Vundo variant hijacks winlogon...
paulaerison
2008-06-16, 23:54
Vundo variant hijacks winlogon, blocks and disables automatic updates, rootkit dropper with multiple outbound TCP/IP connections.... sbsd can not remove this.... Symantec FixVundo can't remove this, McAfee can't remove this, safe mode can't remove this... it's attached to winlogon under notify... teatimer doesn't even scan this reg tree so I can't load teatimer in safe mode and walk through and kill the registry entries that WON'T DIE...
dll can't be renamed...
HijackThis can't be downloaded because a very official looking window says "windows has identified this program as potentially harmful and blocked access to it" poof, it's gone.... same with anything I try to download, INCLUDING windows malicious software removal tool... any windows update.... it's all blocked...
ARRRRRGGGHHHH x10
now what? is there a way to set the registry to BYPASS winlogon and just load command.com or cmd.exe so I can delete the file then reboot into safe mode command prompt and re-run sbsd?
note: sbsd identifies the file every time, even though it keeps changing its name and CLSID...
"tasklist /m *" shows me the dll(s)... they always have goofy names and are attached to iexplore, explorer, and winlogon... all three will have the same one attached, and iexplore will have 1-3 more... the names are random in appearance.... I've tried adding the CLSID into the BLOCKED section, but apparently when it exits, it takes steps to protect itself with registry monitoring and morphing the dll name and CLSID...
any suggestions? (I'm sending this from a different, read: non-infected, computer)
paulaerison
2008-06-17, 00:16
Any ideas short of format C:?
Hi
Let's see if you can download and run this
Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.
paulaerison
2008-06-17, 15:39
I get a popup that claims to be windows protection and has blocked the file as being potentially harmful...
15 years, I've never been hacked, or gotten a virus I couldn't get rid of... FIFTEEN YEARS... and then I opened what appeared to be a PDF attachment from my wife... BAM...
this thing is hooked into winlogon notify... it loads before EVERYTHING I can do, even in safe mode command prompt only... when I delete the registry entry, it poofs back... I thought I'd be clever and reset the registry permissions on that key so it couldn't access it and re-write itself into the registry... F5 reveals even MORE promiscuous permissions {EVERYONE:FULL ACCESS/SYSTEM:FULL ACCESS}... even WORSE than the default...
I am at a loss for a solution save FORMAT C:... I would really rather not if it can be helped.... I have 7 years' worth of data on that system and nothing big enough to back it up (dual 280 GB HDDs)...
it's corrupting access to the FDD, so I can't even create a boot floppy... in safe mode, USB drives don't work... I can't even load it on another system...
this thing is tenacious... sbsd and McAfee both detect it, and "claim" to have removed it and require a reboot to complete because a file was in use...
reboot -> safe mode command prompt only -> tasklist /m* >tasklist.txt | grep winlogon -> reveals the presence of a gobbledygook-named dll in sys32 attached to winlogon... again... GRRR....
paulaerison
2008-06-17, 15:42
I wonder if I can boot into safe mode network and use file sharing to remotely place the file on the system and then quickly execute it from a command prompt (killing explorer first and using taskman to start cmd)... I'm going to try that and let you know.
paulaerison
2008-06-17, 15:53
Nope, it's hooked in there too... as soon as I tried to run it, I got the popup.
paulaerison
2008-06-17, 16:03
With a bit of judicious scripting, I was able to detach the DLL from winlogon and re-write the winlogon notify section of the registry to eliminate it on startup... sbsd and McAfee were both able to complete without popups (McAfee I had scan only sys32 & restore to remove the immediate threat, a more thorough scan to follow) wish me luck on a networked reboot... not sure if iexplore will pull in one of its buddies when I try and download this, but we'll see if I can avoid a reboot, it won't be able to hook back into winlogon, and it will be a child proc of explorer so I can taskkill /f/t/s and it should kill that and everything associated as a child of explorer (including any mal dlls/BHOs)... wish me luck..
paulaerison
2008-06-17, 16:54
ok, even in safe mode, the "windows security warning" still popped up, I even went so far as to load the internet control panel and turn off ALL BHOs and set security to max... YARG!!!
Soon as I clicked OK, dss.exe went poof... even tried running it directly... is there an FTP link that I can use to download from the command prompt without explorer loaded?
paulaerison
2008-06-17, 17:05
killed explorer /t/f and iexplore /t/f... then loaded taskman and re-loaded iexplore... added safer and that tool place to trusted zones... got the popup again, BUT, this time I was able to taskkill /t/f /im iexplore* and it never got the chance to delete the file... WOOT!... now posting main and extra....
paulaerison
2008-06-17, 17:12
Deckard's System Scanner v20071014.68
Run by ntadmin on 2008-06-17 08:49:30
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Failed to create restore point; computer is in safe mode.
-- Last 5 Restore Point(s) --
18: 2008-06-16 14:44:11 UTC - RP421 - Spybot-S&D Spyware removal
17: 2008-06-15 16:41:20 UTC - RP420 - Spybot-S&D Spyware removal
16: 2008-06-15 16:38:36 UTC - RP419 - Spybot-S&D Spyware removal
15: 2008-06-15 15:00:11 UTC - RP418 - Software Distribution Service 3.0
14: 2008-06-15 14:59:07 UTC - RP417 - Software Distribution Service 3.0
-- First Restore Point --
1: 2008-05-21 21:47:46 UTC - RP404 - Unsigned driver install
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 384 MiB (512 MiB recommended).
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-17 08:52:00
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\cmd.exe
C:\dss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&ar=runonce&pver={SUB_PVER}&plcid={SUB_CLSID}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E7C50E6-0BBF-4FB9-BB5F-1162FD8924EF} - (no file)
O2 - BHO: (no name) - {1CE2611D-C642-4C15-A505-F6F20FE0F802} - (no file)
O2 - BHO: (no name) - {23577E89-4F44-40FC-9338-4F6FCCD497EB} - (no file)
O2 - BHO: (no name) - {3A41BFF5-8A08-48F3-A2B3-C155360027C0} - (no file)
O2 - BHO: (no name) - {427F6191-E327-4E0D-9F48-D7014D06B696} - (no file)
O2 - BHO: (no name) - {43F550EA-7462-412A-A27D-9644898A48E6} - (no file)
O2 - BHO: (no name) - {4543E828-4EAC-4273-9CBF-71006A8997F2} - (no file)
O2 - BHO: (no name) - {46DD5C71-08CC-4721-BC9F-710B5F0E5E3B} - C:\Windows\system32\geBrOefc.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5EDEE2A6-9EAF-48FB-8782-1F8BA93DB5FF} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - Z:\Sun\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {779F5D7B-85D4-404B-B130-FB2D0EC5CACF} - (no file)
O2 - BHO: (no name) - {7BE0B2EC-8C2E-467A-A500-7594227B18B4} - (no file)
O2 - BHO: (no name) - {7F260734-72A5-46E1-A144-99C714CB0786} - (no file)
O2 - BHO: (no name) - {8649F0BB-AFF8-44B8-9D96-92ED8AF3C6A8} - (no file)
O2 - BHO: (no name) - {96307A53-4723-4931-8625-A5D6A7A82E0D} - (no file)
O2 - BHO: (no name) - {96BBBFB6-9468-4D6F-B204-28290799E441} - (no file)
O2 - BHO: (no name) - {99959CA7-FA15-4A05-9DA7-F5C7A1A3A7BC} - (no file)
O2 - BHO: (no name) - {9E9E6136-D768-41AD-B6A2-BA246664C8E7} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - Z:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BB828984-0EAA-4878-9EBE-EE61215B4257} - (no file)
O2 - BHO: (no name) - {BC53E890-2693-4906-B6BD-BC2E293079F0} - C:\Windows\system32\tuvTmNHX.dllx (file missing)
O2 - BHO: (no name) - {C1BBCD8C-AF71-4A01-87C5-FAC34E6116A9} - (no file)
O2 - BHO: (no name) - {E2D90E0D-04E2-4CCB-994E-5793A874E07F} - (no file)
O2 - BHO: (no name) - {E6163054-8277-4797-8800-054F53AC3A9B} - (no file)
O2 - BHO: (no name) - {EF6D1649-E2AD-4293-AA11-9224B0FD46BE} - (no file)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-E22ABC2EED3F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Z:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: atfxqogp - {0FAAC4A8-2E74-4D58-9AC0-95201C69185A} - C:\Windows\atfxqogp.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Jet Detection] "c:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose /waitstart /waitmore
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\Windows\system32\mstask.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA8461] command /c del "C:\WINDOWS\system32\rqRlKCrS.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3304] cmd /c del "C:\WINDOWS\system32\rqRlKCrS.dll_old"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled = Z:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoStart IR.lnk.disabled = Z:\Program Files\WinTV\Ir.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk.disabled = ?
O4 - Global Startup: Microsoft Office.lnk.disabled = Z:\Program Files\Office2KPrem\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk.disabled = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Z:\Sun\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Z:\Sun\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://forums.spybot.info (HKCU)
O15 - Trusted Zone: http://www.techsupportforum.com (HKCU)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
O16 - DPF: {2703049B-D81D-4763-A3C6-AF8932FCBD8F} (CheckFileStatus.UserControl1) - https://am.hrblock.com/ActivexComponent/CheckFileStatus.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} () - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099059536327
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169069644734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{47ECF58E-EE56-4535-A375-5BCBADE6F9B1}: NameServer = 192.168.64.1
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: tuvTmNHX - C:\Windows\system32\tuvTmNHX.dll (file missing)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: vregfwlx - {80ADA70D-39D6-4F1B-BC24-2C207A1C87F1} - C:\Windows\vregfwlx.dll (file missing)
O21 - SSODL: vltdfabw - {5B0770DF-9A00-4C14-B1B1-9AC5F2CBDD3F} - C:\Windows\vltdfabw.dll (file missing)
O23 - Service: SunJavaSystemAppserver9PE (AppServer9PE) - Unknown owner - Z:\Sun\SDK\lib\appservService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 12181 bytes
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 Imagedrv - c:\windows\system32\drivers\imagedrv.sys <Not Verified; Ahead Software AG and its licensors; NERO IMAGEDRIVE>
R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>
S1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys
S2 SVKP - c:\windows\system32\svkp.sys <Not Verified; AntiCracking; SVKP driver for NT>
S3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 HCWBT8XX (Hauppauge WinTV 848/9 WDM Video Driver) - c:\windows\system32\drivers\hcwbt8xx.sys <Not Verified; Hauppauge Computer Works; WinTV WDM Driver>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 vsdatant - c:\windows\system32\vsdatant.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
S2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
S2 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>
S3 AppServer9PE (SunJavaSystemAppserver9PE) - z:\sun\sdk\lib\appservservice.exe "\"z:\sun\sdk\bin\asadmin.bat\" start-domain --user admin domain1" "\"z:\sun\sdk\bin\asadmin.bat\" stop-domain domain1\"
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
2008-06-16 13:40:47 426 --ah---c- C:\Windows\Tasks\User_Feed_Synchronization-{5678D393-1137-432C-86AC-EBF0BB7EA42C}.job
2008-05-30 08:55:34 332 --a----c- C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
-- Files created between 2008-05-17 and 2008-06-17 -----------------------------
2008-06-17 08:45:11 686630 --a----c- C:\dss.exe
2008-06-17 08:06:10 45 --a----c- C:\Documents and Settings\ntadmin\tl.cmd
2008-06-16 22:38:37 51240 --a----c- C:\OnDemandScanLog_06162008_2237 <ONDEMA~1>
2008-06-16 19:52:00 100 --a----c- C:\ntpass.cmd
2008-06-16 11:02:19 0 d------c- C:\Documents and Settings\ntadmin\Application Data\Identities
2008-06-16 11:02:18 0 d--h---c- C:\Documents and Settings\ntadmin\Templates
2008-06-16 11:02:18 0 dr-----c- C:\Documents and Settings\ntadmin\Start Menu
2008-06-16 11:02:18 0 dr-h---c- C:\Documents and Settings\ntadmin\SendTo
2008-06-16 11:02:18 0 dr-h---c- C:\Documents and Settings\ntadmin\Recent
2008-06-16 11:02:18 0 d--h---c- C:\Documents and Settings\ntadmin\PrintHood
2008-06-16 11:02:18 2359296 --ah----- C:\Documents and Settings\ntadmin\NTUSER.DAT
2008-06-16 11:02:18 0 d--h---c- C:\Documents and Settings\ntadmin\NetHood
2008-06-16 11:02:18 0 dr-----c- C:\Documents and Settings\ntadmin\My Documents
2008-06-16 11:02:18 0 d--h---c- C:\Documents and Settings\ntadmin\Local Settings
2008-06-16 11:02:18 0 dr-----c- C:\Documents and Settings\ntadmin\Favorites
2008-06-16 11:02:18 0 d------c- C:\Documents and Settings\ntadmin\Desktop
2008-06-16 11:02:18 0 d--hs--c- C:\Documents and Settings\ntadmin\Cookies
2008-06-16 11:02:18 0 dr-h---c- C:\Documents and Settings\ntadmin\Application Data
2008-06-15 13:41:26 665 --ahs--c- C:\Windows\system32\SrCKlRqr.ini2
2008-06-15 12:35:55 0 d------c- C:\Documents and Settings\aaerison\Application Data\Macromedia
2008-06-15 12:30:35 93056 --a----c- C:\Windows\system32\hyolsohw.dll
2008-06-15 12:29:26 238802 --ahs--c- C:\Windows\system32\dKnTCcdd.ini2
2008-06-15 12:21:10 0 dr-h---c- C:\Documents and Settings\aaerison\SendTo
2008-06-15 12:21:10 0 dr-h---c- C:\Documents and Settings\aaerison\Recent
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\PrintHood
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\NetHood
2008-06-15 12:21:10 0 dr-----c- C:\Documents and Settings\aaerison\My Documents
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\Local Settings
2008-06-15 12:21:10 0 dr-----c- C:\Documents and Settings\aaerison\Favorites
2008-06-15 12:21:10 0 d------c- C:\Documents and Settings\aaerison\Desktop
2008-06-15 12:21:10 0 d--hs--c- C:\Documents and Settings\aaerison\Cookies
2008-06-15 12:21:10 0 dr-h---c- C:\Documents and Settings\aaerison\Application Data
2008-06-15 12:21:10 0 d---s--c- C:\Documents and Settings\aaerison\Application Data\Microsoft
2008-06-15 12:21:10 0 d------c- C:\Documents and Settings\aaerison\Application Data\Identities
2008-06-15 12:21:09 0 d--h---c- C:\Documents and Settings\aaerison\Templates
2008-06-15 12:21:09 0 dr-----c- C:\Documents and Settings\aaerison\Start Menu
2008-06-15 12:21:09 2097152 --ah----- C:\Documents and Settings\aaerison\NTUSER.DAT
2008-06-14 21:53:17 92544 --a----c- C:\Windows\system32\bujlgvtl.dll
2008-06-13 21:51:07 92544 --a----c- C:\Windows\system32\qrepuvxt.dll
2008-06-13 08:58:55 0 d------c- C:\Windows\Prefetch
2008-06-13 08:08:37 0 d------c- C:\Windows\system32\scripting
2008-06-13 08:08:29 0 d------c- C:\Windows\l2schemas
2008-06-13 08:08:26 0 d------c- C:\Windows\system32\en
2008-06-13 07:46:02 99 --a----c- C:\Documents and Settings\pauld99\rdc.cmd
2008-06-12 21:52:31 93 --a----c- C:\Documents and Settings\pauld99\rundlldead.cmd
2008-06-12 21:47:28 238196 --ahs--c- C:\Windows\system32\cfeOrBeg.ini2
2008-05-30 10:16:38 1542 --ahs--c- C:\Windows\system32\FgQBdMoq.ini2
2008-05-30 09:25:29 0 d------c- C:\Documents and Settings\LocalService\Desktop
2008-05-29 22:02:36 573878 --ahs--c- C:\Windows\system32\npWGNqss.ini2
2008-05-29 14:18:27 577005 --ahs--c- C:\Windows\system32\CdMTuBeg.ini2
2008-05-29 12:51:18 111 --a----c- C:\Documents and Settings\pauld99\regtask.cmd
2008-05-29 12:26:12 691545 --a----c- C:\Windows\unins000.exe
2008-05-29 12:26:12 2542 --a----c- C:\Windows\unins000.dat
2008-05-29 11:35:31 1387 --ahs--c- C:\Windows\system32\bLkkmnnn.ini2
2008-05-29 11:29:47 94208 --a----c- C:\Windows\xmpstean.exe
2008-05-29 11:29:47 163840 --a----c- C:\Windows\egtf.exe
2008-05-29 11:29:47 249856 --a----c- C:\Windows\boqnrwdmmpa.dll
2008-05-22 20:53:33 0 d------c- C:\Program Files\Qimage
2008-05-22 19:32:21 0 d------c- C:\Documents and Settings\pauld99\Application Data\Preclick Photo Organizer
2008-05-22 19:32:07 0 d------c- C:\Program Files\Preclick
-- Find3M Report ---------------------------------------------------------------
2008-06-15 20:45:50 0 d------c- C:\Program Files\Radmin
2008-06-13 08:09:43 0 d------c- C:\Program Files\Messenger
2008-06-13 08:08:23 0 d------c- C:\Program Files\Movie Maker
2008-06-13 08:01:48 0 d------c- C:\Program Files\Windows NT
2008-05-02 10:31:30 0 d------c- C:\Program Files\WatchGuard
2008-04-23 08:01:36 0 d------c- C:\Program Files\DNA
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E7C50E6-0BBF-4FB9-BB5F-1162FD8924EF}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CE2611D-C642-4C15-A505-F6F20FE0F802}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23577E89-4F44-40FC-9338-4F6FCCD497EB}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A41BFF5-8A08-48F3-A2B3-C155360027C0}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{427F6191-E327-4E0D-9F48-D7014D06B696}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43F550EA-7462-412A-A27D-9644898A48E6}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4543E828-4EAC-4273-9CBF-71006A8997F2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46DD5C71-08CC-4721-BC9F-710B5F0E5E3B}]
C:\Windows\system32\geBrOefc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EDEE2A6-9EAF-48FB-8782-1F8BA93DB5FF}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{779F5D7B-85D4-404B-B130-FB2D0EC5CACF}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BE0B2EC-8C2E-467A-A500-7594227B18B4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F260734-72A5-46E1-A144-99C714CB0786}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8649F0BB-AFF8-44B8-9D96-92ED8AF3C6A8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96307A53-4723-4931-8625-A5D6A7A82E0D}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96BBBFB6-9468-4D6F-B204-28290799E441}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99959CA7-FA15-4A05-9DA7-F5C7A1A3A7BC}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E9E6136-D768-41AD-B6A2-BA246664C8E7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB828984-0EAA-4878-9EBE-EE61215B4257}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC53E890-2693-4906-B6BD-BC2E293079F0}]
C:\Windows\system32\tuvTmNHX.dllx
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1BBCD8C-AF71-4A01-87C5-FAC34E6116A9}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2D90E0D-04E2-4CCB-994E-5793A874E07F}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6163054-8277-4797-8800-054F53AC3A9B}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF6D1649-E2AD-4293-AA11-9224B0FD46BE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [08/18/2004 08:00 AM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [08/06/2004 03:50 AM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [10/07/2003 09:48 AM]
"nwiz"="nwiz.exe" [08/11/2006 10:43 PM C:\WINDOWS\system32\nwiz.exe]
"Jet Detection"="c:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [11/29/2001 02:00 AM]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [06/02/2003 01:25 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [06/03/2007 03:51 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 01:01 PM]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [01/28/2008 11:43 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [08/11/2006 10:43 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [08/11/2006 10:43 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 10:05 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA8461"=command /c del "C:\WINDOWS\system32\rqRlKCrS.dll_old"
"SpybotDeletingC3304"=cmd /c del "C:\WINDOWS\system32\rqRlKCrS.dll_old"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\Windows\system32\mstask.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk.disabled [2/2/2007 12:53:10 PM]
Adobe Gamma Loader.exe.lnk.disabled [10/10/2006 1:12:01 AM]
AutoStart IR.lnk.disabled [11/29/2006 4:15:20 PM]
HOTSYNCSHORTCUTNAME.lnk.disabled [8/21/2007 9:21:26 PM]
Microsoft Office.lnk.disabled [2/22/2007 4:35:19 PM]
WinZip Quick Pick.lnk.disabled [1/19/2007 1:30:26 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"=0 (0x0)
"NoWebServices"=0 (0x0)
"NoOnlinePrintsWizard"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BC53E890-2693-4906-B6BD-BC2E293079F0}"= C:\Windows\system32\tuvTmNHX.dllx [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vregfwlx"= {80ADA70D-39D6-4F1B-BC24-2C207A1C87F1} - C:\Windows\vregfwlx.dll [ ]
"vltdfabw"= {5B0770DF-9A00-4C14-B1B1-9AC5F2CBDD3F} - C:\Windows\vltdfabw.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\Windows\System32\dimsntfy.dll
:police: this is the one right here that I could not unload :police:
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvTmNHX]
tuvTmNHX.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\rqRlKCrS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"eMuleAutoStart"=Z:\Program Files\eMule\emule.exe -AutoStart
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Nero DriveSpeed"=C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
"NeroCheck"=C:\Windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc
-- Hosts -----------------------------------------------------------------------
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com
8751 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2008-06-17 08:56:28 ------------
paulaerison
2008-06-17, 17:17
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English
CPU 0: Intel(R) Celeron(TM) CPU 1300MHz
Percentage of Memory in Use: 44%
Physical Memory (total/avail): 383.36 MiB / 211.15 MiB
Pagefile Memory (total/avail): 4442.01 MiB / 4350.79 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.23 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 33.09 GiB total, 14.26 GiB free.
D: is Fixed (FAT32) - 4.19 GiB total, 0.72 GiB free.
E: is CDROM (No Media)
H: is CDROM (No Media)
Z: is Fixed (NTFS) - 233.76 GiB total, 29.45 GiB free.
\\.\PHYSICALDRIVE0 - MAXTOR 4K040H2 - 37.28 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 33.09 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 4.2 GiB - D:
\\.\PHYSICALDRIVE1 - PLATINUM 250G 2B5400 - 233.76 GiB - 1 partition
\PARTITION0 - Installable File System - 233.76 GiB - Z:
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ntadmin\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WACKO
ComSpec=C:\Windows\system32\cmd.exe
dircmd=/a/o
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ntadmin
LOGONSERVER=\\WACKO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;c:\progra~1\posix;c:\ntreskit;C:\Program Files\Microsoft SQL Server\90\Tools\binn\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 11 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\DOCUME~1\ntadmin\LOCALS~1\Temp
TMP=C:\DOCUME~1\ntadmin\LOCALS~1\Temp
USERDOMAIN=WACKO
USERNAME=ntadmin
USERPROFILE=C:\Documents and Settings\ntadmin
windir=C:\Windows
-- User Profiles ---------------------------------------------------------------
ntadmin (admin)
aaerison (new local, admin)
pauld99 (admin)
eBay Seller Account (admin)
eMule_Secure
ntadmin (admin)
Guest (guest)
-- Add/Remove Programs ---------------------------------------------------------
--> "c:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
--> z:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Adobe Acrobat 6.0 Standard --> MsiExec.exe /I{AC76BA86-1033-0000-BA7E-000000000001}
Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop 6.0 --> C:\WINDOWS\ISUNINST.EXE -f"z:\Program Files\Adobe\Photoshop 6.0\Uninst.isu" -c"z:\Program Files\Adobe\Photoshop 6.0\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
Ahead Nero Burning ROM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Archos MPG4 Translator V3.0.12 --> C:\Program Files\Archos MP4SP\Uninstal.exe
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Bejeweled 2 Deluxe 1.0 --> C:\Program Files\Sony Pictures Games\Bejeweled 2 Deluxe\PopUninstall.exe "C:\Program Files\Sony Pictures Games\Bejeweled 2 Deluxe\Install.log"
BroadGun pdfMachine --> C:\Windows\System32\spool\DRIVERS\W32X86\bgssetup.exe -uninstall -printer="BroadGun pdfMachine" -port="PDFPORT1:"
Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07 --> "z:\Program Files\Cucusoft\avi-dvd-pro\unins000.exe"
Dell AIO Printer A920 --> C:\Windows\system32\spool\drivers\w32x86\3\DLBKUN5C.EXE -dDell AIO Printer A920
DivX Codec --> z:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> z:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> z:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> z:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> z:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
eMule --> "z:\Program Files\eMule\Uninstall.exe"
EQ Pixie --> z:\Program Files\EQ Pixie\EQPixie.exe -u
EverQuest Evolution --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48BE198F-7997-4624-858E-C579A8C96A01}\setup.exe" -l0x9
Firmware Downloader --> MsiExec.exe /I{9BE1DD8C-28F3-4DB5-8FA6-6E8B6DB4433E}
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Hauppauge WinTV Infrared Remote --> Z:\PROGRA~1\WinTV\UNir32.EXE Z:\PROGRA~1\WinTV\ir32.LOG
Hauppauge WinTV Radio --> Z:\PROGRA~1\WinTV\UNrad32.EXE Z:\PROGRA~1\WinTV\RADIO32.LOG
Hauppauge WinTV Scheduler --> Z:\PROGRA~1\WinTV\SCHEDU~1\UniSched.EXE Z:\PROGRA~1\WinTV\SCHEDU~1\INSTALL.LOG
Hauppauge WinTV2000 --> Z:\PROGRA~1\WinTV\UNTV32.EXE Z:\PROGRA~1\WinTV\WINTV2K.LOG
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
Intel A/V Codecs V2.0 --> C:\Windows\IsUninst.exe -fC:\Windows\system32\CDUninst.isu
Intel(R) PRO Network Connections Drivers --> Prounstl.exe
ISO Recorder --> MsiExec.exe /I{0F6A7971-0F11-4A79-A0E9-133D0963A570}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Java Application Platform SDK --> "z:\Sun\SDK\uninstall.exe" -javahome "z:\Sun\SDK\jdk"
Java(TM) SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Junk E-mail Reporting Tool --> MsiExec.exe /I{B72B06E0-0C54-495F-896F-E3ED2905624D}
Legends of Norrath --> "C:\Program Files\InstallShield Installation Information\{D7A89413-FB45-4ECE-A893-32DC87F45554}\setup.exe" -runfromtemp -l0x0009 -removeonly
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Accounting 2007 --> "Z:\Program Files\Microsoft\Small Business\Small Business Accounting 2007\SetupBootstrap\Setup.exe" /remove {B0717D5A-1976-482B-9ADF-F19631A541A4}
Microsoft Office Accounting 2007 --> MsiExec.exe /X{B0717D5A-1976-482B-9ADF-F19631A541A4}
Microsoft Office Accounting ADP Payroll Addin --> MsiExec.exe /I{5FA793A6-0071-42C1-9355-8F69A428C44F}
Microsoft Office Accounting Equifax Addin --> MsiExec.exe /X{8C711818-076E-475C-B95B-DF11CD9D8DBE}
Microsoft Office Accounting Fixed Asset Manager --> MsiExec.exe /X{46614A49-222A-48EF-87A9-BFD603E608E1}
Microsoft Office Accounting PayPal Addin --> MsiExec.exe /X{353D20CC-719B-4A60-AD33-D03F88C10330}
Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Outlook Connector --> MsiExec.exe /I{95120000-011B-0409-0000-0000000FF1CE}
Microsoft Office Small Business Connectivity Components --> MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
Microsoft Office XP Professional --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 --> "C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Microtek ScanWizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17A7779A-D23F-11D3-8753-0050BABE1202}\setup.exe"
MPEG Converter --> Z:\PROGRA~1\MPEGCO~1\UNWISE.EXE Z:\PROGRA~1\MPEGCO~1\INSTALL.LOG
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
nanoDVR for WinTV 1.2 --> "z:\Program Files\nanocosmos\MPEG-Tools for Hauppauge\unins000.exe"
NVIDIA Drivers --> C:\Windows\system32\nvudisp.exe UninstallGUI
Office Live Image Uploader --> MsiExec.exe /I{E78DAA24-38F8-4D35-B732-B18ABA0424DF}
palmOne --> MsiExec.exe /X{FF24F097-D090-41D2-8E9C-BAFEBBFD938C}
PowerQuest PartitionMagic 7.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E5007FA-DA5E-4EDD-BDE5-14D128D66887}\Setup.exe"
Preclick Gold Photo Organizer --> C:\Program Files\Preclick\Organizer\setup.exe /uninstall
QBFC3.0 --> MsiExec.exe /X{5A847475-157F-45AD-9919-CD40D344B8B1}
Qimage --> Z:\PROGRA~1\Qimage\UNWISE.EXE Z:\PROGRA~1\Qimage\INSTALL.LOG
Qimage 30 Day Trial --> C:\PROGRA~1\Qimage\UNWISE.EXE C:\PROGRA~1\Qimage\INSTALL.LOG
QuickTime --> C:\Windows\unvise32qt.exe C:\Windows\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Remote Administrator v2.1 --> C:\Program Files\Radmin\uninstal.exe
Replay Converter 2.31 --> C:\Windows\iun6002.exe "z:\Program Files\Replay Converter\irunin.ini"
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
Sony DVD Architect 4.0 --> MsiExec.exe /X{219CB444-F2B6-4A17-8A76-BB7847F3DB26}
Sound Blaster Live! Web 2K/XP --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}\Setup.exe" -l0x9
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\Windows\unins000.exe"
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
TMPGEnc MPEG Editor --> MsiExec.exe /I{5C9440EC-5BAD-435F-8DE4-2B7A11C7B43E}
TMPGEnc Plus 2.5 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2A1E27FF-BE53-45B4-950F-060236E98E3D}
TOPO! --> C:\Windows\IsUninst.exe -f"c:\program files\delorme\topo4\EXTRA\Uninst.isu"
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Ulead PhotoImpact 3.01 Special Edition --> C:\Windows\ULEAD.DAT\uninst.exe /f:PI31L.INF
VideoReDo/Plus Version 2.5.3.500 --> "C:\Program Files\VideoReDoPlus\unins000.exe"
Virtual Earth 3D (Beta) --> MsiExec.exe /X{619B8475-0F48-41B7-A370-5147F7092989}
WinAce Archiver 2.0 --> C:\Program Files\WinAce\SXUNINST.EXE C:\Program Files\WinAce\SXUNINST.INI
Windows XP Service Pack 3 --> "C:\Windows\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinISO 5.3 --> "z:\Program Files\WinISO\unins000.exe"
WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\PROGRA~1\WINZIP\winzip32.exe" /uninstall
XML Paper Specification Shared Components Pack 1.0 -->
-- Application Event Log -------------------------------------------------------
Event Record #/Type798 / Warning
Event Submitted/Written: 06/16/2008 10:36:08 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The scan was cancelled at time 2008-06-17 3:36:08.(from WACKO IP 192.168.64.128 user ntadmin running VirusScan Enter 8.0 On-Demand Scan)
Event Record #/Type797 / Warning
Event Submitted/Written: 06/16/2008 10:35:31 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The Scan was unable to scan password protected file c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wronguninstallinformation1.zip\SBRECOVERY.REG. Scan engine version used is 5200 DAT version 5317.(from WACKO IP 192.168.64.128 user ntadmin running VirusScan Enter 8.0 On-Demand Scan)
Event Record #/Type796 / Warning
Event Submitted/Written: 06/16/2008 10:35:31 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The Scan was unable to scan password protected file c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wronguninstallinformation.zip\SBRECOVERY.REG. Scan engine version used is 5200 DAT version 5317.(from WACKO IP 192.168.64.128 user ntadmin running VirusScan Enter 8.0 On-Demand Scan)
Event Record #/Type795 / Warning
Event Submitted/Written: 06/16/2008 10:35:31 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The Scan was unable to scan password protected file c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wrongapppath9.zip\SBRECOVERY.REG. Scan engine version used is 5200 DAT version 5317.(from WACKO IP 192.168.64.128 user ntadmin running VirusScan Enter 8.0 On-Demand Scan)
Event Record #/Type794 / Warning
Event Submitted/Written: 06/16/2008 10:35:31 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The Scan was unable to scan password protected file c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wrongapppath8.zip\SBRECOVERY.REG. Scan engine version used is 5200 DAT version 5317.(from WACKO IP 192.168.64.128 user ntadmin running VirusScan Enter 8.0 On-Demand Scan)
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type325 / Error
Event Submitted/Written: 06/17/2008 08:45:45 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
Event Record #/Type324 / Error
Event Submitted/Written: 06/17/2008 08:45:05 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
Event Record #/Type323 / Error
Event Submitted/Written: 06/17/2008 08:38:09 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
Event Record #/Type322 / Error
Event Submitted/Written: 06/17/2008 08:38:04 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
Event Record #/Type321 / Error
Event Submitted/Written: 06/17/2008 08:17:56 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
-- End of Deckard's System Scanner: finished at 2008-06-17 08:56:28 ------------
paulaerison
2008-06-17, 17:32
I managed somehow to salvage a copy of the DLL and compress it into a WinZip 256-bit encrypted file (I think because it no longer had the .dll ext so it was ignored and not loaded). PM me for the PW and I can upload it somewhere safe... I don't want this running on someone's unsecure machine considering how difficult it was to remove... I'm still in safe mode until I can be sure it's gone...
what's the next step?
paulaerison
2008-06-17, 18:51
When I try and do anything that might potentially download a program that might have the ability to kill the virus...
going to try and install SP3 in safe mode... system "indicates" that SP3 is already installed... I know for a fact that there is no way possible for it to have done so because I was curious why THIS machine wasn't prompting me for update installations...
Wish me luck, the infected one will be offline for the next 0.5-4 hrs...
paulaerison
2008-06-17, 20:04
:oops:6/13/2008 2:23:11 PM Would be blocked by behaviour blocking rule (rule is currently in warn mode) WACKO\pauld99 cscript.exe C:\Documents and Settings\pauld99\Local Settings\Temporary Internet Files\Content.IE5\index.dat Prevent execution of scripts from the Temp folder Action blocked :Read
That was my wife trying to get an e-card for me for fathers day :-(
I have now increased the security for real-time protection... SP3 succeeded, now running SBSD scan and McAfee scan...
Hi
If you post here for help then you should do according to the instructions. If you want to clean this by yourself then go for it. If you want me to help you then you have to follow my instructions patiently without doing any solo ;)
Please post new DSS report (main.txt is enough).
paulaerison
2008-06-21, 19:37
users s-1-5-19 or something, so nothing worked for the better part of 2 days... I finally got it back up late last night, and BitDefender is currently running... it's about 70% ish so far and has identified over 400 infected files of some 300k+ files (and growing).... as soon as BD is done scanning and I can put the system back online, I will re-run DSS with HJT installed and post the log... it's saying around 60 hrs or so and it's been running for 15 or so as of this point...
btw, McAfee is a POJ... my faith in commercial AV software has been shattered... I used to use DrSolomon's till it got bought and buried, then Symantec till I got a virus, that McAfee found and killed, then McAfee, till now... I ran this variant through BOTH Symantec and McAfee (once it was isolated) and neither identified it... I ran it (and some variants) through Jotti, and almost all of the ones listed identified at LEAST one of the files... with BitDefender and AVG as the top dogs for hit%...
So I should be able to post the log on or about Sunday night or Monday morning...
Ok. Thanks for the heads up. I'll wait for your input :)
paulaerison
2008-06-21, 20:35
Ok. Thanks for the heads up. I'll wait for your input :)
when you get a chance, if you could take a crack at the other two, I would appreciate it... The laptop is used by my wife to connect to her work using their VPN client so it's important that it is not infected... (I think the laptop might be ok, because ad-hoc networking is disabled, and the WAP that it's connected to has some insanely long key)
I'm not even playing any computer games till this is figured out... (I'm really bored without EQ and LoN right now... I have to watch TV... uggghhh)
for those of you following this thread... never, NEVER, EVER disable your antivirus or firewall software because a website told you to do so... trust the pros (http://forums.spybot.info/showthread.php?t=288) (your cable company doesn't have a clue, they are not pros, their responsibility ends at your modem) :police:
paulaerison
2008-06-22, 07:03
Deckard's System Scanner v20071014.68
Run by pauld99 on 2008-06-21 20:28:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Total Physical Memory: 384 MiB (512 MiB recommended).
-- HijackThis (run as pauld99.exe) ---------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:38 PM, on 6/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\devldr32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdlite.exe
C:\Windows\system32\LEXBCES.EXE
C:\Windows\system32\LEXPPS.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Windows\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Windows\system32\spoolsv.exe
Z:\DOWNLOADS\Copy of dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\pauld99.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Z:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - Z:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Z:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Jet Detection] "c:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose /waitstart /waitmore
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\Windows\system32\mstask.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: SDK Tray Menu.lnk.disabled
O4 - Startup: Trillian.lnk.disabled
O4 - Global Startup: Acrobat Assistant.lnk = Z:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
O4 - Global Startup: AutoStart IR.lnk.disabled
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099059536327
O17 - HKLM\System\CCS\Services\Tcpip\..\{47ECF58E-EE56-4535-A375-5BCBADE6F9B1}: NameServer = 192.168.64.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
--
End of file - 7772 bytes
-- Files created between 2008-05-21 and 2008-06-21 -----------------------------
2008-06-21 20:14:46 98 --a----c- C:\Windows\detected.cmd
2008-06-21 19:37:52 94 --a----c- C:\Windows\bdlog.cmd
2008-06-20 08:26:02 0 d------c- C:\Windows\LastGood
2008-06-19 15:28:09 0 d------c- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-19 15:28:08 0 d--h---c- C:\Documents and Settings\Administrator\Templates
2008-06-19 15:28:08 0 dr-----c- C:\Documents and Settings\Administrator\Start Menu
2008-06-19 15:28:08 0 dr-h---c- C:\Documents and Settings\Administrator\SendTo
2008-06-19 15:28:08 0 dr-h---c- C:\Documents and Settings\Administrator\Recent
2008-06-19 15:28:08 0 d--h---c- C:\Documents and Settings\Administrator\PrintHood
2008-06-19 15:28:08 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-19 15:28:08 0 d--h---c- C:\Documents and Settings\Administrator\NetHood
2008-06-19 15:28:08 0 dr-----c- C:\Documents and Settings\Administrator\My Documents
2008-06-19 15:28:08 0 d--h---c- C:\Documents and Settings\Administrator\Local Settings
2008-06-19 15:28:08 0 dr-----c- C:\Documents and Settings\Administrator\Favorites
2008-06-19 15:28:08 0 d------c- C:\Documents and Settings\Administrator\Desktop
2008-06-19 15:28:08 0 d--hs--c- C:\Documents and Settings\Administrator\Cookies
2008-06-19 15:28:08 0 dr-h---c- C:\Documents and Settings\Administrator\Application Data
2008-06-19 15:28:08 0 d---s--c- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-19 15:09:28 39424 --a----c- C:\Windows\zipinst.exe <Not Verified; NirSoft; ZipInstaller>
2008-06-19 14:14:03 0 d--h---c- C:\Windows\$hf_mig$
2008-06-19 13:45:00 0 d------c- C:\Windows\Prefetch
2008-06-19 13:39:02 0 d------c- C:\Windows\l2schemas
2008-06-19 11:23:41 0 d------c- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-06-19 09:14:46 0 d------c- C:\Program Files\msn gaming zone
2008-06-18 22:58:28 0 d------c- C:\Windows\tmp
2008-06-18 15:47:36 0 d--hs--c- C:\Documents and Settings\ntadmin\Cookies
2008-06-18 15:47:15 0 dr-----c- C:\Documents and Settings\ntadmin\Favorites
2008-06-18 15:47:14 0 d------c- C:\Documents and Settings\ntadmin\Start Menu
2008-06-18 15:47:14 0 dr-h---c- C:\Documents and Settings\ntadmin\Recent
2008-06-18 15:47:14 0 d------c- C:\Documents and Settings\ntadmin\Desktop
2008-06-18 15:46:05 0 d--h---c- C:\Documents and Settings\ntadmin\Local Settings
2008-06-18 15:46:05 0 d------c- C:\Documents and Settings\ntadmin\Application Data
2008-06-18 15:46:05 0 d------c- C:\Documents and Settings\ntadmin\Application Data\Microsoft
2008-06-18 15:13:20 0 d------c- C:\Documents and Settings\aaerison\Application Data\Bitdefender
2008-06-18 13:41:33 0 d------c- C:\Documents and Settings\pauld99\Application Data\Bitdefender
2008-06-18 12:27:36 81984 --a----c- C:\Windows\system32\bdod.bin
2008-06-18 12:22:07 0 d------c- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-06-18 10:23:01 0 d------c- C:\Program Files\Trend Micro
2008-06-18 07:58:28 0 d------c- C:\Program Files\RegScanner
2008-06-17 21:42:31 0 d--h---c- C:\Program Files\WindowsUpdate
2008-06-17 13:36:19 118 --a----c- C:\Windows\taplog.cmd
2008-06-16 11:02:18 2359296 --ah----- C:\Documents and Settings\ntadmin\NTUSER.DAT
2008-06-15 12:35:55 0 d------c- C:\Documents and Settings\aaerison\Application Data\Macromedia
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\SendTo
2008-06-15 12:21:10 0 dr-h---c- C:\Documents and Settings\aaerison\Recent
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\PrintHood
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\NetHood
2008-06-15 12:21:10 0 dr-----c- C:\Documents and Settings\aaerison\My Documents
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\Local Settings
2008-06-15 12:21:10 0 dr-----c- C:\Documents and Settings\aaerison\Favorites
2008-06-15 12:21:10 0 d------c- C:\Documents and Settings\aaerison\Desktop
2008-06-15 12:21:10 0 d--hs--c- C:\Documents and Settings\aaerison\Cookies
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\Application Data
2008-06-15 12:21:10 0 d---s--c- C:\Documents and Settings\aaerison\Application Data\Microsoft
2008-06-15 12:21:10 0 d------c- C:\Documents and Settings\aaerison\Application Data\Identities
2008-06-15 12:21:09 0 d--h---c- C:\Documents and Settings\aaerison\Templates
2008-06-15 12:21:09 0 d------c- C:\Documents and Settings\aaerison\Start Menu
2008-06-15 12:21:09 2359296 --ah----- C:\Documents and Settings\aaerison\NTUSER.DAT
2008-06-13 08:08:37 0 d------c- C:\Windows\system32\scripting
2008-06-13 08:08:26 0 d------c- C:\Windows\system32\en
2008-06-13 07:46:02 99 --a----c- C:\Windows\rdc.cmd
2008-05-30 09:25:29 0 d------c- C:\Documents and Settings\LocalService\Desktop
2008-05-29 12:51:18 126 --a----c- C:\Windows\regtask.cmd
-- Find3M Report ---------------------------------------------------------------
2008-06-21 20:11:57 0 d------c- C:\Documents and Settings\pauld99\Application Data\AdobeUM
2008-06-21 19:53:09 0 d------c- C:\Program Files\Dell AIO Printer A920
2008-06-20 10:38:29 0 d------c- C:\Program Files\Common Files
2008-06-20 09:58:03 95 --a----c- C:\Windows\system32\productregistry
2008-06-19 15:29:28 0 d------c- C:\Program Files\Google
2008-06-18 14:45:26 0 d------c- C:\Documents and Settings\pauld99\Application Data\Identities
2008-06-17 22:02:27 0 d------c- C:\Program Files\Microsoft Silverlight
2008-06-13 09:41:11 0 d------c- C:\Documents and Settings\pauld99\Application Data\DNA
2008-06-13 08:09:43 0 d------c- C:\Program Files\Messenger
2008-06-13 08:08:23 0 d------c- C:\Program Files\Movie Maker
2008-06-13 08:01:48 0 d------c- C:\Program Files\Windows NT
2008-05-23 06:52:01 0 d------c- C:\Documents and Settings\pauld99\Application Data\BitTorrent
2008-04-23 08:01:36 0 d------c- C:\Program Files\DNA
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [08/18/2004 08:00 AM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [08/06/2004 03:50 AM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [10/07/2003 09:48 AM]
"nwiz"="nwiz.exe" [08/11/2006 10:43 PM C:\WINDOWS\system32\nwiz.exe]
"Jet Detection"="c:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [11/29/2001 02:00 AM]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [06/02/2003 01:25 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 01:01 PM]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [01/28/2008 11:43 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [08/11/2006 10:43 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [08/11/2006 10:43 PM]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [04/02/2007 04:48 PM]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [03/26/2007 03:49 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/03/2007 11:32 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\Windows\system32\mstask.exe
C:\Documents and Settings\pauld99\Start Menu\Programs\Startup\
SDK Tray Menu.lnk.disabled [3/1/2007 6:50:43 PM]
Trillian.lnk.disabled [11/5/2006 5:25:06 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - Z:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 3:19:50 AM]
Acrobat Assistant.lnk.disabled [2/2/2007 12:53:10 PM]
Adobe Gamma Loader.exe.lnk.disabled [10/10/2006 1:12:01 AM]
AutoStart IR.lnk.disabled [11/29/2006 4:15:20 PM]
HOTSYNCSHORTCUTNAME.lnk.disabled [8/21/2007 9:21:26 PM]
Microsoft Office.lnk.disabled [2/22/2007 4:35:19 PM]
WinZip Quick Pick.lnk.disabled [1/19/2007 1:30:26 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"=0 (0x0)
"NoWebServices"=0 (0x0)
"NoOnlinePrintsWizard"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\Windows\System32\dimsntfy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Nero DriveSpeed"=C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
"NeroCheck"=C:\Windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc
-- End of Deckard's System Scanner: finished at 2008-06-21 20:33:07 ------------
paulaerison
2008-06-22, 07:14
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll
Digging through the registry brings me to a CLSID with no other info in it; digging for that CLSID pops up dozens of hits for BitDefender... Safe to assume this is legit? Jotti reports no infection... except for ArcaVir :lip: which reports {ArcaVir Found Riskware.SockSpy.A} (I'm guessing... false positive matched by name? :cool:)
File: sockspy.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 6382040502f8e7271e65a523b70f2b0a
Packers detected: -
paulaerison
2008-06-22, 07:37
Rootkits found by bitdefender (I missed a critical letter in the grep command):oops:
Hi
Please uninstall Spybot for now to make sure TeaTimer won't interfere with fixing. You may reinstall it after the system is clean :)
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
paulaerison
2008-06-22, 18:46
ComboFix 08-06-20.4 - pauld99 2008-06-22 8:12:54.1 - NTFSx86
Running from: Z:\DOWNLOADS\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\cookies.ini
C:\Windows\system32\CdMTuBeg.ini
C:\Windows\system32\cfeOrBeg.ini
C:\Windows\system32\cyylyxlv.ini
C:\Windows\system32\dKnTCcdd.ini
C:\Windows\system32\gsnmbndt.ini
C:\Windows\system32\ltvgljub.ini
C:\Windows\system32\MabryObj.dll
C:\Windows\system32\npWGNqss.ini
C:\Windows\system32\rbuptxpl.ini
C:\Windows\system32\sxadygxb.ini
C:\Windows\system32\txvuperq.ini
C:\Windows\system32\uvixxifj.ini
C:\Windows\system32\whosloyh.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.
2008-06-21 20:14 . 2008-06-21 20:19 98 --a--c--- C:\WINDOWS\detected.cmd
2008-06-21 19:37 . 2008-06-21 19:37 94 --a--c--- C:\WINDOWS\bdlog.cmd
2008-06-19 15:28 . 2008-06-19 15:28 <DIR> d----c--- C:\Documents and Settings\Administrator
2008-06-19 15:09 . 2008-06-19 15:09 39,424 --a--c--- C:\WINDOWS\zipinst.exe
2008-06-19 15:08 . 2008-06-19 15:08 <DIR> d----c--- C:\Deckard
2008-06-19 14:14 . 2008-06-19 14:14 <DIR> d--h-c--- C:\WINDOWS\$hf_mig$
2008-06-19 13:39 . 2008-06-19 13:39 <DIR> d----c--- C:\WINDOWS\l2schemas
2008-06-19 13:36 . 2006-12-29 00:31 19,569 --a--c--- C:\WINDOWS\000001_.tmp
2008-06-19 11:23 . 2008-06-19 11:23 <DIR> d----c--- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-06-18 22:58 . 2008-06-19 15:12 <DIR> d----c--- C:\WINDOWS\tmp
2008-06-18 15:13 . 2008-06-18 15:13 <DIR> d----c--- C:\Documents and Settings\aaerison\Application Data\Bitdefender
2008-06-18 13:41 . 2008-06-18 13:41 <DIR> d----c--- C:\Documents and Settings\pauld99\Application Data\Bitdefender
2008-06-18 12:27 . 2008-06-22 09:31 81,984 --a--c--- C:\WINDOWS\system32\bdod.bin
2008-06-18 12:22 . 2008-06-18 12:22 <DIR> d----c--- C:\Program Files\Softwin
2008-06-18 12:22 . 2008-06-18 12:23 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-06-18 12:20 . 2008-06-18 12:22 <DIR> d----c--- C:\Program Files\Common Files\Softwin
2008-06-18 10:23 . 2008-06-18 10:23 <DIR> d----c--- C:\Program Files\Trend Micro
2008-06-18 07:58 . 2008-06-18 13:51 <DIR> d----c--- C:\Program Files\RegScanner
2008-06-17 20:34 . 2008-06-17 20:34 66 --a--c--- C:\WINDOWS\ws40.ini
2008-06-17 13:36 . 2008-06-17 13:36 118 --a--c--- C:\WINDOWS\taplog.cmd
2008-06-17 11:09 . 2008-04-14 05:42 13,824 -----c--- C:\WINDOWS\system32\wscntfy.exe
2008-06-17 10:47 . 2008-06-17 10:47 8,887 --a--c--- C:\windows_protection.png
2008-06-17 09:26 . 2008-06-17 09:26 23,644 --a--c--- C:\tuvtmnhx.dll.bad.zip
2008-06-16 13:49 . 2008-06-16 13:48 173,456 --a--c--- C:\FixVundo.exe
2008-06-16 11:02 . 2008-06-18 15:47 <DIR> d----c--- C:\Documents and Settings\ntadmin
2008-06-15 13:41 . 2008-06-15 20:41 665 --ahsc--- C:\WINDOWS\system32\SrCKlRqr.ini
2008-06-15 12:21 . 2008-06-18 15:10 <DIR> d----c--- C:\Documents and Settings\aaerison
2008-06-13 08:08 . 2008-06-13 08:08 <DIR> d----c--- C:\WINDOWS\system32\scripting
2008-06-13 07:57 . 2008-04-13 22:06 144,384 --a--c--- C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-06-13 07:57 . 2008-04-14 00:10 10,240 --a--c--- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-06-13 07:46 . 2008-06-13 07:46 99 --a--c--- C:\WINDOWS\rdc.cmd
2008-06-12 22:12 . 2008-05-07 00:12 1,288,192 -----c--- C:\WINDOWS\system32\dllcache\quartz.dll
2008-06-12 22:12 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-12 22:11 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-30 10:16 . 2008-06-12 21:35 1,542 --ahsc--- C:\WINDOWS\system32\FgQBdMoq.ini
2008-05-29 14:07 . 2008-06-16 11:39 614 --a--c--- C:\WINDOWS\wininit.ini
2008-05-29 12:51 . 2008-06-17 17:53 126 --a--c--- C:\WINDOWS\regtask.cmd
2008-05-29 11:35 . 2008-05-29 11:57 1,387 --ahsc--- C:\WINDOWS\system32\bLkkmnnn.ini
2008-05-22 20:26 . 2008-05-22 21:15 35 --a--c--- C:\WINDOWS\iltwain.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 13:01 --------- dc----w C:\Program Files\Spybot - Search & Destroy
2008-06-22 12:59 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-22 01:11 --------- dc----w C:\Documents and Settings\pauld99\Application Data\AdobeUM
2008-06-22 00:53 --------- dc----w C:\Program Files\Dell AIO Printer A920
2008-06-19 20:29 --------- dc----w C:\Program Files\Google
2008-06-18 03:02 --------- dc----w C:\Program Files\Microsoft Silverlight
2008-06-13 14:41 --------- dc----w C:\Documents and Settings\pauld99\Application Data\DNA
2008-06-13 11:05 272,128 -c--a-w C:\Windows\system32\drivers\bthport.sys
2008-05-23 11:52 --------- dc----w C:\Documents and Settings\pauld99\Application Data\BitTorrent
2008-05-08 14:02 203,136 -c--a-w C:\Windows\system32\drivers\rmcast.sys
2008-04-23 13:01 --------- dc----w C:\Program Files\DNA
2008-04-14 10:42 69,120 -c----w C:\Windows\notepad.exe
2008-04-14 10:42 50,688 -c--a-w C:\Windows\twain_32.dll
2008-04-14 10:42 32,866 -c----w C:\Windows\slrundll.exe
2008-04-14 10:42 283,648 -c----w C:\Windows\winhlp32.exe
2008-04-14 10:42 146,432 -c----w C:\Windows\regedit.exe
2008-04-14 10:42 10,752 -c----w C:\Windows\hh.exe
2008-04-14 10:42 1,033,728 -c--a-w C:\Windows\explorer.exe
2008-04-14 10:41 451,072 -c--a-w C:\Windows\AppPatch\aclayers.dll
2008-04-14 10:41 39,424 -c--a-w C:\Windows\AppPatch\acadproc.dll
2008-04-14 10:41 245,248 -c--a-w C:\Windows\AppPatch\acspecfc.dll
2008-04-14 10:41 141,312 -c--a-w C:\Windows\AppPatch\aclua.dll
2008-04-14 10:41 116,224 -c--a-w C:\Windows\AppPatch\acxtrnal.dll
2008-04-14 10:41 1,852,928 -c--a-w C:\Windows\AppPatch\acgenral.dll
2007-01-31 23:36 233,424 -c--a-w C:\Documents and Settings\pauld99\Application Data\GDIPFONTCACHEV1.DAT
2007-03-04 14:58 80 -csha-r C:\Windows\system32\6B7A0F6512.dll
2005-07-14 19:31 27,648 -csha-w C:\Windows\system32\AVSredirect.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 23:32 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 08:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514]
"nwiz"="nwiz.exe" [2006-08-11 22:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"Jet Detection"="c:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 02:00 28672]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 13:25 270336]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 13:01 1037736]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [ ]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-08-11 22:43 7630848]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-08-11 22:43 86016]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-04-02 16:48 290816]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49 69632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="C:\Windows\system32\mstask.exe" [ ]
C:\Documents and Settings\pauld99\Start Menu\Programs\Startup\
SDK Tray Menu.lnk.disabled [2007-03-01 18:50:43 793]
Trillian.lnk.disabled [2006-11-05 17:25:06 702]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - Z:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 03:19:50 217193]
Acrobat Assistant.lnk.disabled [2007-02-02 12:53:10 1677]
Adobe Gamma Loader.exe.lnk.disabled [2006-10-10 01:12:01 896]
AutoStart IR.lnk.disabled [2006-11-29 16:15:20 588]
HOTSYNCSHORTCUTNAME.lnk.disabled [2007-08-21 21:21:26 661]
Microsoft Office.lnk.disabled [2007-02-22 16:35:19 1580]
WinZip Quick Pick.lnk.disabled [2007-01-19 13:30:26 1524]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"= ctwdm32.dll
"msvideo"= o100vc.dll
"VIDC.I420"= i263_32.drv
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Nero DriveSpeed"=C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
"NeroCheck"=C:\Windows\system32\NeroCheck.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"z:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"135:TCP"= 135:TCP:TCP 135
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
R2 SVKP;SVKP;C:\Windows\system32\SVKP.sys [2006-11-20 00:32]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;C:\Windows\system32\drivers\HCWBT8XX.sys [2006-01-25 18:14]
S3 scsiscan;SCSI Scanner Driver;C:\Windows\system32\DRIVERS\scsiscan.sys [2008-04-14 00:15]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-20 06:00:00 C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-06-22 14:35:00 C:\Windows\Tasks\User_Feed_Synchronization-{5678D393-1137-432C-86AC-EBF0BB7EA42C}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 09:31:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\locator.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
.
**************************************************************************
.
Completion time: 2008-06-22 9:38:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-22 14:38:40
Pre-Run: 20,650,868,736 bytes free
Post-Run: 20,983,570,432 bytes free
207 --- E O F --- 2008-06-18 02:40:12
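To triage the two artifacts this thread keeps coming back to, the autostart keys (Winlogon Notify, AppInit_DLLs, Run) and ComboFix's "Files Created" listing, here is an added Python example; it is not code from the thread, ComboFix or DSS. The sample data is constructed from a few lines of the logs above plus one invented placeholder module, xqwlptrk.dll, so the file-to-registry cross-check has something to hit.

```python
"""Triage for the two artifacts this thread keeps returning to: a ComboFix-style
'Files Created' listing and a REGEDIT4 dump of the autostart keys.
Added example, not code from the thread, ComboFix or DSS."""
import re
from collections import namedtuple

# ComboFix 'Files Created' line: <created> . <modified> <size> <attrs> <path>
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                     r"([\d,]+|<DIR>) (\S{9}) (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
MODULE_RE = re.compile(r"([A-Za-z0-9_~]+)\.(?:dll|exe|drv)", re.IGNORECASE)

# Persistence points discussed in the thread, matched against the key path.
WATCHED_KEYS = {r"winlogon\notify": "Winlogon Notify",
                r"currentversion\windows": "AppInit_DLLs",
                r"currentversion\run": "Run key"}

Finding = namedtuple("Finding", "kind where detail reasons")

def suspicious_file(path, attrs):
    """Reasons a created file resembles the residue ComboFix deleted above:
    throwaway 8-letter .ini/.dll names in system32, some of them hidden+system."""
    low = path.lower()
    m = re.search(r"\\([^\\]+)\.(ini|dll)$", low)
    if "\\system32\\" not in low or not m:
        return []
    stem, ext = m.groups()
    reasons = []
    if len(stem) == 8 and stem.isalpha():
        reasons.append("8-letter throwaway name in system32")
    if ext == "ini" and "h" in attrs and "s" in attrs:
        reasons.append("hidden+system .ini in system32")
    return reasons

def triage_files(listing):
    findings = []
    for line in listing.splitlines():
        m = FILE_RE.match(line.strip())
        if m and (reasons := suspicious_file(m[4], m[3])):
            findings.append(Finding("file", m[4], f"created {m[1]}, {m[2]} bytes", tuple(reasons)))
    return findings

def watched_label(key):
    kl = key.lower()
    return next((lab for frag, lab in WATCHED_KEYS.items()
                 if kl.endswith(frag) or frag + "\\" in kl), None)

def triage_registry(dump, flagged_stems):
    """Every value under a watched key is listed for review (as the HijackThis and
    DSS sections above do); a value loading a flagged module gets a second reason.
    Bare lines (DSS prints the DLL path without a name) count as the default value."""
    findings, key, label = [], None, None
    for raw in dump.splitlines():
        line = raw.strip()
        if km := KEY_RE.match(line):
            key, label = km[1], watched_label(km[1])
            continue
        if not label or not line or line.startswith(("*", "REGEDIT")):
            continue
        vm = VALUE_RE.match(line)
        name, value = vm.groups() if vm else ("(default)", line)
        reasons = [f"listed under {label}"]
        reasons += [f"references flagged module {mod}" for mod in MODULE_RE.findall(value)
                    if mod.lower() in flagged_stems]
        findings.append(Finding("registry", key, f"{name}={value}", tuple(reasons)))
    return findings

def run_triage(listing, dump):
    files = triage_files(listing)
    stems = {f.where.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower() for f in files}
    return files, triage_registry(dump, stems)

# Constructed sample: lines copied from the ComboFix log in this thread plus one
# invented placeholder module (xqwlptrk.dll) so the cross-check has something to hit.
SAMPLE_FILES = r"""
2008-06-18 12:27 . 2008-06-22 09:31 81,984 --a--c--- C:\WINDOWS\system32\bdod.bin
2008-06-15 13:41 . 2008-06-15 20:41 665 --ahsc--- C:\WINDOWS\system32\SrCKlRqr.ini
2008-06-15 13:40 . 2008-06-15 13:40 86,016 --a--c--- C:\WINDOWS\system32\xqwlptrk.dll
2008-06-12 22:12 . 2008-05-07 00:12 1,288,192 -----c--- C:\WINDOWS\system32\dllcache\quartz.dll
"""
SAMPLE_REGISTRY = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-08-11 22:43 7630848]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
"DLLName"="dimsntfy.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xqwlptrk]
"DLLName"="xqwlptrk.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll
"""

if __name__ == "__main__":
    files, regs = run_triage(SAMPLE_FILES, SAMPLE_REGISTRY)
    for f in files + regs:
        print(f"[{f.kind}] {f.where}  {f.detail}  <- {'; '.join(f.reasons)}")
```

The name heuristic only narrows the list; entries such as dimsntfy.dll and sockspy.dll are listed for review but not flagged, which matches what the thread found by checking them by hand.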
Hi
Do you recognize following files? If not upload them to http://virusscan.jotti.org and post back the results:
C:\windows_protection.png
C:\WINDOWS\regtask.cmd
C:\WINDOWS\taplog.cmd
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\000001_.tmp
C:\tuvtmnhx.dll.bad.zip
C:\FixVundo.exe
C:\WINDOWS\system32\SrCKlRqr.ini
C:\WINDOWS\system32\FgQBdMoq.ini
C:\WINDOWS\system32\bLkkmnnn.ini
Save this as
CFScript
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under
select a target to scan
, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete; Kaspersky suggests running it during a time of low activity. Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log (without forgetting the above mentioned ComboFix resultant log) too.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.
If having a problem doing the above
Make sure that your Internet security settings are set to default values.
To set default security settings for Internet Explorer:
* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
paulaerison
2008-06-23, 00:29
Hi
C:\windows_protection.png
That is the image file that I made for the popup anytime I use IE to download a fix, I uploaded it in one of my messages earlier...
Hi
C:\WINDOWS\regtask.cmd
@echo example: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
Hi
C:\WINDOWS\taplog.cmd
tail -f "C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt"
paulaerison
2008-06-23, 00:31
Hi
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\000001_.tmp
C:\tuvtmnhx.dll.bad.zip
C:\FixVundo.exe
C:\WINDOWS\system32\SrCKlRqr.ini
C:\WINDOWS\system32\FgQBdMoq.ini
C:\WINDOWS\system32\bLkkmnnn.ini
Save this as
CFScript
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
ComboFix 08-06-20.4 - pauld99 2008-06-22 16:15:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.158 [GMT -5:00]
Running from: Z:\DOWNLOADS\ComboFix.exe
Command switches used :: Z:\DOWNLOADS\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\FixVundo.exe
C:\WINDOWS\000001_.tmp
C:\WINDOWS\system32\bLkkmnnn.ini
C:\WINDOWS\system32\FgQBdMoq.ini
C:\WINDOWS\system32\SrCKlRqr.ini
.
((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.
2008-06-22 15:16 . 2008-06-22 15:16 <DIR> d----c--- C:\Program Files\Pro Imaging Powertoys
2008-06-22 15:16 . 2008-06-22 15:16 <DIR> d----c--- C:\Program Files\Common Files\Nikon
2008-06-22 15:02 . 2008-06-22 15:02 <DIR> d----c--- C:\WINDOWS\system32\Kaspersky Lab
2008-06-22 15:02 . 2008-06-22 15:02 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-22 15:01 . 2008-06-22 15:01 <DIR> d----c--- C:\WINDOWS\LastGood
2008-06-22 14:09 . 2003-06-25 16:05 266,360 --a--c--- C:\WINDOWS\system32\TweakUI.exe
2008-06-22 14:09 . 2002-06-21 15:09 160,217 --a--c--- C:\WINDOWS\system32\PowerToysLicense.rtf
2008-06-22 12:55 . 2008-06-22 12:55 <DIR> d----c--- C:\Documents and Settings\sqlwriter
2008-06-22 12:55 . 2008-06-22 12:55 <DIR> d----c--- C:\Documents and Settings\sqlservr
2008-06-22 12:54 . 2008-06-22 12:54 <DIR> d----c--- C:\Documents and Settings\sqlbrowser
2008-06-22 11:42 . 2008-06-22 12:39 <DIR> d----c--- C:\Documents and Settings\pauld99\SecurityScans
2008-06-22 11:01 . 2008-03-25 02:37 69,632 --a--c--- C:\WINDOWS\system32\javacpl.cpl
2008-06-22 11:00 . 2008-06-22 11:01 <DIR> d----c--- C:\Program Files\Java
2008-06-22 10:59 . 2008-06-22 10:59 <DIR> d----c--- C:\Program Files\Common Files\Java
2008-06-21 20:14 . 2008-06-21 20:19 98 --a--c--- C:\WINDOWS\detected.cmd
2008-06-21 19:37 . 2008-06-21 19:37 94 --a--c--- C:\WINDOWS\bdlog.cmd
2008-06-19 15:28 . 2008-06-19 15:28 <DIR> d----c--- C:\Documents and Settings\Administrator
2008-06-19 15:09 . 2008-06-19 15:09 39,424 --a--c--- C:\WINDOWS\zipinst.exe
2008-06-19 15:08 . 2008-06-19 15:08 <DIR> d----c--- C:\Deckard
2008-06-19 14:14 . 2008-06-19 14:14 <DIR> d--h-c--- C:\WINDOWS\$hf_mig$
2008-06-19 13:39 . 2008-06-19 13:39 <DIR> d----c--- C:\WINDOWS\l2schemas
2008-06-19 11:23 . 2008-06-19 11:23 <DIR> d----c--- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-06-18 22:58 . 2008-06-19 15:12 <DIR> d----c--- C:\WINDOWS\tmp
2008-06-18 15:13 . 2008-06-18 15:13 <DIR> d----c--- C:\Documents and Settings\aaerison\Application Data\Bitdefender
2008-06-18 13:41 . 2008-06-18 13:41 <DIR> d----c--- C:\Documents and Settings\pauld99\Application Data\Bitdefender
2008-06-18 12:27 . 2008-06-22 16:17 81,984 --a--c--- C:\WINDOWS\system32\bdod.bin
2008-06-18 12:22 . 2008-06-18 12:22 <DIR> d----c--- C:\Program Files\Softwin
2008-06-18 12:22 . 2008-06-18 12:23 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-06-18 12:20 . 2008-06-18 12:22 <DIR> d----c--- C:\Program Files\Common Files\Softwin
2008-06-18 10:23 . 2008-06-18 10:23 <DIR> d----c--- C:\Program Files\Trend Micro
2008-06-18 07:58 . 2008-06-18 13:51 <DIR> d----c--- C:\Program Files\RegScanner
2008-06-17 20:34 . 2008-06-17 20:34 66 --a--c--- C:\WINDOWS\ws40.ini
2008-06-17 13:36 . 2008-06-17 13:36 118 --a--c--- C:\WINDOWS\taplog.cmd
2008-06-17 11:09 . 2008-04-14 05:42 13,824 -----c--- C:\WINDOWS\system32\wscntfy.exe
2008-06-17 10:47 . 2008-06-17 10:47 8,887 --a--c--- C:\windows_protection.png
2008-06-16 11:02 . 2008-06-18 15:47 <DIR> d----c--- C:\Documents and Settings\ntadmin
2008-06-15 12:21 . 2008-06-18 15:10 <DIR> d----c--- C:\Documents and Settings\aaerison
2008-06-13 08:08 . 2008-06-13 08:08 <DIR> d----c--- C:\WINDOWS\system32\scripting
2008-06-13 07:57 . 2008-04-13 22:06 144,384 --a--c--- C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-06-13 07:57 . 2008-04-14 00:10 10,240 --a--c--- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-06-13 07:46 . 2008-06-13 07:46 99 --a--c--- C:\WINDOWS\rdc.cmd
2008-06-12 22:12 . 2008-05-07 00:12 1,288,192 -----c--- C:\WINDOWS\system32\dllcache\quartz.dll
2008-06-12 22:12 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-12 22:11 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-29 14:07 . 2008-06-16 11:39 614 --a--c--- C:\WINDOWS\wininit.ini
2008-05-29 12:51 . 2008-06-17 17:53 126 --a--c--- C:\WINDOWS\regtask.cmd
2008-05-22 20:26 . 2008-05-22 21:15 35 --a--c--- C:\WINDOWS\iltwain.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 16:40 --------- dc----w C:\Program Files\Common Files\Network Associates
2008-06-22 13:01 --------- dc----w C:\Program Files\Spybot - Search & Destroy
2008-06-22 12:59 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-22 01:11 --------- dc----w C:\Documents and Settings\pauld99\Application Data\AdobeUM
2008-06-22 00:53 --------- dc----w C:\Program Files\Dell AIO Printer A920
2008-06-19 20:29 --------- dc----w C:\Program Files\Google
2008-06-18 03:02 --------- dc----w C:\Program Files\Microsoft Silverlight
2008-06-13 14:41 --------- dc----w C:\Documents and Settings\pauld99\Application Data\DNA
2008-06-13 11:05 272,128 -c--a-w C:\Windows\system32\drivers\bthport.sys
2008-05-23 11:52 --------- dc----w C:\Documents and Settings\pauld99\Application Data\BitTorrent
2008-05-08 14:02 203,136 -c--a-w C:\Windows\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 -c--a-w C:\Windows\system32\quartz.dll
2008-04-23 13:01 --------- dc----w C:\Program Files\DNA
2008-04-23 04:16 826,368 -c--a-w C:\Windows\system32\wininet.dll
2008-04-14 10:55 1,804 -c--a-w C:\Windows\system32\dcache.bin
2008-04-14 10:46 329,728 -c--a-w C:\Windows\system32\netsetup.exe
2008-04-14 10:43 92,424 -c--a-w C:\Windows\system32\rdpdd.dll
2008-04-14 10:43 87,176 -c--a-w C:\Windows\system32\rdpwsx.dll
2008-04-14 10:43 12,168 -c--a-w C:\Windows\system32\tsddd.dll
2008-04-14 10:41 98,304 -c--a-w C:\Windows\system32\actxprxy.dll
2008-04-14 10:40 53,279 -c--a-w C:\Windows\system32\odbcji32.dll
2008-04-14 10:40 4,126 -c--a-w C:\Windows\system32\msdxmlc.dll
2008-04-14 10:40 3,584 -c--a-w C:\Windows\system32\msafd.dll
2008-04-14 06:00 1,845,632 -c--a-w C:\Windows\system32\win32k.sys
2008-04-14 05:57 2,188,928 -c--a-w C:\Windows\system32\ntoskrnl.exe
2008-04-14 05:15 17,664 -c--a-w C:\Windows\system32\watchdog.sys
2008-04-14 05:13 9,728 -c--a-w C:\Windows\system32\comsdupd.exe
2008-04-14 05:13 12,800 -c--a-w C:\Windows\system32\spiisupd.exe
2008-04-14 05:01 7,424 -c--a-w C:\Windows\system32\kd1394.dll
2008-04-14 05:01 2,065,792 -c--a-w C:\Windows\system32\ntkrnlpa.exe
2008-04-14 05:00 61,440 -c--a-w C:\Windows\system32\msvcrt40.dll
2008-04-14 04:45 76,800 -c--a-w C:\Windows\system32\msshavmsg.dll
2008-04-14 04:09 438,784 -c--a-w C:\Windows\system32\xpob2res.dll
2008-04-14 04:09 2,897,920 -c--a-w C:\Windows\system32\xpsp2res.dll
2008-04-14 04:09 187,392 -c--a-w C:\Windows\system32\xpsp1res.dll
2008-04-14 04:07 208,384 -c--a-w C:\Windows\system32\rsaenh.dll
2008-04-14 04:07 138,752 -c--a-w C:\Windows\system32\dssenh.dll
2008-04-14 03:57 79,872 -c--a-w C:\Windows\system32\msxml6r.dll
2008-04-14 03:56 94,208 -c--a-w C:\Windows\system32\odbcint.dll
2008-04-14 03:56 12,288 -c--a-w C:\Windows\system32\odbcp32r.dll
2008-04-14 03:56 12,288 -c--a-w C:\Windows\system32\mscpx32r.dll
2008-04-14 03:54 20,480 -c--a-w C:\Windows\system32\msorc32r.dll
2008-04-14 03:51 733,696 -c--a-w C:\Windows\system32\qedwipes.dll
2008-04-14 03:39 4,096 -c--a-w C:\Windows\system32\dsprpres.dll
2008-04-14 03:33 63,488 -c--a-w C:\Windows\system32\browselc.dll
2008-04-14 03:33 549,376 -c--a-w C:\Windows\system32\shdoclc.dll
2008-04-14 03:18 1,647,616 -c--a-w C:\Windows\system32\winbrand.dll
2008-04-14 03:15 216,064 -c--a-w C:\Windows\system32\moricons.dll
2008-04-14 02:53 48,128 -c--a-w C:\Windows\system32\msprivs.dll
2008-04-14 02:52 48,128 -c--a-w C:\Windows\system32\inetres.dll
2008-04-14 02:09 884,736 -c--a-w C:\Windows\system32\msimsg.dll
2007-01-31 23:36 233,424 -c--a-w C:\Documents and Settings\pauld99\Application Data\GDIPFONTCACHEV1.DAT
2007-03-04 14:58 80 -csha-r C:\Windows\system32\6B7A0F6512.dll
2005-07-14 19:31 27,648 -csha-w C:\Windows\system32\AVSredirect.dll
.
((((((((((((((((((((((((((((( snapshot@2008-06-22_ 9.38.09.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-22 13:17:58 2,048 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-22 18:41:33 2,048 --s-a-w C:\Windows\bootstat.dat
+ 2007-03-23 01:07:56 91,488 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\ADDRPARS.DLL
+ 2007-03-23 01:07:54 80,224 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\DLGSETP.DLL
+ 2007-04-19 19:53:52 137,568 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\ENVELOPE.DLL
+ 2007-05-31 19:41:06 10,352,472 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\EXCEL.EXE
+ 2007-04-19 20:09:30 167,256 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\IETAG.DLL
+ 2007-04-19 19:53:52 127,328 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\IMPMAIL.DLL
+ 2007-04-19 19:54:04 183,136 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\MIMEDIR.DLL
+ 2007-06-18 23:16:32 12,259,160 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\MSO.DLL
+ 2007-05-31 19:43:46 7,613,280 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\OUTLLIB.DLL
+ 2007-04-19 19:53:44 106,336 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\OUTLMIME.DLL
+ 2007-05-31 19:42:14 200,032 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\OUTLOOK.EXE
+ 2007-04-19 19:53:56 149,856 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\OUTLPH.DLL
+ 2007-04-19 19:53:24 69,984 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\OUTLRPC.DLL
+ 2007-03-23 01:07:10 41,824 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\RECALL.DLL
+ 2007-03-23 01:07:54 78,168 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\RM.DLL
+ 2007-03-23 01:22:02 103,264 -c--a-r C:\Windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\TRANSMGR.DLL
+ 2008-06-22 19:56:11 25,214 -c--a-r C:\Windows\Installer\{4E475FD4-4513-4B1D-8DDA-43912B068C99}\ARPPRODUCTICON.exe
+ 2008-06-22 19:56:11 25,214 -c--a-r C:\Windows\Installer\{4E475FD4-4513-4B1D-8DDA-43912B068C99}\startmenu.exe
- 2008-02-15 09:12:12 167,936 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2008-06-22 20:55:05 167,936 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2008-02-15 09:12:12 2,560 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-06-22 20:55:05 2,560 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2008-02-15 09:12:12 34,304 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-06-22 20:55:05 34,304 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2008-02-15 09:12:12 8,192 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-06-22 20:55:05 8,192 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-02-15 09:12:12 3,584 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-06-22 20:55:05 3,584 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2008-02-15 09:12:13 114,688 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-06-22 20:55:05 114,688 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2008-02-15 09:12:12 16,384 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-06-22 20:55:05 16,384 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-02-15 09:12:12 30,720 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-06-22 20:55:05 30,720 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2008-02-15 09:12:13 22,528 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-06-22 20:55:05 22,528 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2008-02-15 09:12:12 45,056 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-06-22 20:55:05 45,056 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2008-02-15 09:12:12 90,112 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-06-22 20:55:05 90,112 -c--a-r C:\Windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2008-03-03 03:17:27 12,288 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-06-22 20:56:31 12,288 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-03-03 03:17:27 135,168 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-06-22 20:56:31 135,168 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-03-03 03:17:27 11,264 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-06-22 20:56:31 11,264 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-03-03 03:17:27 27,136 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-06-22 20:56:31 27,136 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-03-03 03:17:27 4,096 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-06-22 20:56:31 4,096 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-03-03 03:17:28 794,624 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-06-22 20:56:31 794,624 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-03-03 03:17:28 23,040 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-06-22 20:56:31 23,040 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-03-03 03:17:27 286,720 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-06-22 20:56:31 286,720 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-03-03 03:17:27 409,600 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-06-22 20:56:31 409,600 -c--a-r C:\Windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-06-22 19:58:25 23,558 -c--a-r C:\Windows\Installer\{B37C842A-B624-46B8-A727-654E72F1C91A}\ARPPRODUCTICON.exe
+ 2008-06-22 19:58:25 23,558 -c--a-r C:\Windows\Installer\{B37C842A-B624-46B8-A727-654E72F1C91A}\PowerCalc.exe
+ 2008-06-22 19:54:37 42,166 -c--a-r C:\Windows\Installer\{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}\ARPPRODUCTICON.exe
+ 2002-03-19 22:30:00 11,328 -c--a-w C:\Windows\system32\cmdhere.dll
+ 2004-07-15 21:47:48 616,960 -c--a-w C:\Windows\system32\htmlgen.exe
+ 2008-03-25 06:28:39 135,168 -c--a-w C:\Windows\system32\java.exe
+ 2008-03-25 06:28:43 135,168 -c--a-w C:\Windows\system32\javaw.exe
+ 2008-03-25 07:37:01 139,264 -c--a-w C:\Windows\system32\javaws.exe
+ 2005-05-24 17:27:16 213,048 -c--a-w C:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 -c--a-w C:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 -c--a-w C:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2002-03-19 22:30:00 21,504 -c--a-w C:\Windows\system32\phototoys.dll
+ 2002-03-19 22:30:00 216,576 -c--a-w C:\Windows\system32\PowerCalc.exe
+ 2002-03-19 22:30:00 90,112 -c--a-w C:\Windows\system32\slideshow.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 23:32 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-08-11 22:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"Jet Detection"="c:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 02:00 28672]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 13:25 270336]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 13:01 1037736]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [ ]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-08-11 22:43 7630848]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-08-11 22:43 86016]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-04-02 16:48 290816]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="C:\Windows\system32\mstask.exe" [ ]
C:\Documents and Settings\pauld99\Start Menu\Programs\Startup\
SDK Tray Menu.lnk.disabled [2007-03-01 18:50:43 793]
Trillian.lnk.disabled [2006-11-05 17:25:06 702]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - Z:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 03:19:50 217193]
Acrobat Assistant.lnk.disabled [2007-02-02 12:53:10 1677]
Adobe Gamma Loader.exe.lnk.disabled [2006-10-10 01:12:01 896]
AutoStart IR.lnk.disabled [2006-11-29 16:15:20 588]
HOTSYNCSHORTCUTNAME.lnk.disabled [2007-08-21 21:21:26 661]
Microsoft Office.lnk.disabled [2007-02-22 16:35:19 1580]
WinZip Quick Pick.lnk.disabled [2007-01-19 13:30:26 1524]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"= ctwdm32.dll
"msvideo"= o100vc.dll
"VIDC.I420"= i263_32.drv
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Nero DriveSpeed"=C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
"NeroCheck"=C:\Windows\system32\NeroCheck.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"z:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"135:TCP"= 135:TCP:TCP 135
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
R2 SVKP;SVKP;C:\Windows\system32\SVKP.sys [2006-11-20 00:32]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;C:\Windows\system32\drivers\HCWBT8XX.sys [2006-01-25 18:14]
S3 scsiscan;SCSI Scanner Driver;C:\Windows\system32\DRIVERS\scsiscan.sys [2008-04-14 00:15]
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-20 06:00:00 C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-06-22 21:20:00 C:\Windows\Tasks\User_Feed_Synchronization-{5678D393-1137-432C-86AC-EBF0BB7EA42C}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 16:19:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-22 16:22:35
ComboFix-quarantined-files.txt 2008-06-22 21:22:21
ComboFix2.txt 2008-06-22 14:38:48
Pre-Run: 21,600,690,176 bytes free
Post-Run: 21,768,749,056 bytes free
296 --- E O F --- 2008-06-22 19:48:05
paulaerison
2008-06-23, 00:34
Hi
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes
Started now as of the time of this post...
paulaerison
2008-06-23, 03:38
I have over 500k files to scan... Although, I noticed in the BD scan that there are some new directories that I don't recognize, and most of the ones the BD identified were there... hopefully Kaspersky finds the same stuff...
Hi
Yes, Kaspersky scan usually takes quite long. Let's see the log when ready :)
paulaerison
2008-06-24, 04:52
computer locked up and blue screened... restarting.
Maybe I should have just done format c: ? :red:
I wouldn't give up at this stage of process. We've done well so far :bigthumb:
paulaerison
2008-06-24, 16:01
:funny:It had a picture of a cat with its paws over a clothes line, and a caption that read "Hang in there kitty".
It was copyright 1976. I'm pretty sure the cat is dead by now ;)
Anyway, let me know what you want to do with this case :)
paulaerison
2008-06-24, 20:50
@ 40% as of this posting... :cool:
paulaerison
2008-06-25, 03:33
OK! Now I'm mad, I'm turning off everything that Windows will let me turn off and trying this one more time before I format C:
paulaerison
2008-06-25, 03:36
and flush the cache? (knowing that if the registry crashes again, I have no backup)
:oops: BitDefender was still running... heh... ok, that's off now. Could explain why it was taking so long, and maybe why it crashed... :red:
paulaerison
2008-06-26, 04:16
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-06-25 16:13
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/06/2008
Kaspersky Anti-Virus database records: 881045
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
H:\
Z:\
Scan Statistics:
Total number of scanned objects: 369411
Number of viruses found: 28
Number of infected objects: 138
Number of suspicious objects: 76
Duration of the scan process: 20:14:21
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Documents\PAULD99\spoofmail.src.txt/[From aw-confirm@ebay.com][Date Thu, 27 May 2004 23:31:39 -0600]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\All Users\Documents\PAULD99\spoofmail.src.txt Mail: suspicious - 1 skipped
C:\Documents and Settings\All Users\Documents\PAULD99\_Urgent Fraud Prevention Group Notice_.eml/[From aw-confirm@ebay.com][Date Thu, 27 May 2004 23:31:39 -0600]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\All Users\Documents\PAULD99\_Urgent Fraud Prevention Group Notice_.eml Mail: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\pauld99\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\pauld99\Favorites\Compaq Recommended Sites\AltaVista Live.URL Object is locked skipped
C:\Documents and Settings\pauld99\Favorites\Compaq Recommended Sites\AltaVista Search.URL Object is locked skipped
C:\Documents and Settings\pauld99\Favorites\Compaq Recommended Sites\AltaVista.URL Object is locked skipped
C:\Documents and Settings\pauld99\Favorites\Compaq Recommended Sites\Business Community.URL Object is locked skipped
C:\Documents and Settings\pauld99\Favorites\Compaq Recommended Sites\Compaq.URL Object is locked skipped
C:\Documents and Settings\pauld99\Favorites\Compaq Recommended Sites\eCommerce.URL Object is locked skipped
C:\Documents and Settings\pauld99\Local Settings\Application Data\Identities\{EED02091-47AD-4EDD-A0AA-0B2D9D1B9B0F}\Microsoft\Outlook Express\andtatt71@hotmail.com - Deleted Items.dbx/[From increase-si'ze <Brokenheart40@yahoo.com.mx>][Date Tue, 28 Mar 2006 17:15:15 -0800 (EST)]/Brokenheart40_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\pauld99\Local Settings\Application Data\Identities\{EED02091-47AD-4EDD-A0AA-0B2D9D1B9B0F}\Microsoft\Outlook Express\andtatt71@hotmail.com - Deleted Items.dbx MailMSOutlook5: infected - 1 skipped
C:\Documents and Settings\pauld99\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\pauld99\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\pauld99\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\pauld99\Local Settings\History\History.IE5\MSHist012008062420080625\index.dat Object is locked skipped
C:\Documents and Settings\pauld99\Local Settings\Temp\hsperfdata_pauld99\3052 Object is locked skipped
C:\Documents and Settings\pauld99\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\pauld99\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\pauld99\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\pauld99\ntuser.dat.LOG Object is locked skipped
C:\ipsec.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP461\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Z:\BACKUPS\BABS\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Inbox/eBay/Disputes/01 Jun 2004 14:53 from eBay Customer Support:RE: SP91011 - Your .eml/[From "paul aerison" <paulaerison@hotmail.com>][Date tue, 1 jun 2004 08:39:11 -0600]/spoofmail.src.txt/[From aw-confirm@ebay.com][Date thu, 27 may 2004 23:31:39 -0600]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
Z:\BACKUPS\BABS\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Inbox/eBay/Disputes/01 Jun 2004 14:53 from eBay Customer Support:RE: SP91011 - Your .eml/[From "paul aerison" <paulaerison@hotmail.com>][Date tue, 1 jun 2004 08:39:11 -0600]/spoofmail.src.txt Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
Z:\BACKUPS\BABS\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Inbox/eBay/Disputes/01 Jun 2004 14:53 from eBay Customer Support:RE: SP91011 - Your .eml/[From "paul aerison" <paulaerison@hotmail.com>][Date tue, 1 jun 2004 08:39:11 -0600]/_urgent/[From from 8bit to quoted-printable by][Date thu, 27 may 2004 23:31:39 -0600]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
Z:\BACKUPS\BABS\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Inbox/eBay/Disputes/01 Jun 2004 14:53 from eBay Customer Support:RE: SP91011 - Your .eml/[From "paul aerison" <paulaerison@hotmail.com>][Date tue, 1 jun 2004 08:39:11 -0600]/_urgent Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
Z:\BACKUPS\BABS\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Inbox/eBay/Disputes/01 Jun 2004 14:53 from eBay Customer Support:RE: SP91011 - Your .eml Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
Z:\BACKUPS\BABS\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Inbox/STUFF/24 Mar 2004 02:14 to paulaerison@hotmail.com:Returned mail: see /24 Mar 2004 02:17 from paulaerison@hotmail.com:Mail Delivery (fa.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
Z:\BACKUPS\BABS\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Inbox/STUFF/24 Mar 2004 02:14 to paulaerison@hotmail.com:Returned mail: see /24 Mar 2004 02:17 from paulaerison@hotmail.com:Mail Delivery (fa/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
Z:\BACKUPS\BABS\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Inbox/STUFF/24 Mar 2004 02:14 to paulaerison@hotmail.com:Returned mail: see /24 Mar 2004 02:17 from paulaerison@hotmail.com:Mail Delivery (fa.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
Z:\BACKUPS\BABS\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Inbox/STUFF/24 Mar 2004 02:14 to paulaerison@hotmail.com:Returned mail: see /24 Mar 2004 02:17 from paulaerison@hotmail.com:Mail Delivery (fa/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
Z:\BACKUPS\BABS\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Sent Items/20 Jul 2006 19:53 from Paul Aerison:Fw: *Urgent Fraud Prevention/spoofmail.src.txt/[From aw-confirm@ebay.com][Date Thu, 27 May 2004 23:31:39 -0600]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
Z:\BACKUPS\BABS\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Sent Items/20 Jul 2006 19:53 from Paul Aerison:Fw: *Urgent Fraud Prevention/spoofmail.src.txt Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
Z:\BACKUPS\YACKO\Program Files\Deerfield.com\DNS2Go\vncsetup.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
Z:\BACKUPS\YACKO\Program Files\Deerfield.com\DNS2Go\vncsetup.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
Z:\BACKUPS\YACKO\Program Files\Deerfield.com\DNS2Go\vncsetup.exe Inno: infected - 2 skipped
Z:\BACKUPS\YACKO\Program Files\orl\vnc\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
Z:\DOWNLOADS\_INCOMING\[GAME][E-TOOLS]\Wizards of the Coast.ace/Wizards of the Coast\eTools\eTools.exe Infected: Virus.Win32.Parite.b skipped
Z:\DOWNLOADS\_INCOMING\[GAME][E-TOOLS]\Wizards of the Coast.ace ACE: infected - 1 skipped
Z:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Z:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP462\change.log Object is locked skipped
Scan process completed.
paulaerison
2008-06-26, 04:19
Looks like I have a lot of stuff left over from the last software company I worked for in 2001 before they went bankrupt... Seemed like it was a good idea at the time :oops:
paulaerison
2008-06-26, 04:21
Deckard's System Scanner v20071014.68
Run by pauld99 on 2008-06-25 20:14:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Total Physical Memory: 384 MiB (512 MiB recommended).
-- HijackThis (run as pauld99.exe) ---------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:14, on 2008-06-25
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\nvsvc32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\explorer.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Windows\system32\devldr32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\NOTEPAD.EXE
C:\WINDOWS\system32\mstsc.exe
Z:\DOWNLOADS\Copy of dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\pauld99.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Z:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - Z:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Z:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Jet Detection] "c:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose /waitstart /waitmore
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\Windows\system32\mstask.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: SDK Tray Menu.lnk.disabled
O4 - Startup: Trillian.lnk.disabled
O4 - Global Startup: Acrobat Assistant.lnk = Z:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
O4 - Global Startup: AutoStart IR.lnk.disabled
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099059536327
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?e=1214150411677&h=c53f1ca5321f2112c501196d35186f43/&filename=jinstall-6u6-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47ECF58E-EE56-4535-A375-5BCBADE6F9B1}: NameServer = 192.168.64.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
--
End of file - 6881 bytes
-- Files created between 2008-05-25 and 2008-06-25 -----------------------------
2008-06-25 09:30:12 0 d------c- C:\temp
2008-06-25 07:17:44 0 d------c- C:\Windows\Symbols
2008-06-24 23:52:06 0 d------c- C:\Program Files\Debugging Tools for Windows (x86)
2008-06-24 09:51:36 0 d------c- C:\Windows\system32\Adobe
2008-06-22 15:16:40 0 d------c- C:\Program Files\Common Files\Nikon
2008-06-22 15:16:39 0 d------c- C:\Program Files\Pro Imaging Powertoys
2008-06-22 15:02:13 0 d------c- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-22 15:02:11 0 d------c- C:\Windows\system32\Kaspersky Lab
2008-06-22 15:01:46 0 d------c- C:\Windows\LastGood
2008-06-22 14:09:53 266360 --a----c- C:\Windows\system32\TweakUI.exe <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Shell PowerToys>
2008-06-22 12:55:18 0 dr-h---c- C:\Documents and Settings\sqlservr\SendTo
2008-06-22 12:55:18 0 dr-h---c- C:\Documents and Settings\sqlservr\Recent
2008-06-22 12:55:18 0 d--h---c- C:\Documents and Settings\sqlservr\PrintHood
2008-06-22 12:55:18 0 d--h---c- C:\Documents and Settings\sqlservr\NetHood
2008-06-22 12:55:18 0 dr-----c- C:\Documents and Settings\sqlservr\My Documents
2008-06-22 12:55:18 0 d--h---c- C:\Documents and Settings\sqlservr\Local Settings
2008-06-22 12:55:18 0 dr-----c- C:\Documents and Settings\sqlservr\Favorites
2008-06-22 12:55:18 0 d------c- C:\Documents and Settings\sqlservr\Desktop
2008-06-22 12:55:18 0 d---s--c- C:\Documents and Settings\sqlservr\Cookies
2008-06-22 12:55:18 0 dr-h---c- C:\Documents and Settings\sqlservr\Application Data
2008-06-22 12:55:18 0 d---s--c- C:\Documents and Settings\sqlservr\Application Data\Microsoft
2008-06-22 12:55:18 0 d------c- C:\Documents and Settings\sqlservr\Application Data\Identities
2008-06-22 12:55:17 0 d--h---c- C:\Documents and Settings\sqlservr\Templates
2008-06-22 12:55:17 0 dr-----c- C:\Documents and Settings\sqlservr\Start Menu
2008-06-22 12:55:17 524288 --ah----- C:\Documents and Settings\sqlservr\NTUSER.DAT
2008-06-22 12:55:05 0 d--h---c- C:\Documents and Settings\sqlwriter\Templates
2008-06-22 12:55:05 0 dr-----c- C:\Documents and Settings\sqlwriter\Start Menu
2008-06-22 12:55:05 0 dr-h---c- C:\Documents and Settings\sqlwriter\SendTo
2008-06-22 12:55:05 0 dr-h---c- C:\Documents and Settings\sqlwriter\Recent
2008-06-22 12:55:05 0 d--h---c- C:\Documents and Settings\sqlwriter\PrintHood
2008-06-22 12:55:05 524288 --ah----- C:\Documents and Settings\sqlwriter\NTUSER.DAT
2008-06-22 12:55:05 0 d--h---c- C:\Documents and Settings\sqlwriter\NetHood
2008-06-22 12:55:05 0 dr-----c- C:\Documents and Settings\sqlwriter\My Documents
2008-06-22 12:55:05 0 d--h---c- C:\Documents and Settings\sqlwriter\Local Settings
2008-06-22 12:55:05 0 dr-----c- C:\Documents and Settings\sqlwriter\Favorites
2008-06-22 12:55:05 0 d------c- C:\Documents and Settings\sqlwriter\Desktop
2008-06-22 12:55:05 0 d---s--c- C:\Documents and Settings\sqlwriter\Cookies
2008-06-22 12:55:05 0 dr-h---c- C:\Documents and Settings\sqlwriter\Application Data
2008-06-22 12:55:05 0 d---s--c- C:\Documents and Settings\sqlwriter\Application Data\Microsoft
2008-06-22 12:55:05 0 d------c- C:\Documents and Settings\sqlwriter\Application Data\Identities
2008-06-22 12:54:58 0 d---s--c- C:\Documents and Settings\sqlbrowser\Cookies
2008-06-22 12:54:58 0 dr-h---c- C:\Documents and Settings\sqlbrowser\Application Data
2008-06-22 12:54:58 0 d---s--c- C:\Documents and Settings\sqlbrowser\Application Data\Microsoft
2008-06-22 12:54:58 0 d------c- C:\Documents and Settings\sqlbrowser\Application Data\Identities
2008-06-22 12:54:57 0 d--h---c- C:\Documents and Settings\sqlbrowser\Templates
2008-06-22 12:54:57 0 dr-----c- C:\Documents and Settings\sqlbrowser\Start Menu
2008-06-22 12:54:57 0 dr-h---c- C:\Documents and Settings\sqlbrowser\SendTo
2008-06-22 12:54:57 0 dr-h---c- C:\Documents and Settings\sqlbrowser\Recent
2008-06-22 12:54:57 0 d--h---c- C:\Documents and Settings\sqlbrowser\PrintHood
2008-06-22 12:54:57 524288 --ah----- C:\Documents and Settings\sqlbrowser\NTUSER.DAT
2008-06-22 12:54:57 0 d--h---c- C:\Documents and Settings\sqlbrowser\NetHood
2008-06-22 12:54:57 0 dr-----c- C:\Documents and Settings\sqlbrowser\My Documents
2008-06-22 12:54:57 0 d--h---c- C:\Documents and Settings\sqlbrowser\Local Settings
2008-06-22 12:54:57 0 dr-----c- C:\Documents and Settings\sqlbrowser\Favorites
2008-06-22 12:54:57 0 d------c- C:\Documents and Settings\sqlbrowser\Desktop
2008-06-22 11:42:11 0 d------c- C:\Documents and Settings\pauld99\SecurityScans
2008-06-22 11:00:00 0 d------c- C:\Program Files\Java
2008-06-22 10:59:31 0 d------c- C:\Program Files\Common Files\Java
2008-06-22 08:12:00 68096 --a----c- C:\Windows\zip.exe
2008-06-22 08:12:00 49152 --a----c- C:\Windows\VFind.exe
2008-06-22 08:12:00 212480 --a----c- C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-22 08:12:00 136704 --a----c- C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-22 08:12:00 161792 --a----c- C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-22 08:12:00 98816 --a----c- C:\Windows\sed.exe
2008-06-22 08:12:00 80412 --a----c- C:\Windows\grep.exe
2008-06-22 08:12:00 89504 --a----c- C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-21 20:14:46 98 --a----c- C:\Windows\detected.cmd
2008-06-21 19:37:52 94 --a----c- C:\Windows\bdlog.cmd
2008-06-19 15:28:09 0 d------c- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-19 15:28:08 0 d--h---c- C:\Documents and Settings\Administrator\Templates
2008-06-19 15:28:08 0 dr-----c- C:\Documents and Settings\Administrator\Start Menu
2008-06-19 15:28:08 0 dr-h---c- C:\Documents and Settings\Administrator\SendTo
2008-06-19 15:28:08 0 dr-h---c- C:\Documents and Settings\Administrator\Recent
2008-06-19 15:28:08 0 d--h---c- C:\Documents and Settings\Administrator\PrintHood
2008-06-19 15:28:08 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-19 15:28:08 0 d--h---c- C:\Documents and Settings\Administrator\NetHood
2008-06-19 15:28:08 0 dr-----c- C:\Documents and Settings\Administrator\My Documents
2008-06-19 15:28:08 0 d--h---c- C:\Documents and Settings\Administrator\Local Settings
2008-06-19 15:28:08 0 dr-----c- C:\Documents and Settings\Administrator\Favorites
2008-06-19 15:28:08 0 d------c- C:\Documents and Settings\Administrator\Desktop
2008-06-19 15:28:08 0 d--hs--c- C:\Documents and Settings\Administrator\Cookies
2008-06-19 15:28:08 0 dr-h---c- C:\Documents and Settings\Administrator\Application Data
2008-06-19 15:28:08 0 d---s--c- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-19 15:09:28 39424 --a----c- C:\Windows\zipinst.exe <Not Verified; NirSoft; ZipInstaller>
2008-06-19 14:14:03 0 d--h---c- C:\Windows\$hf_mig$
2008-06-19 13:45:00 0 d------c- C:\Windows\Prefetch
2008-06-19 13:39:02 0 d------c- C:\Windows\l2schemas
2008-06-19 11:23:41 0 d------c- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-06-19 09:14:46 0 d------c- C:\Program Files\msn gaming zone
2008-06-18 22:58:28 0 d------c- C:\Windows\tmp
2008-06-18 15:47:36 0 d--hs--c- C:\Documents and Settings\ntadmin\Cookies
2008-06-18 15:47:15 0 dr-----c- C:\Documents and Settings\ntadmin\Favorites
2008-06-18 15:47:14 0 d------c- C:\Documents and Settings\ntadmin\Start Menu
2008-06-18 15:47:14 0 dr-h---c- C:\Documents and Settings\ntadmin\Recent
2008-06-18 15:47:14 0 d------c- C:\Documents and Settings\ntadmin\Desktop
2008-06-18 15:46:05 0 d--h---c- C:\Documents and Settings\ntadmin\Local Settings
2008-06-18 15:46:05 0 d------c- C:\Documents and Settings\ntadmin\Application Data
2008-06-18 15:46:05 0 d------c- C:\Documents and Settings\ntadmin\Application Data\Microsoft
2008-06-18 15:13:20 0 d------c- C:\Documents and Settings\aaerison\Application Data\Bitdefender
2008-06-18 13:41:33 0 d------c- C:\Documents and Settings\pauld99\Application Data\Bitdefender
2008-06-18 12:27:36 81984 --a----c- C:\Windows\system32\bdod.bin
2008-06-18 12:22:07 0 d------c- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-06-18 10:23:01 0 d------c- C:\Program Files\Trend Micro
2008-06-18 07:58:28 0 d------c- C:\Program Files\RegScanner
2008-06-17 21:42:31 0 d--h---c- C:\Program Files\WindowsUpdate
2008-06-17 13:36:19 118 --a----c- C:\Windows\taplog.cmd
2008-06-16 11:02:18 2359296 --ah----- C:\Documents and Settings\ntadmin\NTUSER.DAT
2008-06-15 12:35:55 0 d------c- C:\Documents and Settings\aaerison\Application Data\Macromedia
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\SendTo
2008-06-15 12:21:10 0 dr-h---c- C:\Documents and Settings\aaerison\Recent
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\PrintHood
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\NetHood
2008-06-15 12:21:10 0 dr-----c- C:\Documents and Settings\aaerison\My Documents
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\Local Settings
2008-06-15 12:21:10 0 dr-----c- C:\Documents and Settings\aaerison\Favorites
2008-06-15 12:21:10 0 d------c- C:\Documents and Settings\aaerison\Desktop
2008-06-15 12:21:10 0 d--hs--c- C:\Documents and Settings\aaerison\Cookies
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\Application Data
2008-06-15 12:21:10 0 d---s--c- C:\Documents and Settings\aaerison\Application Data\Microsoft
2008-06-15 12:21:10 0 d------c- C:\Documents and Settings\aaerison\Application Data\Identities
2008-06-15 12:21:09 0 d--h---c- C:\Documents and Settings\aaerison\Templates
2008-06-15 12:21:09 0 d------c- C:\Documents and Settings\aaerison\Start Menu
2008-06-15 12:21:09 2359296 --ah----- C:\Documents and Settings\aaerison\NTUSER.DAT
2008-06-13 08:08:37 0 d------c- C:\Windows\system32\scripting
2008-06-13 08:08:26 0 d------c- C:\Windows\system32\en
2008-06-13 07:46:02 99 --a----c- C:\Windows\rdc.cmd
2008-05-30 09:25:29 0 d------c- C:\Documents and Settings\LocalService\Desktop
2008-05-29 12:51:18 126 --a----c- C:\Windows\regtask.cmd
-- Find3M Report ---------------------------------------------------------------
2008-06-24 10:00:33 0 d------c- C:\Documents and Settings\pauld99\Application Data\Adobe
2008-06-22 15:16:40 0 d------c- C:\Program Files\Common Files
2008-06-22 11:40:10 0 d------c- C:\Program Files\Common Files\Network Associates
2008-06-21 20:11:57 0 d------c- C:\Documents and Settings\pauld99\Application Data\AdobeUM
2008-06-21 19:53:09 0 d------c- C:\Program Files\Dell AIO Printer A920
2008-06-20 09:58:03 95 --a----c- C:\Windows\system32\productregistry
2008-06-19 15:29:28 0 d------c- C:\Program Files\Google
2008-06-18 14:45:26 0 d------c- C:\Documents and Settings\pauld99\Application Data\Identities
2008-06-17 22:02:27 0 d------c- C:\Program Files\Microsoft Silverlight
2008-06-13 09:41:11 0 d------c- C:\Documents and Settings\pauld99\Application Data\DNA
2008-06-13 08:09:43 0 d------c- C:\Program Files\Messenger
2008-06-13 08:08:23 0 d------c- C:\Program Files\Movie Maker
2008-06-13 08:01:48 0 d------c- C:\Program Files\Windows NT
2008-05-23 06:52:01 0 d------c- C:\Documents and Settings\pauld99\Application Data\BitTorrent
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-08-11 22:43 C:\WINDOWS\system32\nwiz.exe]
"Jet Detection"="c:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 02:00]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 13:25]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 13:01]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" []
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-08-11 22:43]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-08-11 22:43]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-04-02 16:48]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 23:32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\Windows\system32\mstask.exe
C:\Documents and Settings\pauld99\Start Menu\Programs\Startup\
SDK Tray Menu.lnk.disabled [2007-03-01 18:50:43]
Trillian.lnk.disabled [2006-11-05 17:25:06]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - Z:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 03:19:50]
Acrobat Assistant.lnk.disabled [2007-02-02 12:53:10]
Adobe Gamma Loader.exe.lnk.disabled [2006-10-10 01:12:01]
AutoStart IR.lnk.disabled [2006-11-29 16:15:20]
HOTSYNCSHORTCUTNAME.lnk.disabled [2007-08-21 21:21:26]
Microsoft Office.lnk.disabled [2007-02-22 16:35:19]
WinZip Quick Pick.lnk.disabled [2007-01-19 13:30:26]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=1 (0x1)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"=0 (0x0)
"NoWebServices"=0 (0x0)
"NoOnlinePrintsWizard"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\Windows\System32\dimsntfy.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Nero DriveSpeed"=C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
"NeroCheck"=C:\Windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc
*Newly Created Service* - CATCHME
-- End of Deckard's System Scanner: finished at 2008-06-25 20:19:04 ------------
paulaerison
2008-06-26, 04:22
this time? What about all the other things it scans?
paulaerison
2008-06-26, 04:27
0 = TRUE in Microsoft's world... That's a bad thing I think? I don't remember turning that on, or off for that matter...
if there is a script that runs at logon, I'll never see it... this computer is not part of a domain... never has been, and now that I'm changing careers, probably never will be (it will hopefully be replaced before year end)... Should I be concerned?
Hi
First of all, to make it easier for me to follow please don't post multiple times before I've reacted to your current post. Makes it easier for me to follow ;)
Delete those email messages (thru Outlook) found by Kaspersky.
If key in this file isn't legal then the file must go:
Z:\BACKUPS\emallpos\-_downloads\ServerSoftware\radmin21 + key.zip
Delete following folders:
Z:\BACKUPS\ncrs\ncrs.MrWarner_Backup.Documents And Settings.ace/Documents and Settings\ADMINISTRATOR.NCRSCOMPLETE\Local Settings\Temporary Internet Files\Content.IE5\KTATWL67
Z:\BACKUPS\ncrs\ncrs.MrWarner_Backup.Documents And Settings.ace/Documents and Settings\ADMINISTRATOR.NCRSCOMPLETE\Local Settings\Temporary Internet Files\Content.IE5\4G2UJTNP
Z:\BACKUPS\ncrs\ncrs.MrWarner_Backup.Documents And Settings.ace/Documents and Settings\ADMINISTRATOR.NCRSCOMPLETE\Local Settings\Temporary Internet Files\Content.IE5\4XMZW9U3
You seem to have different remote use related tools like remoteadmin there. If you don't use them remove related items flagged by Kaspersky. Kaspersky detects all these kinds of programs since it doesn't know whether they're used for bad or good. If those are installed by you then it's ok to have them.
paulaerison
2008-06-27, 05:55
First of all, to make it easier for me to follow please don't post multiple times before I've reacted to your current post. Makes it easier for me to follow ;)
Sorry, wanted you to know that I realized there was a problem/solution.
Delete those email messages (thru Outlook) found by Kaspersky.
Might be easier (and safer) to simply remove the entire .pst file? (Considering that the messages are 2004 and older, I can't see how there could be much useful info in them.)
If key in this file isn't legal then the file must go:
Z:\BACKUPS\emallpos\-_downloads\ServerSoftware\radmin21 + key.zip
Even if it was legal, I'm not the one that purchased it; it would have been the company I was working for... so away it goes.
Delete following folders:
Z:\BACKUPS\ncrs\ncrs.MrWarner_Backup.Documents And Settings.ace/Documents and Settings\ADMINISTRATOR.NCRSCOMPLETE\Local Settings\Temporary Internet Files\Content.IE5\KTATWL67
Z:\BACKUPS\ncrs\ncrs.MrWarner_Backup.Documents And Settings.ace/Documents and Settings\ADMINISTRATOR.NCRSCOMPLETE\Local Settings\Temporary Internet Files\Content.IE5\4G2UJTNP
Z:\BACKUPS\ncrs\ncrs.MrWarner_Backup.Documents And Settings.ace/Documents and Settings\ADMINISTRATOR.NCRSCOMPLETE\Local Settings\Temporary Internet Files\Content.IE5\4XMZW9U3
Easier said than done, they are inside a WinAce archive.
You seem to have different remote use related tools like remoteadmin there. If you don't use them remove related items flagged by Kaspersky. Kaspersky detects all these kinds of programs since it doesn't know whether they're used for bad or good. If those are installed by you then it's ok to have them.
Again, backups... I'll get rid of most, if not all of them.
Hi
Might be easier (and safer) to simply remove the entire .pst file? (Considering that the messages are 2004 and older, I can't see how there could be much useful info in them.)
Sure, if not needed anymore :)
Easier said than done, they are inside a WinAce archive.
I think you can leave those then. Another solution would be to extract the archive, remove the bad items and then re-archive.
Let's see fresh hjt log of the system when you're done with Kaspersky findings :)
paulaerison
2008-07-02, 22:36
Having problems finding time with kids and school (started last week)... I will get to it by Sunday, I promise.
Ok. I'll wait for your reply :)
Hi
Do you still need help with this?
Due to inactivity, this thread will now be closed.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.