\A8GSds\msvb.dll
.text F:\Program Files\PeerGuardian2\pg2.exe[2728] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 00E2E854 E:\A8GSds\msvb.dll
.text F:\Program Files\PeerGuardian2\pg2.exe[2728] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 00E2E82C E:\A8GSds\msvb.dll
.text E:\PROGRA~1\Yahoo!\browser\ycommon.exe[2760] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 0120E854 E:\A8GSds\msvb.dll
.text E:\PROGRA~1\Yahoo!\browser\ycommon.exe[2760] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 0120E82C E:\A8GSds\msvb.dll
.text E:\Program Files\Messenger\msmsgs.exe[2992] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 00D7E854 E:\A8GSds\msvb.dll
.text E:\Program Files\Messenger\msmsgs.exe[2992] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 00D7E82C E:\A8GSds\msvb.dll
.text F:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe[3176] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 0122E854 E:\A8GSds\msvb.dll
.text F:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe[3176] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 0122E82C E:\A8GSds\msvb.dll
.text F:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe[3628] ntdll.dll!NtQuerySystemInformation 7C90E1AA 6 Bytes JMP 0096E854 E:\A8GSds\msvb.dll
.text F:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe[3628] USER32.dll!EnumWindows 7E41CD97 6 Bytes JMP 0096E82C E:\A8GSds\msvb.dll
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F53593E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F5359900] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F5359A60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F5359550] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F53593E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F5359A60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F5359900] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F5359550] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F5359A60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F5359900] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F53593E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F5359550] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F53593E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F5359900] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F5359A60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F5359A60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F5359900] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F5359550] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F53593E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
---- Devices - GMER 1.0.14 ----
AttachedDevice \FileSystem\Ntfs \Ntfs PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.14 ----
Process E:\A8GSds\AGSeiApp.exe (*** hidden *** ) 2280
---- Registry - GMER 1.0.14 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{248FCFB3-5914-AF2C-CCBA-9BB5E3C749D5}\InProcServer32@ %SystemRoot%\System32\dsquery.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{248FCFB3-5914-AF2C-CCBA-9BB5E3C749D5}\InProcServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{3B6C15BE-F9FD-7E15-F865-ABA8E2A09915}\InProcServer32@ E:\WINDOWS\System32\msaatext.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{3B6C15BE-F9FD-7E15-F865-ABA8E2A09915}\InProcServer32@ThreadingModel Both
---- EOF - GMER 1.0.14 ----
This time I see the real virus
I removed Win32.Bagle from all directories except one.
I can't remove or explore the directory E:\System Volume Information\
By the way; I know what GoldnEye is and I installed it myself.
Kapserski log on Rapid Share
http://rapidshare.com/files/98093423/KasperskiFullScan.html
I think that I removed all infected files reported by Kasperski and I hope that computer is clean now.
Can smoebody advice me if its clean?
New combofix log below and Kasperski will follow.
Thanks in advance
Jacek
ComboFix 08-03-07.4 - jacek 2008-03-08 16:55:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.422 [GMT -8:00]
Running from: E:\Documents and Settings\jacek\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\WINDOWS\system32\drivers\down
.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.
2008-03-08 14:20 . 2008-03-08 16:06 250 --a------ E:\WINDOWS\gmer.ini
2008-03-08 00:38 . 2008-03-08 00:38 <DIR> d-------- E:\WINDOWS\system32\Kaspersky Lab
2008-03-08 00:38 . 2008-03-08 00:38 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-07 09:49 . 2008-03-07 09:49 <DIR> d-------- E:\Deckard
2008-02-23 15:01 . 2008-02-23 15:07 519 --a------ E:\WINDOWS\system32\tversity.cookies
2008-02-20 21:48 . 2008-02-20 21:48 <DIR> d-------- E:\Documents and Settings\internet\Application Data\Media Player Classic
2008-02-18 20:21 . 2008-02-18 20:21 <DIR> d-------- E:\Program Files\BillP Studios
2008-02-18 20:21 . 2008-02-18 20:21 <DIR> d-------- E:\Documents and Settings\jacek\Application Data\WinPatrol
2008-02-18 19:03 . 2008-02-18 19:03 <DIR> d-------- E:\Program Files\Spybot - Search & Destroy
2008-02-18 15:02 . 2008-02-18 15:02 <DIR> d-------- E:\Program Files\Zone Labs
2008-02-17 16:09 . 2008-02-17 22:42 <DIR> d-------- E:\WINDOWS\system32\NtmsData
2008-02-16 17:32 . 2008-02-16 17:32 <DIR> d-------- E:\Documents and Settings\jacek\Application Data\Seven Zip
2008-02-16 15:27 . 2008-02-16 15:42 <DIR> d-------- E:\SDM_ALLzSansy
2008-02-16 12:47 . 2008-02-16 12:47 <DIR> d-------- E:\SDM
2008-02-10 16:26 . 2008-02-10 16:26 <DIR> d-------- E:\Program Files\TVersity
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 22:34 --------- d-----w E:\Program Files\Common Files\Symantec Shared
2008-03-08 02:00 --------- d-----w E:\Program Files\Norton Security Scan
2008-03-06 07:51 3,042,816 ----a-w E:\WINDOWS\Internet Logs\xDB1.tmp
2008-03-06 07:51 1,285,120 ----a-w E:\WINDOWS\Internet Logs\xDB2.tmp
2008-03-06 05:08 --------- d-----w E:\Documents and Settings\internet\Application Data\OpenOffice.org2
2008-03-05 17:10 1,794,820 ----a-w E:\WINDOWS\Internet Logs\tvDebug.zip
2008-02-24 01:59 --------- d-----w E:\Documents and Settings\jacek\Application Data\OpenOffice.org2
2008-02-19 19:21 --------- d-----w E:\Documents and Settings\internet\Application Data\Yahoo!
2008-02-19 04:12 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-19 02:29 --------- d-----w E:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-19 01:22 --------- d-----w E:\Documents and Settings\All Users\Application Data\Symantec
2008-02-19 01:18 --------- d-----w E:\Program Files\Symantec
2008-02-19 00:19 18,103,532 ----a-w E:\WINDOWS\Internet Logs\vsmon_on_demand_2008_02_18_16_17_23_full.dmp.zip
2008-02-19 00:00 --------- d-----w E:\Documents and Settings\jacek\Application Data\Yahoo!
2008-02-18 23:35 --------- d-----w E:\Program Files\Yahoo!
2008-02-08 05:44 --------- d-----w E:\Program Files\Omron Healthcare
2008-02-03 02:00 --------- d-----w E:\Documents and Settings\internet\Application Data\DivX
2008-01-21 00:47 --------- d-----w E:\Program Files\Apple Software Update
2008-01-21 00:47 --------- d-----w E:\Documents and Settings\All Users\Application Data\Apple
2008-01-20 03:42 --------- d-----w E:\Documents and Settings\jacek\Application Data\Media Player Classic
2008-01-20 03:36 --------- d-----w E:\Program Files\K-Lite Codec Pack
2007-12-24 21:49 7,680 ----a-w E:\WINDOWS\system32\ff_vfw.dll
2007-11-18 00:23 32 ----a-w E:\Documents and Settings\All Users\Application Data\ezsid.dat
2005-09-27 03:15 6,632 ----a-w E:\Documents and Settings\All Users\Application Data\ypinfo.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NFS Shell Icon Overlay Identifier]
@={04EA2470-913A-11D2-8CB8-0000F8083420}
[HKEY_CLASSES_ROOT\CLSID\{04EA2470-913A-11D2-8CB8-0000F8083420}]
2003-11-08 13:42 61136 -ra------ E:\WINDOWS\system32\nfssprop.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="E:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
"PhotoShow Deluxe Media Manager"="F:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe" [2005-02-25 16:28 212992]
"MsnMsgr"="E:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"H/PC Connection Agent"="F:\program files\ActiveSync\WCESCOMM.EXE" [2000-08-09 21:41 450646]
"Yahoo! Pager"="E:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [ ]
"SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"PeerGuardian"="F:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Media Connect 2"="E:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 21:58 8704]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"SSBkgdUpdate"="E:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14 155648]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 00:22 577536 E:\WINDOWS\SOUNDMAN.EXE]
"S3Trayp"="S3trayp.exe" [2005-10-31 12:15 163840 E:\WINDOWS\system32\S3Trayp.exe]
"OpwareSE4"="F:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 13:19 69632]
"NeroFilterCheck"="E:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"LVCOMSX"="E:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 10:52 221184]
"CanonMyPrinter"="E:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 17:30 1191936]
"AudioDeck"="E:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe" [2006-11-02 15:57 528384]
"Zone Labs Client"="E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-23 23:38 968696]
"YOP"="E:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"YBrowser"="E:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 13:02 57344]
"VTTimer"="VTTimer.exe" [2005-03-07 03:33 53248 E:\WINDOWS\system32\VTTimer.exe]
"A8GSdsApp"="E:\A8GSds\AGSeiApp.exe" [2007-05-05 00:15 970752]
"WinPatrol"="E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 21:38 316728]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 23:56 53760 E:\WINDOWS\system32\narrator.exe]
E:\Documents and Settings\internet\Start Menu\Programs\Startup\
eMule.lnk - F:\Program Files\e.47c\emule.exe [2006-11-14 19:52:10 5308416]
[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=E:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 F:\Program Files\Adobe\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DynDNS Updater]
F:\Program Files\DynDNS Updater\DynDNS.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
--a------ 2004-11-10 11:03 1126400 F:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
E:\PROGRA~1\Symantec\osCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
E:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"YPCService"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 PQV2i;PQV2i;E:\WINDOWS\system32\drivers\PQV2i.sys [2004-11-10 09:30]
R0 videX32;videX32;E:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-22 19:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;E:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-22 19:39]
R1 PQIMount;PQIMount;E:\WINDOWS\system32\drivers\PQIMount.sys [2004-11-10 09:49]
R2 Client for NFS;Client for NFS;E:\WINDOWS\system32\nfsclnt.exe [2003-11-08 13:42]
R2 Mapsvc;User Name Mapping;E:\SFU\Mapper\mapsvc.exe [2003-11-08 13:42]
R2 NfsSvc;Server for NFS;E:\WINDOWS\system32\nfssvc.exe [2003-11-08 13:42]
R2 Pcnfsd;Server for PCNFS;E:\WINDOWS\system32\pcnfsd.exe [2003-11-08 13:42]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;E:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-02-27 15:14]
R3 KePcnfsd;KePcnfsd;E:\WINDOWS\system32\drivers\kepcnfsd.sys [2003-11-08 13:42]
R3 NfsRdr;NfsRdr;E:\WINDOWS\system32\drivers\nfsrdr.sys [2003-11-08 13:42]
R3 NfsSvr;NfsSvr;E:\WINDOWS\system32\drivers\nfssvr.sys [2003-11-08 13:42]
R3 Portmap;Portmap;E:\WINDOWS\system32\drivers\portmap.sys [2003-11-08 13:42]
R3 RpcXdr;RpcXdr;E:\WINDOWS\system32\drivers\rpcxdr.sys [2003-11-08 13:42]
R3 S3GIGP;S3GIGP;E:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-02-07 15:40]
.
Contents of the 'Scheduled Tasks' folder
"2008-03-08 22:59:19 E:\WINDOWS\Tasks\Norton Security Scan.job"
- E:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 16:57:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-08 16:58:42
.
2008-02-14 06:45:57 --- E O F ---
http://rapidshare.com/files/98120438/KasperskiFinal.html
Looks like I managed to clean it using the tools advertised here.
Can somebody confirm that my computer is clean now?
Thanks
Jacek
Hello.
Because of the volume of posts to your own topic, it may have appeared you were already being assisted.
Copy and paste that information into your next post if the AV content will fit into one post only.
If the results of the anti virus scan itself will take more than one post to contain, it is best not to post it. Just make a note for our volunteers so they are aware, as it would be best to start off with no more than two posts (total) in your topic before a helper responds. "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
NOTE:We do NOT ask Users to run fixes before helpers have analyzed HJT/KAV scans (http://forums.spybot.info/showthread.php?t=16806)
If you still require help, please start a new topic and include a fresh HijackThis log with a link to this thread in your new topic.
Best regards.