starting from beginning. MDELK, Bagle and more
mhamilton
2008-08-17, 04:33
Hi
Running WinXP SP3. SP3 installed before virus took hold.
A malware loader is running (seems to be launched somehow when I start iexplorer)
Running Counter Spy which is keeping Bagle.hk.12 and mdelk.exe blocked
Cannot enter Safe Mode (machine reboots when I try)
Cannot run Spybot.
When running GMER scan the machine hits some point and crashes
(I think it is \8th\modem)
Have run Prevx, Malwarebytes, and CounterSpy scans. They find and delete things like srosa.sys, hldrrr.exe, mdelk.exe and lots of numbered .exe. files.
Along the way I have also removed flec006.exe and winterms.exe - but these don't seem to be coming back as long as counter spy is running.
But something is still resident and keeps trying to launch Bagle.hk.12 (hldrrr.exe) and mdelk.exe.
What should I do to restore ability to get to Safe Mode?
Thanks in advance
Mike
HijackThis Log
----------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:19 PM, on 8/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\D-Link Media Server\MediaGUI.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKLM\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SBRegRebootCleaner] C:\Program Files\Sunbelt Software\CounterSpy\SBRC.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: D-Link Media Server.lnk = C:\Program Files\D-Link Media Server\MediaGUI.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217908534546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217908520187
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.30.180.135/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: wcnotify - C:\WINDOWS\SYSTEM32\wcnotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 11466 bytes
----------------------------------
HijackThis startup log
----------------------------------------
StartupList report, 8/16/2008, 3:57:40 PM
StartupList version: 1.52.2
Started from : C:\Temp\HiJackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\D-Link Media Server\MediaGUI.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\HiJackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Mike\Start Menu\Programs\Startup]
Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
D-Link Media Server.lnk = C:\Program Files\D-Link Media Server\MediaGUI.exe
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Acrobat Speed Launcher.lnk = ?
HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
Acrobat Assistant 7.0 = "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
LVCOMSX = C:\WINDOWS\system32\LVCOMSX.EXE
LogitechVideoRepair = C:\Program Files\Logitech\Video\ISStart.exe
LogitechVideoTray = C:\Program Files\Logitech\Video\LogiTray.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
Ulead Quick-Drop = C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
USIUDF_Eject_Monitor = C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
updateMgr = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
RegClean = "C:\Program Files\RegClean\RegClean.exe" -boot
QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
AppleSyncNotifier = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
(Default) =
SBCSTray = C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
SBRegRebootCleaner = C:\Program Files\Sunbelt Software\CounterSpy\SBRC.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\scrnsave.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll - {22BF413B-C6D2-4d91-82A9-A0F997BA588C}
(no name) - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
--------------------------------------------------
Enumerating Task Scheduler jobs:
AppleSoftwareUpdate.job
RegClean Scheduled Scan.job
RegCure Program Check.job
RegCure.job
User_Feed_Synchronization-{C34135C4-C5CE-440A-B981-1BFF8E5F71A9}.job
--------------------------------------------------
Enumerating Download Program Files:
[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab
[Trend Micro ActiveX Scan Agent 6.6]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217908534546
[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217908520187
[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
[CamImage Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx
CODEBASE = http://12.30.180.135/activex/AxisCamControl.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
[JuniperSetupSP1 Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\JUNIPE~1.OCX
CODEBASE = https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll
NameSpace #5: C:\WINDOWS\system32\wshbth.dll
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\system32\wintems.exe||C:\WINDOWS\system32\drivers\mdelk.exe||C:\DOCUME~1\Mike\LOCALS~1\Temp\_iu14D2N.tmp||C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
--------------------------------------------------
End of report, 10,114 bytes
Report generated in 0.078 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
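The two reports above are plain text with a fixed line shape, so a first triage pass can be scripted rather than read line by line. The block below is an added example, not code from the thread or from HijackThis: it parses HijackThis-style entries, flags the O20 Winlogon Notify entry (a DLL loaded at every logon, a well-known persistence location) and the orphaned "(no file)" protocol entry, and splits the PendingFileRenameOperations line from the StartupList report to show which of the file names the scanners reported are already queued for removal at the next boot. The sample lines are copied from the reports above; the watchlist, the reason codes and the function names are my own choices for the example. A section hit means "look closer", not a verdict on the file.

```python
import re

# Constructed sample input: lines copied from the HijackThis and StartupList
# reports posted above. Nothing here is a verdict on any particular file.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: wcnotify - C:\WINDOWS\SYSTEM32\wcnotify.dll
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
"""

SAMPLE_PENDING = (
    r"PendingFileRenameOperations: C:\WINDOWS\system32\wintems.exe||"
    r"C:\WINDOWS\system32\drivers\mdelk.exe||"
    r"C:\DOCUME~1\Mike\LOCALS~1\Temp\_iu14D2N.tmp||"
    r"C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
)

# File names the poster's scanners reported (my watchlist for this example);
# matched case-insensitively against each entry.
WATCHLIST = {"hldrrr.exe", "mdelk.exe", "wintems.exe", "srosa.sys"}

# HijackThis entries look like "O20 - Winlogon Notify: <name> - <path>".
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return [{'section': 'O20', 'body': '...'}, ...] for every HijackThis entry."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append({"section": m.group("sec"), "body": m.group("body")})
    return entries


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.strip().rsplit("\\", 1)[-1].lower()


def triage(entries, watchlist=WATCHLIST):
    """Return (section, reason, body) for entries that deserve a second look.

    Reason codes (chosen for this example):
      watchlist        - the entry names a file a scanner already flagged
      winlogon-notify  - O20 entries load a DLL into winlogon at every logon,
                         a classic persistence spot; confirm the file's origin
      no-file          - the registry points at a file that no longer exists
    """
    findings = []
    for e in entries:
        body = e["body"].lower()
        if any(name in body for name in watchlist):
            findings.append((e["section"], "watchlist", e["body"]))
        if e["section"] == "O20":
            findings.append((e["section"], "winlogon-notify", e["body"]))
        if "(no file)" in body:
            findings.append((e["section"], "no-file", e["body"]))
    return findings


def pending_renames(line):
    """Split the PendingFileRenameOperations value as StartupList prints it.

    Windows processes this list at the next boot, so it shows what a cleanup
    tool has queued for rename or deletion; the report joins entries with '||'.
    """
    prefix = "PendingFileRenameOperations:"
    if not line.startswith(prefix):
        return []
    return [p.strip() for p in line[len(prefix):].split("||") if p.strip()]


def queued_watchlist_files(line, watchlist=WATCHLIST):
    """Watchlist files already queued for removal at reboot."""
    return [p for p in pending_renames(line) if basename(p) in watchlist]


if __name__ == "__main__":
    for sec, reason, body in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{sec:<4} {reason:<16} {body}")
    for path in queued_watchlist_files(SAMPLE_PENDING):
        print("queued for removal at reboot:", path)
```

Run against the full log, the same functions give a short list to verify by hand (file origin, digital signature, creation time) instead of two hundred lines to eyeball; the watchlist match also tells you whether a name a scanner keeps blocking still has a live autostart entry or is only sitting in the reboot-deletion queue.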
mhamilton
2008-08-17, 05:18
I ran beagled.exe
I guess it found nothing. The log file is empty except timestamp.
Still each time I execute iexplorer I get a long pause (before it will load the google toolbar) and then Counter Spy says TrojanDownloader.Bagle.hk.12(hldrrr.exe) is trying to execute.
After 2 warning messages, then the google toolbar will load and I get near-normal operation for awhile. Periodically the counterspy message will pop up.
Takes forever to start any download from the web - as if it is being stalled.
mhamilton
2008-08-17, 06:26
Was able to install and run Spybot by turning off the TeaTimer install option.
Here is the log before running fix problems.
I did not try to fix the RegClean issues. I have been using RegClean without problems.
---------------
--- Search result list ---
Hint of the Day: Click the bar at the right of this to see more information! ()
RegClean: [SBI $4BF3377D] Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean_is1
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_04_18_22_17_55.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_04_18_22_17_57.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_04_26_17_32_54.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_05_15_11_12_04.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_05_17_08_58_38.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_05_18_17_53_52.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_06_16_01_14_22.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_06_21_08_08_01.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_07_05_19_04_40.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_08_05_15_38_43.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_08_17_10_20_32.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_08_19_14_01_22.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_09_10_22_26_14.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_09_20_08_43_04.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_09_24_12_05_01.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_09_25_20_27_03.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_10_01_09_11_19.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_10_07_05_29_46.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_10_31_08_15_50.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_11_18_08_21_50.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_11_26_19_01_57.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_12_18_20_08_30.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_12_18_20_28_58.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_12_21_21_37_44.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_12_28_18_25_10.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_01_06_10_57_56.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_01_11_14_01_32.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_01_21_10_02_55.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_01_27_10_01_13.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_02_05_21_43_03.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_02_09_08_41_09.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_02_20_10_00_08.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_02_20_21_58_25.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_02_21_03_30_00.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_03_05_15_10_07.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_03_12_22_04_08.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_03_23_08_04_41.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_03_28_07_56_14.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_03_29_17_44_02.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_03_31_20_24_44.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_04_19_07_56_18.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_04_20_15_03_37.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_04_20_16_59_58.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_04_21_08_02_32.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_04_21_08_32_13.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_04_22_07_50_27.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_04_30_11_54_07.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_05_10_09_04_04.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_05_13_07_27_07.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_05_15_19_25_56.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_05_22_19_05_15.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_06_11_09_18_36.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_06_13_11_24_50.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_06_21_16_16_52.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_06_22_12_56_20.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_06_30_18_31_06.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_07_07_19_22_17.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_07_07_19_49_39.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_07_20_19_31_34.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_07_23_10_00_18.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_07_23_10_05_20.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_04_22_14_03.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_04_22_59_23.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_09_10_55_02.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_09_20_08_51.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_15_08_14_00.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_15_17_27_55.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_15_18_51_15.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_15_21_53_35.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_08_17_14.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_09_00_57.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_12_11_44.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_12_16_26.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_13_22_27.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_13_39_06.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_14_18_15.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_17_00_34.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_17_52_48.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_18_08_43.log
RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_18_35_24.log
RegClean: [SBI $89B7497E] Executable (File, nothing done)
C:\Program Files\RegClean\Launcher.exe
RegClean: [SBI $CB9ED0F9] Web page (File, nothing done)
C:\Program Files\RegClean\RegClean.url
RegClean: [SBI $25F894B1] Data (File, nothing done)
C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
RegClean: [SBI $8F06398F] Data (File, nothing done)
C:\Program Files\RegClean\license.txt
Microsoft.Windows.ActiveDesktop: [SBI $377029D9] User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper
Microsoft.Windows.ActiveDesktop: [SBI $377029D9] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-789336058-1177238915-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper
Microsoft.Windows.ActiveDesktop: [SBI $377029D9] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper
Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-789336058-1177238915-682003330-1003\Software\FirstRRRun
MediaPlex: Tracking cookie (Internet Explorer: Mike) (Cookie, nothing done)
MediaPlex: Tracking cookie (Internet Explorer: Mike) (Cookie, nothing done)
BurstMedia: Tracking cookie (Internet Explorer: Mike) (Cookie, nothing done)
AdRevolver: Tracking cookie (Internet Explorer: Mike) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 TeaTimer.exe (1.6.0.20)
2007-01-26 unins000.exe (51.41.0.0)
2008-08-16 unins001.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-07-07 SDHelper.dll (1.6.0.12)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2008-08-05 Includes\Adware.sbi (*)
2008-08-12 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-08-05 Includes\DialerC.sbi (*)
2008-07-22 Includes\HeavyDuty.sbi (*)
2008-07-30 Includes\Hijackers.sbi (*)
2008-08-12 Includes\HijackersC.sbi (*)
2008-08-05 Includes\Keyloggers.sbi (*)
2008-08-12 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-08-05 Includes\Malware.sbi (*)
2008-08-12 Includes\MalwareC.sbi (*)
2008-08-05 Includes\PUPS.sbi (*)
2008-08-12 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-08-12 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-08-11 Includes\Spyware.sbi (*)
2008-08-11 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-08-05 Includes\Trojans.sbi (*)
2008-08-12 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/928365
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB953838)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Update for Windows XP (KB942763)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Update for Windows XP (KB951072-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB953839)
/ Windows XP OOB / SP10: High Definition Audio Driver Package - KB835221
--- Startup entries list ---
Located: HK_LM:Run,
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:Run, Acrobat Assistant 7.0
command: "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
file: C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
size: 483328
MD5: B985665B63E92D8DF8859EAE21E7B52F
Located: HK_LM:Run, AppleSyncNotifier
command: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
file: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
size: 116040
MD5: 0BBC0204478194E404DF71B7A3E3FC22
Located: HK_LM:Run, BluetoothAuthenticationAgent
command: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
file: C:\WINDOWS\system32\bthprops.cpl
size: 110592
MD5: 80AA4214C5BC0A355151BD115017313F
Located: HK_LM:Run, Cmaudio
command: RunDll32 cmicnfg.cpl,CMICtrlWnd
file: C:\WINDOWS\system\cmicnfg.cpl
size: 4001792
MD5: 49944533CA69A1E998C69B6DA65C00F2
Located: HK_LM:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 289064
MD5: 4CED92963F453EB8DCFE67FD4248D657
Located: HK_LM:Run, LogitechSoftwareUpdate
command: "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
file: C:\Program Files\Logitech\Video\ManifestEngine.exe
size: 196608
MD5: 660B6158BC2BC5D7CB1FF18D148C17AA
Located: HK_LM:Run, LogitechVideoRepair
command: C:\Program Files\Logitech\Video\ISStart.exe
file: C:\Program Files\Logitech\Video\ISStart.exe
size: 458752
MD5: 93C8B9C6FD3D243D4B2C8C03C44B18E9
Located: HK_LM:Run, LogitechVideoTray
command: C:\Program Files\Logitech\Video\LogiTray.exe
file: C:\Program Files\Logitech\Video\LogiTray.exe
size: 217088
MD5: F433926BBEC782B603BA3BE0D4E92B7B
Located: HK_LM:Run, LVCOMSX
command: C:\WINDOWS\system32\LVCOMSX.EXE
file: C:\WINDOWS\system32\LVCOMSX.EXE
size: 221184
MD5: 5BA8A7DA5D0573F7923E02B260AAD2F1
Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3E4C03CEFAD8DE135263236B61A49C90
Located: HK_LM:Run, NvMediaCenter
command: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
file: C:\WINDOWS\system32\NvMcTray.dll
size: 86016
MD5: 1FF171FBAF6E5A29C07B1F8D318B607A
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: F34EB5D4F145ED5FE50033CA3A41ED24
Located: HK_LM:Run, RegClean
command: "C:\Program Files\RegClean\RegClean.exe" -boot
file: C:\Program Files\RegClean\RegClean.exe
size: 10065392
MD5: E17FE7AC4E2FC47FB8E2058D6AA81A00
Located: HK_LM:Run, RemoteControl
command: "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
file: C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
size: 32768
MD5: 915A106A2FB87292CEF0AD4F36ADF313
Located: HK_LM:Run, SBCSTray
command: C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
file: C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
size: 698864
MD5: 6CEC5278A917DCBDE0A7D3B0EBC3DD1E
Located: HK_LM:Run, Skype
command: "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
file: C:\Program Files\Skype\Phone\Skype.exe
size: 23165736
MD5: D1C4805584C7A74DA35452473A1445EA
Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
size: 144784
MD5: 6AB4C021FBD36DC6764924C312428D97
Located: HK_LM:Run, Ulead Quick-Drop
command: C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
file: C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe
size: 102400
MD5: 715C7B67525107E896E21525F374D4BB
Located: HK_LM:Run, updateMgr
command: "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
file: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
size: 313472
MD5: 43F3F6D33C793089A7C32B45DA16094B
Located: HK_LM:Run, USIUDF_Eject_Monitor
command: C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
file: C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
size: 81920
MD5: D9C8A14D9C2168C29A068B2C470E37B4
Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-789336058-1177238915-682003330-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Located: Startup (common), Adobe Acrobat Speed Launcher.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
file: C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
size: 25214
MD5: D6294D59171AC375CD142003566AA89E
Located: Startup (common), HPAiODevice(hp officejet g series) - 1.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
file: C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
size: 151552
MD5: 0C284F768815000381E76898624C2E68
Located: Startup (common), Logitech Harmony Remote V5.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
file: C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
size: 94295
MD5: 67766472D5EEB88250158B2B907A7448
Located: Startup (user), Adobe Gamma.lnk
where: C:\Documents and Settings\Mike\Start Menu\Programs\Startup...
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: C2FF17734176CD15221C10044EF0BA1A
Located: Startup (user), D-Link Media Server.lnk
where: C:\Documents and Settings\Mike\Start Menu\Programs\Startup...
command: C:\Program Files\D-Link Media Server\MediaGUI.exe
file: C:\Program Files\D-Link Media Server\MediaGUI.exe
size: 1523831
MD5: 489A77E81450B92BC6C048A869FC6F1E
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wcnotify
command: wcnotify.dll
file: wcnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 12/14/2004 2:56:50 AM
Date (last access): 8/16/2008 8:03:24 PM
Date (last write): 12/18/2006 5:16:42 AM
Filesize: 59032
Attributes: archive
MD5: 4EA3A6CD9D20584FFAFDB1E47DBF0E20
CRC32: 7B0A854F
Version: 7.0.9.50
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Skype add-on (mastermind)
CLSID name: Skype add-on (mastermind)
Path: C:\Program Files\Skype\Toolbars\Internet Explorer\
Long name: SkypeIEPlugin.dll
Short name: SKYPEI~1.DLL
Date (created): 8/6/2007 12:43:22 PM
Date (last access): 8/16/2008 8:16:44 PM
Date (last write): 8/6/2007 12:43:22 PM
Filesize: 1062184
Attributes: archive
MD5: 6E7F682F1AB484A10DF4A27BFC52C3FF
CRC32: CC900F47
Version: 2.2.0.105
{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\Program Files\Spybot - Search & Destroy\
Long name: SDHelper.dll
Short name:
Date (created): 8/16/2008 7:20:06 PM
Date (last access): 8/16/2008 8:20:40 PM
Date (last write): 7/7/2008 9:41:58 AM
Filesize: 1562448
Attributes: archive
MD5: 32981ADE44D01EC2A9EBC2E311291707
CRC32: C2F522E6
Version: 1.6.0.12
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: ssv.dll
Short name:
Date (created): 7/20/2008 7:59:02 PM
Date (last access): 8/16/2008 6:58:22 PM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 509328
Attributes: archive
MD5: F921D875A1CBD69A6A462BA2514BC831
CRC32: 38AC9EE2
Version: 6.0.70.6
{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 5/20/2008 4:13:20 PM
Date (last access): 8/16/2008 8:16:46 PM
Date (last write): 5/20/2008 4:13:20 PM
Filesize: 2549368
Attributes: readonly archive
MD5: CC489913075050292FCF09A02A449522
CRC32: FAE9D654
Version: 4.0.1602.35650
{AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Conversion Toolbar Helper
description: Adobe Acrobat
classification: Legitimate
known filename: AcroIEFavClient.dll
info link: http://www.adobe.com/products/acrobatpro/main.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\
Long name: AcroIEFavClient.dll
Short name: ACROIE~1.DLL
Date (created): 9/23/2005 10:41:42 PM
Date (last access): 8/16/2008 8:03:24 PM
Date (last write): 12/18/2006 5:18:14 AM
Filesize: 231160
Attributes: archive
MD5: 00AA6DF95E24DE4C616127EE739897F4
CRC32: D6B49BBF
Version: 7.0.9.50
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\
Long name: swg.dll
Short name:
Date (created): 5/1/2008 11:55:42 AM
Date (last access): 8/16/2008 8:16:46 PM
Date (last write): 5/1/2008 11:55:42 AM
Filesize: 734704
Attributes: archive
MD5: F1D0608833F726C8FF84E11A46843CDE
CRC32: 0AF4F0EF
Version: 3.0.1225.9868
--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
Installer: C:\WINDOWS\Downloaded Program Files\QTPlugin.inf
Codebase: http://www.apple.com/qtactivex/qtplugin.cab
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 5/27/2008 10:50:48 AM
Date (last access): 8/16/2008 4:52:26 PM
Date (last write): 5/27/2008 10:50:48 AM
Filesize: 779568
Attributes: archive
MD5: 2895E4DA45C169531EA5DF01E3829B23
CRC32: 95147D29
Version: 7.50.61.0
{215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6)
DPF name:
CLSID name: Trend Micro ActiveX Scan Agent 6.6
Installer: C:\WINDOWS\Downloaded Program Files\hcImpl.inf
Codebase: http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: Housecall_ActiveX.dll
Short name: HOUSEC~1.DLL
Date (created): 5/2/2008 2:22:56 PM
Date (last access): 8/16/2008 4:56:52 PM
Date (last write): 5/2/2008 2:22:56 PM
Filesize: 385536
Attributes: archive
MD5: 4CF2B39A5AB298CFFA2674CB8AD66A63
CRC32: BC7E68C2
Version: 6.51.0.1028
{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217908534546
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 3/11/2005 4:32:24 AM
Date (last access): 8/16/2008 7:32:46 PM
Date (last write): 7/30/2007 7:19:46 PM
Filesize: 203096
Attributes: archive
MD5: FD984F9BFC9C62BD6546BD183CE5ADE7
CRC32: 8092F837
Version: 7.0.6000.381
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf
Codebase: http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217908520187
Path: C:\WINDOWS\system32\
Long name: muweb.dll
Short name:
Date (created): 5/26/2005 4:19:32 AM
Date (last access): 8/16/2008 7:32:44 PM
Date (last write): 7/30/2007 7:18:34 PM
Filesize: 207736
Attributes: archive
MD5: 8038B166CE79E58E193566150CE26465
CRC32: 9137D395
Version: 7.0.6000.381
{7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class)
DPF name:
CLSID name: WScanCtl Class
Installer: C:\WINDOWS\Downloaded Program Files\webscan.inf
Codebase: http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: webscan.dll
Short name:
Date (created): 11/20/2006 1:02:34 PM
Date (last access): 8/16/2008 4:56:52 PM
Date (last write): 11/20/2006 1:02:34 PM
Filesize: 180282
Attributes: archive
MD5: 76EA3ABECE61FBA3C07F61E42BB0CA48
CRC32: AECD0E4D
Version: 1.1.0.1049
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 2:32:34 AM
Date (last access): 8/16/2008 4:43:14 PM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
{917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class)
DPF name:
CLSID name: CamImage Class
Installer: C:\WINDOWS\Downloaded Program Files\AxisCamControl.inf
Codebase: http://12.30.180.135/activex/AxisCamControl.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: AxisCamControl.ocx
Short name: AXISCA~1.OCX
Date (created): 10/29/2004 11:01:34 AM
Date (last access): 8/16/2008 4:56:50 PM
Date (last write): 10/29/2004 11:01:34 AM
Filesize: 204800
Attributes: archive
MD5: 85284D40568AE8D20718C4AE34F673AB
CRC32: 69273103
Version: 2.23.0.0
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_04
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_04\bin\
Long name: NPJPI150_04.dll
Short name: NPJPI1~1.DLL
Date (created): 6/3/2005 3:52:58 AM
Date (last access): 8/16/2008 4:41:34 PM
Date (last write): 6/3/2005 4:09:54 AM
Filesize: 69746
Attributes: archive
MD5: 8548FE98BD687F35AFD0AED9C2A2DEE3
CRC32: 4058FA1B
Version: 5.0.40.5
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 11/10/2005 2:03:56 PM
Date (last access): 8/16/2008 4:41:42 PM
Date (last write): 11/10/2005 2:22:10 PM
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5
{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_08
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_08\bin\
Long name: NPJPI150_08.dll
Short name: NPJPI1~1.DLL
Date (created): 7/26/2006 3:03:18 AM
Date (last access): 8/16/2008 4:41:52 PM
Date (last write): 7/26/2006 3:17:56 AM
Filesize: 69746
Attributes: archive
MD5: C10D603F2BD3B0A2EAC4EC5B743430D3
CRC32: 1EB99B36
Version: 5.0.80.3
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_09
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_09\bin\
Long name: NPJPI150_09.dll
Short name: NPJPI1~1.DLL
Date (created): 10/12/2006 4:10:58 AM
Date (last access): 8/16/2008 4:42:02 PM
Date (last write): 10/12/2006 4:25:44 AM
Filesize: 69746
Attributes: archive
MD5: A3CDEB59B6B8C2EA81B9ED2D3EF4C95E
CRC32: 2A32A9A2
Version: 5.0.90.3
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_10
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_10\bin\
Long name: NPJPI150_10.dll
Short name: NPJPI1~1.DLL
Date (created): 11/9/2006 4:07:34 PM
Date (last access): 8/16/2008 4:42:12 PM
Date (last write): 11/9/2006 4:21:54 PM
Filesize: 75528
Attributes: archive
MD5: 635F4B3A0F1C661B5CEDE628BA85E46B
CRC32: 0C9B7145
Version: 5.0.100.3
{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_11
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_11\bin\
Long name: NPJPI150_11.dll
Short name: NPJPI1~1.DLL
Date (created): 12/15/2006 4:09:16 AM
Date (last access): 8/16/2008 4:42:22 PM
Date (last write): 12/15/2006 4:23:26 AM
Filesize: 75528
Attributes: archive
MD5: 3B3F6984DBF972DAFF1B7E9C44E2FE75
CRC32: 4BDE2041
Version: 5.0.110.3
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_01
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_01\bin\
Long name: npjpi160_01.dll
Short name: NPJPI1~1.DLL
Date (created): 3/14/2007 2:04:46 AM
Date (last access): 8/16/2008 4:42:32 PM
Date (last write): 3/14/2007 3:43:42 AM
Filesize: 132760
Attributes: archive
MD5: F112FB2FD2EF66D439799E3F834DF000
CRC32: D2B09219
Version: 6.0.0.6
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_02
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_02\bin\
Long name: npjpi160_02.dll
Short name: NPJPI1~1.DLL
Date (created): 7/12/2007 2:22:38 AM
Date (last access): 8/16/2008 4:42:42 PM
Date (last write): 7/12/2007 4:00:36 AM
Filesize: 132496
Attributes: archive
MD5: E3811F1A1C5063C941EC0E2766C3EA39
CRC32: AEFD3747
Version: 6.0.20.6
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_03\bin\
Long name: npjpi160_03.dll
Short name: NPJPI1~1.DLL
Date (created): 9/25/2007 12:31:44 AM
Date (last access): 8/16/2008 4:42:52 PM
Date (last write): 9/25/2007 2:11:34 AM
Filesize: 132496
Attributes: archive
MD5: D6A4682A6FF41832A3F1A7AB9AE08199
CRC32: 9080B537
Version: 6.0.30.5
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name: NPJPI1~1.DLL
Date (created): 2/22/2008 2:33:32 AM
Date (last access): 8/16/2008 4:43:02 PM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 2:32:34 AM
Date (last access): 8/16/2008 8:20:42 PM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 2:32:34 AM
Date (last access): 8/16/2008 8:20:42 PM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9f.ocx
Short name:
Date (created): 3/24/2008 7:32:42 PM
Date (last access): 8/16/2008 7:59:44 PM
Date (last write): 3/24/2008 7:32:42 PM
Filesize: 2991488
Attributes: readonly archive
MD5: 48FDF435B8595604E54125B321924510
CRC32: 12335E29
Version: 9.0.124.0
{E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control)
DPF name:
CLSID name: JuniperSetupSP1 Control
Installer: C:\WINDOWS\Downloaded Program Files\JuniperSetup.INF
Codebase: https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
Path: C:\WINDOWS\DOWNLO~1\
Long name: JuniperSetup.ocx
Short name: JUNIPE~1.OCX
Date (created): 4/10/2007 6:59:50 PM
Date (last access): 8/16/2008 4:56:52 PM
Date (last write): 4/10/2007 6:59:50 PM
Filesize: 98371
Attributes: archive
MD5: 59A13BACF3033749FC0E6D7C179F850F
CRC32: FDA271CD
Version: 1.0.0.12
--- Process list ---
PID: 0 ( 0) [System]
PID: 692 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 808 ( 692) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 832 ( 692) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 876 ( 832) C:\WINDOWS\system32\services.exe
size: 108544
MD5: 0E776ED5F7CC9F94299E70461B7B8185
PID: 888 ( 832) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 1056 ( 876) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1104 ( 876) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1248 ( 876) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1308 ( 876) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1408 ( 876) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1460 ( 876) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
PID: 1564 ( 876) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
size: 116040
MD5: 2BDA4A9480B550FCCA6D29C22CA54C0D
PID: 1576 ( 876) C:\Program Files\Bonjour\mDNSResponder.exe
size: 229376
MD5: CFD4C3352E29A8B729536648466E8DF5
PID: 1604 ( 876) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1676 ( 876) C:\Program Files\PrevxCSI\prevxcsi.exe
size: 618040
MD5: 49863CB74B67FEC24E9469B909390A25
PID: 1880 ( 876) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
size: 137200
MD5: 1BF044E23206FDDC16891A32922D571B
PID: 1996 ( 876) C:\WINDOWS\system32\inetsrv\inetinfo.exe
size: 15360
MD5: DB3C22745C0DA4666F3BE31F1AF36B2F
PID: 252 ( 876) C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
size: 788976
MD5: 5F8945CF66D646A8CF2A0E207F1241B3
PID: 780 ( 876) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1088 ( 876) C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
size: 49152
MD5: 332D341D92B933600D41953B08360DFB
PID: 1188 ( 876) C:\Program Files\MediaMall\MediaMallServer.exe
size: 1190912
MD5: 5A62EB4F34BAD7E62ACD25345032ACEE
PID: 192 ( 876) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 568 (1676) C:\Program Files\PrevxCSI\prevxcsi.exe
size: 618040
MD5: 49863CB74B67FEC24E9469B909390A25
PID: 1956 ( 688) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 3220 (1956) C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
size: 32768
MD5: 915A106A2FB87292CEF0AD4F36ADF313
PID: 3256 (1956) C:\WINDOWS\system32\RunDll32.exe
size: 33280
MD5: 037B1E7798960E0420003D05BB577EE6
PID: 3488 (1956) C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
size: 483328
MD5: B985665B63E92D8DF8859EAE21E7B52F
PID: 3552 (1956) C:\WINDOWS\system32\LVCOMSX.EXE
size: 221184
MD5: 5BA8A7DA5D0573F7923E02B260AAD2F1
PID: 3808 (1956) C:\Program Files\Logitech\Video\LogiTray.exe
size: 217088
MD5: F433926BBEC782B603BA3BE0D4E92B7B
PID: 3940 (1956) C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
size: 144784
MD5: 6AB4C021FBD36DC6764924C312428D97
PID: 940 (1956) C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
size: 81920
MD5: D9C8A14D9C2168C29A068B2C470E37B4
PID: 2400 (1956) C:\Program Files\Skype\Phone\Skype.exe
size: 23165736
MD5: D1C4805584C7A74DA35452473A1445EA
PID: 2592 (1956) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 2764 (1956) C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: 037B1E7798960E0420003D05BB577EE6
PID: 3836 (1956) C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: 037B1E7798960E0420003D05BB577EE6
PID: 224 (1956) C:\Program Files\iTunes\iTunesHelper.exe
size: 289064
MD5: 4CED92963F453EB8DCFE67FD4248D657
PID: 556 (1956) C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
size: 698864
MD5: 6CEC5278A917DCBDE0A7D3B0EBC3DD1E
PID: 2876 ( 876) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 2072 (1956) C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
size: 151552
MD5: 0C284F768815000381E76898624C2E68
PID: 2364 (1956) C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
size: 94295
MD5: 67766472D5EEB88250158B2B907A7448
PID: 2564 (1956) C:\Program Files\D-Link Media Server\MediaGUI.exe
size: 1523831
MD5: 489A77E81450B92BC6C048A869FC6F1E
PID: 4092 ( 876) C:\Program Files\iPod\bin\iPodService.exe
size: 532264
MD5: D7ED7D86C9FDDC2EEE637B303B3D6A6B
PID: 2108 (2564) C:\Program Files\D-Link Media Server\MediaServer.exe
size: 655360
MD5: 9FC62EA932D196722AB90BC9B217A0A6
PID: 3188 (1056) C:\Program Files\Logitech\Video\FxSvr2.exe
size: 192512
MD5: 951504797D17139BDCA8F962DF65FDAB
PID: 3856 (1056) C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
size: 299008
MD5: 786A9556B35CA88E867213E135BB5DEF
PID: 2312 (2072) C:\WINDOWS\system32\hpoipm07.exe
size: 57344
MD5: 9F1573F5069BA5B0A7CA131C52430E65
PID: 2912 (2400) C:\Program Files\Skype\Plugin Manager\SkypePM.exe
size: 1942472
MD5: 7C27CCFDE444A377BFC87A3B17031DC8
PID: 3100 (3856) C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
size: 294912
MD5: C596C2F76134513F5429215F06EC72D7
PID: 1808 (3856) C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
size: 188416
MD5: 9719062F746282C1C1095F62CD870D2A
PID: 3292 (2620) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4891472
MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855
PID: 660 (3136) C:\Program Files\RegClean\RegClean.exe
size: 10065392
MD5: E17FE7AC4E2FC47FB8E2058D6AA81A00
PID: 4 ( 0) System
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 8/16/2008 8:20:44 PM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD RfComm [Bluetooth]
GUID: {9FC48064-7298-43E4-B7BD-181F2089792A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Bluetooth
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD RfComm [Bluetooth]
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A9C30D3D-7444-4350-AD42-725F4CE84012}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A9C30D3D-7444-4350-AD42-725F4CE84012}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A54DF575-11A9-4DB0-98E9-6FB075102772}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A54DF575-11A9-4DB0-98E9-6FB075102772}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D98AB491-55A4-43F1-BD3D-4095B84B64FE}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D98AB491-55A4-43F1-BD3D-4095B84B64FE}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BAD61B5D-BE5D-4AE9-9C8D-27B17886463F}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BAD61B5D-BE5D-4AE9-9C8D-27B17886463F}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2710509B-5384-4EE3-8A44-C44C6B629B50}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
mhamilton
2008-08-17, 06:27
Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2710509B-5384-4EE3-8A44-C44C6B629B50}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{29E09D19-EF0F-4D45-8A03-F93BAFAD3D09}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{29E09D19-EF0F-4D45-8A03-F93BAFAD3D09}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B6338DA5-E01C-4F7F-807C-9CF3BFD0A344}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B6338DA5-E01C-4F7F-807C-9CF3BFD0A344}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{35DDE95D-BC8F-4F7A-95F1-B93FA198A36C}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{35DDE95D-BC8F-4F7A-95F1-B93FA198A36C}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C6CDB976-E5B8-4FD6-BE2B-E4FBC57F9862}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C6CDB976-E5B8-4FD6-BE2B-E4FBC57F9862}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
Namespace Provider 3: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP
Namespace Provider 4: Bluetooth Namespace
GUID: {06AA63E0-7D60-41FF-AFB2-3EE6D2D9392D}
Filename: %SystemRoot%\system32\wshbth.dll
Description: Bluetooth
DB filename: %SystemRoot%\system32\wshbth.dll
DB protocol: Bluetooth-Namespace
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix. This tool is not a toy and not for everyday use.
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
--------------------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Note:
Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
mhamilton
2008-08-21, 22:38
Here is the CF log.
Note: after the finish, I started IExplorer and immediately a pop-up program launched "Select File to Crack".
This re-infected the computer.
I think it is either attached to the IEXPLORER or to the Google Toolbar (it happens before the Google Toolbar has a chance to load).
---------------------------------------------------------------
ComboFix 08-08-19.06 - Mike 2008-08-21 12:07:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.674 [GMT -7:00]
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\#SharedObjects\5MCT9UUU\interclick.com
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\#SharedObjects\5MCT9UUU\interclick.com\ud.sol
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Mike\Cookies\mike@a.tomshardware[2].txt
C:\Documents and Settings\Mike\Cookies\mike@ads.revsci[3].txt
C:\Documents and Settings\Mike\Cookies\mike@circuitcity[1].txt
C:\Documents and Settings\Mike\Cookies\mike@clicktorrent[3].txt
C:\Documents and Settings\Mike\Cookies\mike@my.clearchannelradio[1].txt
C:\Documents and Settings\Mike\Cookies\mike@track.bestbuy[1].txt
C:\Documents and Settings\Mike\Cookies\mike@turn[1].txt
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\mdelk.exe
G:\Temp\Temporary Internet Files\ENCSC-Download.com.2.5.1040.0.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SROSA
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.
2008-08-16 19:03 . 2008-08-16 19:03 231,999 --a------ C:\Temp\Beagled.exe
2008-08-16 18:54 . 2008-08-16 18:58 <DIR> d-------- C:\ComboFix
2008-08-16 18:02 . 2008-08-16 18:16 250 --a------ C:\WINDOWS\gmer.ini
2008-08-16 18:01 . 2008-08-16 18:01 747,873 --a------ C:\Temp\gmer.zip
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-08-16 15:53 . 2008-08-16 15:53 401,720 --a------ C:\Temp\HiJackThis.exe
2008-08-16 15:52 . 2008-08-16 15:53 716,539 --a------ C:\Temp\HJTInstall.exe
2008-08-16 15:31 . 2006-04-25 08:01 704,520 --a------ C:\WINDOWS\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-16 13:50 . 2008-08-16 13:50 <DIR> d-------- C:\Program Files\PrevxCSI
2008-08-16 13:50 . 2008-08-16 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-16 13:50 . 2008-08-16 13:50 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-08-16 12:45 . 2008-08-16 16:28 15,083,520 --a------ C:\Temp\spybotsd160.exe
2008-08-16 12:17 . 2008-08-16 12:17 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Sunbelt Software
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-08-16 08:47 . 2008-08-16 08:47 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-08-16 08:45 . 2008-08-16 08:42 45,935,776 --a------ C:\Temp\counterspy.exe
2008-08-15 18:02 . 2008-08-15 18:02 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-16 15:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 18:01 . 2008-08-15 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-06 21:59 1,885,120 --a------ C:\Temp\mbam-setup.exe
2008-08-15 18:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-15 18:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-15 17:49 . 2008-08-15 19:14 <DIR> d-------- C:\Documents and Settings\Mike\.housecall6.6
2008-08-15 07:48 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-15 07:48 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 12:57 . 2008-08-14 12:57 <DIR> d-------- C:\Program Files\Safari
2008-08-12 11:30 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iPod
2008-08-12 11:29 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iTunes
2008-08-12 11:28 . 2008-08-12 11:28 <DIR> d-------- C:\Program Files\Bonjour
2008-08-12 11:22 . 2008-08-12 11:22 63,530,280 --a------ C:\Temp\iTunesSetup.exe
2008-08-04 22:46 . 2008-08-04 22:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-04 22:35 . 2008-08-04 22:35 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-04 22:02 . 2008-08-04 22:02 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-04 21:33 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-04 20:55 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-04 20:55 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-03 12:21 . 2008-08-03 12:21 2,108,504 --a------ C:\Temp\GPSMAP60CSx_370.exe
2008-08-03 12:13 . 2007-03-08 17:18 18,432 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2008-08-03 12:13 . 2006-02-20 11:25 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2008-08-03 12:13 . 2006-04-11 12:51 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2008-08-03 12:13 . 2006-07-11 12:50 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2008-08-03 12:13 . 2007-03-08 17:18 8,320 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2008-08-03 12:12 . 2008-08-03 21:28 <DIR> d-------- C:\Garmin
2008-07-29 11:10 . 2008-07-29 11:10 <DIR> d-------- C:\Program Files\Tech-Pro World Clock 2
2008-07-29 11:10 . 2008-02-04 02:10 237,776 --a------ C:\WINDOWS\system32\tpuninst.exe
2008-07-29 11:08 . 2008-07-29 11:08 2,428,088 --a------ C:\Temp\wc2setup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 19:20 --------- d-----w C:\Documents and Settings\Mike\Application Data\D-Link Media Server
2008-08-21 19:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-21 18:54 --------- d-----w C:\Documents and Settings\Mike\Application Data\Skype
2008-08-17 03:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-17 02:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-16 02:09 --------- d-----w C:\Documents and Settings\Mike\Application Data\dvdcss
2008-08-16 00:25 --------- d-----w C:\Program Files\eMule
2008-08-15 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaMall
2008-08-15 00:24 --------- d-----w C:\Documents and Settings\Mike\Application Data\Apple Computer
2008-08-14 19:57 --------- d-----w C:\Program Files\Apple Software Update
2008-08-14 15:55 --------- d-----w C:\Documents and Settings\Mike\Application Data\Azureus
2008-08-12 18:28 --------- d-----w C:\Program Files\QuickTime
2008-08-10 20:41 --------- d-----w C:\Program Files\Internet Radio Recorder
2008-08-06 23:20 --------- d-----w C:\Program Files\Google
2008-08-03 20:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 00:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\MediaServerDump
2008-07-21 03:16 --------- d-----w C:\Program Files\Picasa2
2008-07-21 02:59 --------- d-----w C:\Program Files\Sun
2008-07-21 02:59 --------- d-----w C:\Program Files\Java
2008-07-08 02:58 --------- d-----w C:\Program Files\D-Link Media Server
2008-07-08 02:22 --------- d-----w C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 01:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-04-30 18:49 92,064 -c--a-w C:\Documents and Settings\Mike\mqdmmdm.sys
2008-04-30 18:49 9,232 -c--a-w C:\Documents and Settings\Mike\mqdmmdfl.sys
2008-04-30 18:49 79,328 -c--a-w C:\Documents and Settings\Mike\mqdmserd.sys
2008-04-30 18:49 66,656 -c--a-w C:\Documents and Settings\Mike\mqdmbus.sys
2008-04-30 18:49 6,208 -c--a-w C:\Documents and Settings\Mike\mqdmcmnt.sys
2008-04-30 18:49 5,936 -c--a-w C:\Documents and Settings\Mike\mqdmwhnt.sys
2008-04-30 18:49 4,048 -c--a-w C:\Documents and Settings\Mike\mqdmcr.sys
2008-04-30 18:49 25,600 -c--a-w C:\Documents and Settings\Mike\usbsermptxp.sys
2008-04-30 18:49 22,768 -c--a-w C:\Documents and Settings\Mike\usbsermpt.sys
2007-05-29 05:17 81,920 ----a-w C:\Documents and Settings\Mike\Application Data\ezpinst.exe
2007-05-29 05:17 47,360 ----a-w C:\Documents and Settings\Mike\Application Data\pcouffin.sys
2006-03-19 16:36 13,824 -c--a-w C:\Documents and Settings\Mike\atwbxdet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-01-18 17:47 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-01-18 17:37 217088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Ulead Quick-Drop"="C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe" [2005-01-31 17:32 102400]
"USIUDF_Eject_Monitor"="C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-12-23 18:27 81920]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07 196608]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-03-30 16:45 10065392]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09 698864]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]
C:\Documents and Settings\Mike\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-21 17:13:51 113664]
D-Link Media Server.lnk - C:\Program Files\D-Link Media Server\MediaGUI.exe [2008-07-07 19:58:32 1523831]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-03-13 19:02:09 25214]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552]
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2006-02-22 15:47:44 94295]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytoosl"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wcnotify]
2007-08-09 17:16 14656 C:\WINDOWS\system32\WcNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MediaMall\\MediaMallServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-10-28 20:21]
R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-08-16 13:50]
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-08-16 12:17]
R1 BeTwinSystem;BeTwinSystem;C:\WINDOWS\system32\Drivers\BeTwinSystem.sys [2007-08-09 17:15]
R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-08-16 13:50]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2000-01-07 10:00]
R2 MediaMall Server;MediaMall Server;C:\Program Files\MediaMall\MediaMallServer.exe [2007-10-09 16:57]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-21 03:56]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NativeTS
*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
2008-08-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-08-21 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean\RegClean.exe [2007-03-30 16:45]
2008-08-21 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean [2007-04-18 22:17]
2008-08-21 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]
2008-08-21 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C34135C4-C5CE-440A-B981-1BFF8E5F71A9}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 12:58]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Cmaudio - cmicnfg.cpl
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\xx0vemed.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 12:19:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-08-21 12:29:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-21 19:28:48
Pre-Run: 118,582,091,776 bytes free
Post-Run: 118,520,954,880 bytes free
265
mhamilton
2008-08-21, 22:41
Here is the HJT log after the CF run.
(and after re-infection)
------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:13 PM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\D-Link Media Server\MediaGUI.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe
C:\Temp\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKLM\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: D-Link Media Server.lnk = C:\Program Files\D-Link Media Server\MediaGUI.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217908534546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217908520187
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.30.180.135/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: wcnotify - C:\WINDOWS\SYSTEM32\wcnotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 11880 bytes
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
eMule
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Delete these folders afterwards:
C:\Program Files\eMule
Empty Recycle Bin.
After that:
a) Run ComboFix again & post its log.
b) Generate an Uninstall List
* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it & a fresh hjt log on your next reply.
mhamilton
2008-08-22, 00:31
CF log
-----------------------------------
ComboFix 08-08-19.06 - Mike 2008-08-21 14:13:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.467 [GMT -7:00]
Running from: C:\Documents and Settings\Mike\Desktop\Combo-Fix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\mdelk.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.
2008-08-16 19:03 . 2008-08-16 19:03 231,999 --a------ C:\Temp\Beagled.exe
2008-08-16 18:54 . 2008-08-16 18:58 <DIR> d-------- C:\ComboFix
2008-08-16 18:02 . 2008-08-16 18:16 250 --a------ C:\WINDOWS\gmer.ini
2008-08-16 18:01 . 2008-08-16 18:01 747,873 --a------ C:\Temp\gmer.zip
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-08-16 15:53 . 2008-08-16 15:53 401,720 --a------ C:\Temp\HiJackThis.exe
2008-08-16 15:52 . 2008-08-16 15:53 716,539 --a------ C:\Temp\HJTInstall.exe
2008-08-16 15:31 . 2006-04-25 08:01 704,520 --a------ C:\WINDOWS\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-16 13:50 . 2008-08-16 13:50 <DIR> d-------- C:\Program Files\PrevxCSI
2008-08-16 13:50 . 2008-08-21 13:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-16 13:50 . 2008-08-16 13:50 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-08-16 12:45 . 2008-08-16 16:28 15,083,520 --a------ C:\Temp\spybotsd160.exe
2008-08-16 12:17 . 2008-08-16 12:17 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Sunbelt Software
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-08-16 08:47 . 2008-08-16 08:47 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-08-16 08:45 . 2008-08-16 08:42 45,935,776 --a------ C:\Temp\counterspy.exe
2008-08-15 18:02 . 2008-08-15 18:02 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-16 15:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 18:01 . 2008-08-15 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-06 21:59 1,885,120 --a------ C:\Temp\mbam-setup.exe
2008-08-15 18:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-15 18:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-15 17:49 . 2008-08-15 19:14 <DIR> d-------- C:\Documents and Settings\Mike\.housecall6.6
2008-08-15 07:48 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-15 07:48 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 12:57 . 2008-08-14 12:57 <DIR> d-------- C:\Program Files\Safari
2008-08-12 11:30 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iPod
2008-08-12 11:29 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iTunes
2008-08-12 11:28 . 2008-08-12 11:28 <DIR> d-------- C:\Program Files\Bonjour
2008-08-12 11:22 . 2008-08-12 11:22 63,530,280 --a------ C:\Temp\iTunesSetup.exe
2008-08-04 22:46 . 2008-08-04 22:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-04 22:35 . 2008-08-04 22:35 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-04 22:02 . 2008-08-04 22:02 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-04 21:33 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-04 20:55 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-04 20:55 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-03 12:21 . 2008-08-03 12:21 2,108,504 --a------ C:\Temp\GPSMAP60CSx_370.exe
2008-08-03 12:13 . 2007-03-08 17:18 18,432 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2008-08-03 12:13 . 2006-02-20 11:25 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2008-08-03 12:13 . 2006-04-11 12:51 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2008-08-03 12:13 . 2006-07-11 12:50 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2008-08-03 12:13 . 2007-03-08 17:18 8,320 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2008-08-03 12:12 . 2008-08-03 21:28 <DIR> d-------- C:\Garmin
2008-07-29 11:10 . 2008-07-29 11:10 <DIR> d-------- C:\Program Files\Tech-Pro World Clock 2
2008-07-29 11:10 . 2008-02-04 02:10 237,776 --a------ C:\WINDOWS\system32\tpuninst.exe
2008-07-29 11:08 . 2008-07-29 11:08 2,428,088 --a------ C:\Temp\wc2setup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 21:20 --------- d-----w C:\Documents and Settings\Mike\Application Data\Skype
2008-08-21 19:20 --------- d-----w C:\Documents and Settings\Mike\Application Data\D-Link Media Server
2008-08-21 19:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-17 03:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-17 02:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-16 02:09 --------- d-----w C:\Documents and Settings\Mike\Application Data\dvdcss
2008-08-15 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaMall
2008-08-15 00:24 --------- d-----w C:\Documents and Settings\Mike\Application Data\Apple Computer
2008-08-14 19:57 --------- d-----w C:\Program Files\Apple Software Update
2008-08-14 15:55 --------- d-----w C:\Documents and Settings\Mike\Application Data\Azureus
2008-08-12 18:28 --------- d-----w C:\Program Files\QuickTime
2008-08-10 20:41 --------- d-----w C:\Program Files\Internet Radio Recorder
2008-08-06 23:20 --------- d-----w C:\Program Files\Google
2008-08-03 20:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 00:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\MediaServerDump
2008-07-21 03:16 --------- d-----w C:\Program Files\Picasa2
2008-07-21 02:59 --------- d-----w C:\Program Files\Sun
2008-07-21 02:59 --------- d-----w C:\Program Files\Java
2008-07-08 02:58 --------- d-----w C:\Program Files\D-Link Media Server
2008-07-08 02:22 --------- d-----w C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 01:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-04-30 18:49 92,064 -c--a-w C:\Documents and Settings\Mike\mqdmmdm.sys
2008-04-30 18:49 9,232 -c--a-w C:\Documents and Settings\Mike\mqdmmdfl.sys
2008-04-30 18:49 79,328 -c--a-w C:\Documents and Settings\Mike\mqdmserd.sys
2008-04-30 18:49 66,656 -c--a-w C:\Documents and Settings\Mike\mqdmbus.sys
2008-04-30 18:49 6,208 -c--a-w C:\Documents and Settings\Mike\mqdmcmnt.sys
2008-04-30 18:49 5,936 -c--a-w C:\Documents and Settings\Mike\mqdmwhnt.sys
2008-04-30 18:49 4,048 -c--a-w C:\Documents and Settings\Mike\mqdmcr.sys
2008-04-30 18:49 25,600 -c--a-w C:\Documents and Settings\Mike\usbsermptxp.sys
2008-04-30 18:49 22,768 -c--a-w C:\Documents and Settings\Mike\usbsermpt.sys
2007-05-29 05:17 81,920 ----a-w C:\Documents and Settings\Mike\Application Data\ezpinst.exe
2007-05-29 05:17 47,360 ----a-w C:\Documents and Settings\Mike\Application Data\pcouffin.sys
2006-03-19 16:36 13,824 -c--a-w C:\Documents and Settings\Mike\atwbxdet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-08-21_12.25.29.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-21 19:10:16 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-21 19:22:35 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-21 19:10:17 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-21 19:22:35 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-01-18 17:37 217088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Ulead Quick-Drop"="C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe" [2005-01-31 17:32 102400]
"USIUDF_Eject_Monitor"="C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-12-23 18:27 81920]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07 196608]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-03-30 16:45 10065392]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09 698864]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]
C:\Documents and Settings\Mike\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-21 17:13:51 113664]
D-Link Media Server.lnk - C:\Program Files\D-Link Media Server\MediaGUI.exe [2008-07-07 19:58:32 1523831]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-03-13 19:02:09 25214]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552]
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2006-02-22 15:47:44 94295]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytoosl"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wcnotify]
2007-08-09 17:16 14656 C:\WINDOWS\system32\WcNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MediaMall\\MediaMallServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-10-28 20:21]
R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-08-16 13:50]
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-08-16 12:17]
R1 BeTwinSystem;BeTwinSystem;C:\WINDOWS\system32\Drivers\BeTwinSystem.sys [2007-08-09 17:15]
R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-08-16 13:50]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2000-01-07 10:00]
R2 MediaMall Server;MediaMall Server;C:\Program Files\MediaMall\MediaMallServer.exe [2007-10-09 16:57]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-21 03:56]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NativeTS
*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
2008-08-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-08-21 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean\RegClean.exe [2007-03-30 16:45]
2008-08-21 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean [2007-04-18 22:17]
2008-08-21 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]
2008-02-21 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]
2008-08-21 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C34135C4-C5CE-440A-B981-1BFF8E5F71A9}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\xx0vemed.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 14:20:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-21 14:26:02
ComboFix-quarantined-files.txt 2008-08-21 21:25:39
ComboFix2.txt 2008-08-21 19:29:36
Pre-Run: 118,994,350,080 bytes free
Post-Run: 118,981,718,016 bytes free
230
mhamilton
2008-08-22, 00:32
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:04 PM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\D-Link Media Server\MediaGUI.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe
C:\Temp\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKLM\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: D-Link Media Server.lnk = C:\Program Files\D-Link Media Server\MediaGUI.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217908534546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217908520187
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.30.180.135/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: wcnotify - C:\WINDOWS\SYSTEM32\wcnotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 11728 bytes
mhamilton
2008-08-22, 01:57
UNINSTALL
----------------------
Abexo Registry Cleaner
Ad-Aware SE Personal
Adobe Acrobat 7.1.0 Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Stock Photos 1.0
Apple Mobile Device Support
Apple Software Update
Avanquest update
Avi2Dvd 0.4.3 beta
AviSynth 2.5
Azureus
Bonjour
Calculator Powertoy for Windows XP
CCleaner (remove only)
C-Media High Definition Audio Driver
Combined Community Codec Pack 2007-07-22
Creative Jukebox Driver
D-Link Media Server 1.10
DVArchive V3.1
DVD Ripper 4
Filter Design 3.0
Garmin Trip and Waypoint Manager v4
Garmin WebUpdater
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
GrabIt 1.7.1 Beta (build 960)
GSplit 2.1
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
hp instant support
hp officejet g series
Image Resizer Powertoy for Windows XP
Internet Radio Recorder
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_08
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Logitech Harmony Remote Software V5
Logitech QuickCam Software
Logitech® Camera Driver
Malwarebytes' Anti-Malware
MapSource
MapSource - City Select
MapSource - North American City Select v5 Update
Mathcad 14
Mathcad 14 Help
Mathcad 14 Resource Center
MATLAB 6.5
MATLAB 7.0.4
MediaMall
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
MotoKit 1.06
Motorola Phone Tools
Motorola PST
Mozilla Firefox (2.0)
MSXML 4.0 SP2 (KB936181)
Nero OEM
NetBeans IDE 4.1
Nikon Scan
NI-Reports
NOMAD Explorer
NVIDIA Drivers
OpenOffice.org Installer 1.0
Picasa 2
PowerDVD
PowerQuest BootMagic 8.0
PowerQuest PartitionMagic 8.0
Prevx CSI
QuickPar 0.9
QuickTime
RealPlayer
RegClean 2.6
RegCure 1.5.0.0
Registry Mechanic 5.0
RSD_LITE_2_5
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Skype™ 3.5
SmartFTP Client
SmartFTP Client
SmartFTP Client 2.0 Setup Files (remove only)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Tech-Pro World Clock 2
TimingTool Editor
Ulead Data-Add 2.0
Ulead DVD MovieFactory 4.0 Disc Creator
Ulead DVD Player 2.0
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
UUDeview for Windows
VideoLAN VLC media player 0.8.1
Visual SlickEdit 7.0
VX-6 Programmer
WebEx
WIBU-KEY Setup (WIBU-KEY Remove)
WinAVIVideoConverter
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinZip 11.1
XviD MPEG-4 Video Codec
-------------------------------------
HJT
-------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:38 PM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\D-Link Media Server\MediaGUI.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\explorer.exe
C:\Temp\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKLM\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: D-Link Media Server.lnk = C:\Program Files\D-Link Media Server\MediaGUI.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217908534546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217908520187
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.30.180.135/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: wcnotify - C:\WINDOWS\SYSTEM32\wcnotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 11494 bytes
Hi
Uninstall the following items through Add/Remove Programs:
Azureus
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_08
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
Start hjt, do a system scan, check (if found):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O18 - Protocol: vskype - (no CLSID) - (no file)
Close browsers and fix checked.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) (scan "My Computer", i.e. the whole computer). Post back its report & a fresh hjt log.
Don't do the following until the cleaning process is completed (I just mention it here to make sure I won't forget ;)):
If you use Firefox, I recommend updating it since your version is quite old. Also, if you use Spybot 1.4, uninstall it and get the latest one at this location (http://www.download.com/Spybot-Search-Destroy/3000-8022-10122137.html?part=dl-spybot&subj=dl&tag=but)
mhamilton
2008-08-22, 19:57
I did all the steps up to the on-line scan.
When I launched iexplorer to start the on-line scan, the trojan loader started again and "Select File to Crack" popped up. CounterSpy notifies me that hldrrr.exe is starting.
I am pretty sure it is reinstalling mdelk.exe and undoing any cleaning that was done by Combo-Fix.
Kaspersky requires me to reinstall Java 1.5 or later.
Will post back the logs when Kaspersky gets done.
Hi
Ok. Let me know if there are any problems running Kaspersky even after installing the latest Java Runtime Environment version (Java Runtime Environment (JRE) 6 Update 7 (http://java.sun.com/javase/downloads/index.jsp)).
mhamilton
2008-08-22, 21:35
Hi
Trying to run Kaspersky required turning off CounterSpy.
This allowed a full-blown infection to take off, and lots of malware applications started running (e.g. 38323435.exe, etc.).
I re-executed CF and HJT.
I used an off-line install of java runtime to install java.
Now I am looking to see if I can download kaspersky from another computer and run it without opening IEXPLORE.
Is there a different scanner I can use?
Here is the CF log, HJT log and Uninstall list follow below...
-------------------------------------
ComboFix 08-08-21.02 - Mike 2008-08-22 11:00:32.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.707 [GMT -7:00]
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Mike\Application Data\m
C:\Documents and Settings\Mike\Application Data\m\data.oct
C:\Documents and Settings\Mike\Application Data\m\flec006.exe
C:\Documents and Settings\Mike\Application Data\m\list.oct
C:\Documents and Settings\Mike\Application Data\m\shared
C:\Documents and Settings\Mike\Application Data\m\shared\[HGame_XP][AVG][jpn_jpn][愛のチカラ].zip
C:\Documents and Settings\Mike\Application Data\m\shared\131_Ice_Cream_Maker_Recipes_1.0_Patch.zip
C:\Documents and Settings\Mike\Application Data\m\shared\3D_Haunting_Halloween_Screensaver_1.0_[Cracked].zip
C:\Documents and Settings\Mike\Application Data\m\shared\3D_Ultra_NASCAR_Pinball_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\ABCUpload_.NET_5.3.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\ACA_Capture_Pro_5.50_(KeyGen).zip
C:\Documents and Settings\Mike\Application Data\m\shared\Adoc2PDF_1.2.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Advanced_PDF_Generator_1.1.3.0_(Patch).zip
C:\Documents and Settings\Mike\Application Data\m\shared\Advanced_StartUp_Manager_1.41_With_Crack.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Aide_Onlinometer_1.70_Key+Serial.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Air_Messenger_Pro_6.7.4.zip
C:\Documents and Settings\Mike\Application Data\m\shared\AllPeers_0.55.1_Beta.zip
C:\Documents and Settings\Mike\Application Data\m\shared\AntiVir.PersonalEdition.Premium.v7.+.VDF.v6.34.00.48.+.Lizenz.Key.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Anubis_P2P_1.4.zip
C:\Documents and Settings\Mike\Application Data\m\shared\AnyForm_5.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\ApHeMo_1.5.0.8.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Aplus_DVD_Creator_4.52.zip
C:\Documents and Settings\Mike\Application Data\m\shared\AppSpy_2.3_(Key).zip
C:\Documents and Settings\Mike\Application Data\m\shared\Avoirdupois_Weight_Measure_Converter_1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Backup_Chunker_2.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Backup_Premium_2.5_[Patch].zip
C:\Documents and Settings\Mike\Application Data\m\shared\Beta_Program_Bug_&_Feature_Database_1.0_Cracked.zip
C:\Documents and Settings\Mike\Application Data\m\shared\BidSolid_1.06.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Boombox_Granny_Demo_Screensaver_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Bronze_Sculpture_Jigsaw_Puzzle_45pcs.zip
C:\Documents and Settings\Mike\Application Data\m\shared\BT_Engine_4.8_build_0605.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Bukster_Link_Generator_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Business_Card_Printer_2.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\CATLearn_Reader_1.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\CD_WAVE_Ripper_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Christian_Virtual_Hymnal_2.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Claxa_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\CutePage_CoolText_1.5.zip
C:\Documents and Settings\Mike\Application Data\m\shared\DiskViz_-_Link_Checker_1.0_[Patch].zip
C:\Documents and Settings\Mike\Application Data\m\shared\DNS_Redirector_6.3.1_Crack.zip
C:\Documents and Settings\Mike\Application Data\m\shared\DXMan_1.10.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Dynamic_DBTreeView_1.8.zip
C:\Documents and Settings\Mike\Application Data\m\shared\E-Converter_1.50.zip
C:\Documents and Settings\Mike\Application Data\m\shared\E-mail_Redemption_for_Outlook_1.6.zip
C:\Documents and Settings\Mike\Application Data\m\shared\EcoKeno_3.74.zip
C:\Documents and Settings\Mike\Application Data\m\shared\EF_CheckSum_Manager_4.30_[Crack].zip
C:\Documents and Settings\Mike\Application Data\m\shared\Egypt_of_David_Roberts_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Email_Collector_Lite_1.6.8.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Express_Tax_Refund_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\EZRound_2.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\F-Prot.Antivirus.for.Windows.v3.16.Retail-DVT.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Fast_Port_Scanner_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\FastPhpInsert_News-Slide-Protected_page_1.0_Key+Serial.zip
C:\Documents and Settings\Mike\Application Data\m\shared\FirePanel_XP_2.2.0.0_(Patch).zip
C:\Documents and Settings\Mike\Application Data\m\shared\FotoTime_FotoAlbum_Pro_5.3.1.4_Cracked.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Ghost_MP3_CD_Maker_2.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Go_Game_Hamete_and_Overplay_for_Smartphone_1.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\GrabJPG_1.12.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Greek_Formulae_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Hawaii_Screensaver_4.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\HSLAB_Logger_3.4.28.124_With_Crack.zip
C:\Documents and Settings\Mike\Application Data\m\shared\imeem_2.4.38.2476.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Internet_Explorer_Password_Recovery_Master_1.4.zip
C:\Documents and Settings\Mike\Application Data\m\shared\IP_Monitor_5.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\IPComboBox_OCX_1.0.0.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Klinzter_Script_4.2.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Libcurl.NET_1.3.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Link_Folder_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Live_Search_Podcast_1.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\MarsEdit_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Mcafee.Virus.Scan.Professional.Edition.8.0-Ita.zip
C:\Documents and Settings\Mike\Application Data\m\shared\McAfee.VirusScan.10.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Medal_of_Honor_Allied_Assault_Spearhead_-_Southern_France_map.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Meteor_1.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\MindStudio_Vocab_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\MindVisualizer_Standard_1.4.4.0_(Serial).zip
C:\Documents and Settings\Mike\Application Data\m\shared\Minister_Scheduler_Pro_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\MouseClock_3.2_[Patch].zip
C:\Documents and Settings\Mike\Application Data\m\shared\MouseMeter_0.1.3.zip
C:\Documents and Settings\Mike\Application Data\m\shared\MSN_Cartoon_Avatar_Display_Pack_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\MSN_Webcam_Recorder_9.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Multiplayer_Championship_Poker_(Pocket_PC)_4.zip
C:\Documents and Settings\Mike\Application Data\m\shared\My_Downloads_1.4.zip
C:\Documents and Settings\Mike\Application Data\m\shared\MyJgui_0.5.3.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Neo_Pro_3.1.374.zip
C:\Documents and Settings\Mike\Application Data\m\shared\OutClock_1.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\OutlookFIX_Repair_and_Undelete_2.09_[Serial].zip
C:\Documents and Settings\Mike\Application Data\m\shared\Paintball_Office_Pro_2.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Panzer_Elite_Action_Fields_of_Glory_multiplayer_demo.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Password_Recovery_Software_2.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Patterns_of_Nature_Screensaver_2.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\PC_Recent_1.1.0_Key.zip
C:\Documents and Settings\Mike\Application Data\m\shared\PDB_Creator_Pro_1.0.2.zip
C:\Documents and Settings\Mike\Application Data\m\shared\PhotoElf_4.0.18_[With_Crack].zip
C:\Documents and Settings\Mike\Application Data\m\shared\PhotoLine_32_12.02.zip
C:\Documents and Settings\Mike\Application Data\m\shared\PHPRunner_4.0_Build_265.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Playtonium_Jigsaw_Patterns_in_Nature_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\PlugAdmin_Windows_1.0_Crack.zip
C:\Documents and Settings\Mike\Application Data\m\shared\PrintPictures_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\ProTarot_Reader_2.0.58_(Patch).zip
C:\Documents and Settings\Mike\Application Data\m\shared\Rmvb_Rm_Fix_Repair_Joiner_3.23_Cracked.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Robot_Shut_Down_5.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Sea_Bounty_1.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Serial_Port_Monitor_3.zip
C:\Documents and Settings\Mike\Application Data\m\shared\SGadget_1.2_Cracked.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Shadow_Professional_2.7_(Crack).zip
C:\Documents and Settings\Mike\Application Data\m\shared\ShowFont_-_Windows_Font_Lister_1.12.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Snail_Mail_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Source_Explorer_VS.NET_2003_plugin_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\SpaceMan_99_3.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\SpyCatcher_Express_2006_4.4.6.zip
C:\Documents and Settings\Mike\Application Data\m\shared\SQLWays_3.9.zip
C:\Documents and Settings\Mike\Application Data\m\shared\StormWarn_1.2.zip
C:\Documents and Settings\Mike\Application Data\m\shared\SunGlance_1.0_Serial.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Tele-Cap_Professional_3.0.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Text_Mnemonic_Generator_3.4.zip
C:\Documents and Settings\Mike\Application Data\m\shared\The_Quiz_Press_1.8_Crack.zip
C:\Documents and Settings\Mike\Application Data\m\shared\ThePlayground_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\TIFF_To_PDF_ActiveX_Component_2.0.2007.718_KeyGen.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2003_-_Vertical_deathmatch_map.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2004_Judge_Judy_Voice_Pack.zip
C:\Documents and Settings\Mike\Application Data\m\shared\US_meteo_by_sat_1.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Video_Matrix_Screensaver_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\VideoShotMaker_1.00.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Virtual_Hypnotist_5.551.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Web_Log_Explorer_3.31_Crack.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Windows_&_Internet_Cleaner_Pro_3.22_(Patch).zip
C:\Documents and Settings\Mike\Application Data\m\shared\Woize_2.5.0.32959.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Word_Blaster_3.5.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Wwhois_2.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Xceed_Chart_for_ASP.NET_3.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\XLPoints_Plus_1.3_(With_Crack).zip
C:\Documents and Settings\Mike\Application Data\m\shared\Xteq_URL_Bandit_1.2.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Yes_AntiVirus-Tool_Netsky-P_3.0.zip
C:\Documents and Settings\Mike\Application Data\m\srvlist.oct
C:\WINDOWS\system32\ban_list.txt
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\1255296.exe
C:\WINDOWS\system32\drivers\downld\1283890.exe
C:\WINDOWS\system32\drivers\downld\1288046.exe
C:\WINDOWS\system32\drivers\downld\1331109.exe
C:\WINDOWS\system32\drivers\downld\1336625.exe
C:\WINDOWS\system32\drivers\downld\1344515.exe
C:\WINDOWS\system32\drivers\downld\1382906.exe
C:\WINDOWS\system32\drivers\downld\1424375.exe
C:\WINDOWS\system32\drivers\downld\1477562.exe
C:\WINDOWS\system32\drivers\downld\1490562.exe
C:\WINDOWS\system32\drivers\downld\1609015.exe
C:\WINDOWS\system32\drivers\downld\1735109.exe
C:\WINDOWS\system32\drivers\downld\2360031.exe
C:\WINDOWS\system32\drivers\downld\3964390.exe
C:\WINDOWS\system32\drivers\downld\3967125.exe
C:\WINDOWS\system32\drivers\downld\3977296.exe
C:\WINDOWS\system32\drivers\downld\4161406.exe
C:\WINDOWS\system32\drivers\downld\4162406.exe
C:\WINDOWS\system32\drivers\downld\4172953.exe
C:\WINDOWS\system32\drivers\downld\4180859.exe
C:\WINDOWS\system32\drivers\downld\4189562.exe
C:\WINDOWS\system32\drivers\downld\4252406.exe
C:\WINDOWS\system32\drivers\downld\4257906.exe
C:\WINDOWS\system32\drivers\downld\4269546.exe
C:\WINDOWS\system32\drivers\downld\4277421.exe
C:\WINDOWS\system32\drivers\downld\4319500.exe
C:\WINDOWS\system32\drivers\downld\4330343.exe
C:\WINDOWS\system32\drivers\downld\4337218.exe
C:\WINDOWS\system32\drivers\downld\4339718.exe
C:\WINDOWS\system32\drivers\downld\4346031.exe
C:\WINDOWS\system32\drivers\downld\4361921.exe
C:\WINDOWS\system32\drivers\downld\4368562.exe
C:\WINDOWS\system32\drivers\downld\4375906.exe
C:\WINDOWS\system32\drivers\downld\4381171.exe
C:\WINDOWS\system32\drivers\downld\4394984.exe
C:\WINDOWS\system32\drivers\downld\4410156.exe
C:\WINDOWS\system32\drivers\downld\4423859.exe
C:\WINDOWS\system32\drivers\downld\4431593.exe
C:\WINDOWS\system32\drivers\downld\4440281.exe
C:\WINDOWS\system32\drivers\downld\4487875.exe
C:\WINDOWS\system32\drivers\downld\4535937.exe
C:\WINDOWS\system32\drivers\downld\4586921.exe
C:\WINDOWS\system32\drivers\downld\4611093.exe
C:\WINDOWS\system32\drivers\downld\4714437.exe
C:\WINDOWS\system32\drivers\downld\4724015.exe
C:\WINDOWS\system32\drivers\downld\4742078.exe
C:\WINDOWS\system32\drivers\downld\4744000.exe
C:\WINDOWS\system32\drivers\downld\4756078.exe
C:\WINDOWS\system32\drivers\downld\4763453.exe
C:\WINDOWS\system32\drivers\downld\4784343.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
.
2008-08-22 09:37 . 2008-08-22 09:37 <DIR> d-------- C:\Temp\backups
2008-08-22 09:29 . 2006-08-03 14:56 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-08-16 19:03 . 2008-08-16 19:03 231,999 --a------ C:\Temp\Beagled.exe
2008-08-16 18:54 . 2008-08-16 18:58 <DIR> d-------- C:\ComboFix
2008-08-16 18:02 . 2008-08-16 18:16 250 --a------ C:\WINDOWS\gmer.ini
2008-08-16 18:01 . 2008-08-16 18:01 747,873 --a------ C:\Temp\gmer.zip
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-08-16 15:53 . 2008-08-16 15:53 401,720 --a------ C:\Temp\HiJackThis.exe
2008-08-16 15:52 . 2008-08-16 15:53 716,539 --a------ C:\Temp\HJTInstall.exe
2008-08-16 15:31 . 2006-04-25 08:01 704,520 --a------ C:\WINDOWS\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-16 13:50 . 2008-08-22 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-16 12:45 . 2008-08-16 16:28 15,083,520 --a------ C:\Temp\spybotsd160.exe
2008-08-16 12:17 . 2008-08-16 12:17 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Sunbelt Software
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-08-16 08:47 . 2008-08-16 08:47 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-08-16 08:45 . 2008-08-16 08:42 45,935,776 --a------ C:\Temp\counterspy.exe
2008-08-15 18:02 . 2008-08-15 18:02 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-16 15:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 18:01 . 2008-08-15 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-06 21:59 1,885,120 --a------ C:\Temp\mbam-setup.exe
2008-08-15 18:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-15 18:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-15 17:49 . 2008-08-15 19:14 <DIR> d-------- C:\Documents and Settings\Mike\.housecall6.6
2008-08-15 07:48 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-15 07:48 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 12:57 . 2008-08-14 12:57 <DIR> d-------- C:\Program Files\Safari
2008-08-12 11:30 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iPod
2008-08-12 11:29 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iTunes
2008-08-12 11:28 . 2008-08-12 11:28 <DIR> d-------- C:\Program Files\Bonjour
2008-08-12 11:22 . 2008-08-12 11:22 63,530,280 --a------ C:\Temp\iTunesSetup.exe
2008-08-04 22:46 . 2008-08-04 22:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-04 22:35 . 2008-08-04 22:35 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-04 22:02 . 2008-08-04 22:02 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-04 21:33 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-04 20:55 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-04 20:55 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-03 12:21 . 2008-08-03 12:21 2,108,504 --a------ C:\Temp\GPSMAP60CSx_370.exe
2008-08-03 12:13 . 2007-03-08 17:18 18,432 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2008-08-03 12:13 . 2006-02-20 11:25 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2008-08-03 12:13 . 2006-04-11 12:51 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2008-08-03 12:13 . 2006-07-11 12:50 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2008-08-03 12:13 . 2007-03-08 17:18 8,320 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2008-08-03 12:12 . 2008-08-03 21:28 <DIR> d-------- C:\Garmin
2008-07-29 11:10 . 2008-07-29 11:10 <DIR> d-------- C:\Program Files\Tech-Pro World Clock 2
2008-07-29 11:10 . 2008-02-04 02:10 237,776 --a------ C:\WINDOWS\system32\tpuninst.exe
2008-07-29 11:08 . 2008-07-29 11:08 2,428,088 --a------ C:\Temp\wc2setup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-22 17:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\Skype
2008-08-22 17:01 --------- d-----w C:\Program Files\Java
2008-08-22 16:34 --------- d-----w C:\Documents and Settings\Mike\Application Data\D-Link Media Server
2008-08-22 16:13 --------- d-----w C:\Program Files\Azureus
2008-08-21 19:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-17 03:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-17 02:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-16 02:09 --------- d-----w C:\Documents and Settings\Mike\Application Data\dvdcss
2008-08-15 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaMall
2008-08-15 00:24 --------- d-----w C:\Documents and Settings\Mike\Application Data\Apple Computer
2008-08-14 19:57 --------- d-----w C:\Program Files\Apple Software Update
2008-08-14 15:55 --------- d-----w C:\Documents and Settings\Mike\Application Data\Azureus
2008-08-12 18:28 --------- d-----w C:\Program Files\QuickTime
2008-08-10 20:41 --------- d-----w C:\Program Files\Internet Radio Recorder
2008-08-06 23:20 --------- d-----w C:\Program Files\Google
2008-08-03 20:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 00:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\MediaServerDump
2008-07-21 03:16 --------- d-----w C:\Program Files\Picasa2
2008-07-21 02:59 --------- d-----w C:\Program Files\Sun
2008-07-08 02:58 --------- d-----w C:\Program Files\D-Link Media Server
2008-07-08 02:22 --------- d-----w C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 01:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-04-30 18:49 92,064 -c--a-w C:\Documents and Settings\Mike\mqdmmdm.sys
2008-04-30 18:49 9,232 -c--a-w C:\Documents and Settings\Mike\mqdmmdfl.sys
2008-04-30 18:49 79,328 -c--a-w C:\Documents and Settings\Mike\mqdmserd.sys
2008-04-30 18:49 66,656 -c--a-w C:\Documents and Settings\Mike\mqdmbus.sys
2008-04-30 18:49 6,208 -c--a-w C:\Documents and Settings\Mike\mqdmcmnt.sys
2008-04-30 18:49 5,936 -c--a-w C:\Documents and Settings\Mike\mqdmwhnt.sys
2008-04-30 18:49 4,048 -c--a-w C:\Documents and Settings\Mike\mqdmcr.sys
2008-04-30 18:49 25,600 -c--a-w C:\Documents and Settings\Mike\usbsermptxp.sys
2008-04-30 18:49 22,768 -c--a-w C:\Documents and Settings\Mike\usbsermpt.sys
2007-05-29 05:17 81,920 ----a-w C:\Documents and Settings\Mike\Application Data\ezpinst.exe
2007-05-29 05:17 47,360 ----a-w C:\Documents and Settings\Mike\Application Data\pcouffin.sys
2006-03-19 16:36 13,824 -c--a-w C:\Documents and Settings\Mike\atwbxdet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-08-21_12.25.29.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-21 19:18:21 225,097 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-08-22 18:00:06 225,098 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-06-10 08:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2006-08-03 21:56:49 49,248 ----a-w C:\WINDOWS\system32\java.exe
- 2008-06-10 08:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2006-08-03 21:56:49 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-06-10 09:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2006-08-03 21:56:49 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-08-21 19:10:16 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-22 18:04:04 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-21 19:10:17 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-22 18:04:04 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"USIUDF_Eject_Monitor"="C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-12-23 18:27 81920]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07 196608]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-03-30 16:45 10065392]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09 698864]
"SunJavaUpdateSched"="c:\program files\timingtool\jre\bin\jusched.exe" [2006-08-03 14:56 36975]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]
C:\Documents and Settings\Mike\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-21 17:13:51 113664]
D-Link Media Server.lnk - C:\Program Files\D-Link Media Server\MediaGUI.exe [2008-07-07 19:58:32 1523831]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-03-13 19:02:09 25214]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552]
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2006-02-22 15:47:44 94295]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytoosl"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wcnotify]
2007-08-09 17:16 14656 C:\WINDOWS\system32\WcNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MediaMall\\MediaMallServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-10-28 20:21]
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-08-16 12:17]
R1 BeTwinSystem;BeTwinSystem;C:\WINDOWS\system32\Drivers\BeTwinSystem.sys [2007-08-09 17:15]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2000-01-07 10:00]
R2 MediaMall Server;MediaMall Server;C:\Program Files\MediaMall\MediaMallServer.exe [2007-10-09 16:57]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-21 03:56]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NativeTS
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
2008-08-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-08-22 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean\RegClean.exe [2007-03-30 16:45]
2008-08-22 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean [2007-04-18 22:17]
2008-08-22 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]
2008-02-21 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]
2008-08-21 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C34135C4-C5CE-440A-B981-1BFF8E5F71A9}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\xx0vemed.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 11:05:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
.
**************************************************************************
.
Completion time: 2008-08-22 11:07:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-22 18:07:52
ComboFix2.txt 2008-08-21 22:49:53
ComboFix3.txt 2008-08-21 21:26:04
ComboFix4.txt 2008-08-21 19:29:36
Pre-Run: 118,988,935,168 bytes free
Post-Run: 118,902,054,912 bytes free
437
-------------------------------------
HJT Log
---------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:28 AM, on 8/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Temp\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKLM\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: D-Link Media Server.lnk = C:\Program Files\D-Link Media Server\MediaGUI.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217908534546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217908520187
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.30.180.135/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: wcnotify - C:\WINDOWS\SYSTEM32\wcnotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 10183 bytes
------------------------------------
Uninstall list
------------------------------------
Abexo Registry Cleaner
Ad-Aware SE Personal
Adobe Acrobat 7.1.0 Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Stock Photos 1.0
Apple Mobile Device Support
Apple Software Update
Avanquest update
Avi2Dvd 0.4.3 beta
AviSynth 2.5
Bonjour
Calculator Powertoy for Windows XP
CCleaner (remove only)
C-Media High Definition Audio Driver
Combined Community Codec Pack 2007-07-22
Creative Jukebox Driver
D-Link Media Server 1.10
DVArchive V3.1
DVD Ripper 4
Filter Design 3.0
Garmin Trip and Waypoint Manager v4
Garmin WebUpdater
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
GrabIt 1.7.1 Beta (build 960)
GSplit 2.1
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
hp instant support
hp officejet g series
Image Resizer Powertoy for Windows XP
Internet Radio Recorder
iTunes
Java(TM) 6 Update 7
Logitech Harmony Remote Software V5
Logitech QuickCam Software
Logitech® Camera Driver
Malwarebytes' Anti-Malware
MapSource
MapSource - City Select
MapSource - North American City Select v5 Update
Mathcad 14
Mathcad 14 Help
Mathcad 14 Resource Center
MATLAB 6.5
MATLAB 7.0.4
MediaMall
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
MotoKit 1.06
Motorola Phone Tools
Motorola PST
Mozilla Firefox (2.0)
MSXML 4.0 SP2 (KB936181)
Nero OEM
NetBeans IDE 4.1
Nikon Scan
NI-Reports
NOMAD Explorer
NVIDIA Drivers
OpenOffice.org Installer 1.0
Picasa 2
PowerDVD
PowerQuest BootMagic 8.0
PowerQuest PartitionMagic 8.0
QuickPar 0.9
QuickTime
RealPlayer
RegClean 2.6
RegCure 1.5.0.0
Registry Mechanic 5.0
RSD_LITE_2_5
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Skype™ 3.5
SmartFTP Client
SmartFTP Client
SmartFTP Client 2.0 Setup Files (remove only)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Tech-Pro World Clock 2
TimingTool Editor
Ulead Data-Add 2.0
Ulead DVD MovieFactory 4.0 Disc Creator
Ulead DVD Player 2.0
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
UUDeview for Windows
VideoLAN VLC media player 0.8.1
Visual SlickEdit 7.0
VX-6 Programmer
WebEx
WIBU-KEY Setup (WIBU-KEY Remove)
WinAVIVideoConverter
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinZip 11.1
XviD MPEG-4 Video Codec
mhamilton
2008-08-22, 22:01
I downloaded Kaspersky trial version and installed without seeing the trojan loader getting started. (Kaspersky seems to be happy with CounterSpy running, but not Spybot 1.2)
Running scan now. Will post logs in a few hours.
mhamilton
2008-08-23, 00:36
I executed Kaspersky without ever opening Iexplore.
I have not executed any clean up of the detected items.
What to do next?
-----------------------------------------
Full Scan: completed 8/22/2008 2:30:59 PM (events: 190, objects: 722494, time: 02:32:48)
8/22/2008 11:58:10 AM Task started
8/22/2008 11:59:18 AM Detected: http://www.viruslist.com/en/advisories/28506 c:\program files\microsoft office\office11\excel.exe
8/22/2008 11:59:21 AM Detected: http://www.viruslist.com/en/advisories/29320 c:\program files\microsoft office\office11\outlook.exe
8/22/2008 11:59:33 AM Detected: http://www.viruslist.com/en/advisories/30143 c:\program files\microsoft office\office11\winword.exe
8/22/2008 12:00:39 PM Detected: http://www.viruslist.com/en/advisories/30761 c:\program files\mozilla firefox\firefox.exe
8/22/2008 12:01:08 PM Detected: http://www.viruslist.com/en/advisories/27361 c:\program files\real\realplayer\realplay.exe
8/22/2008 12:01:15 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\windows\java.exe
8/22/2008 12:02:38 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003961.exe
8/22/2008 12:02:38 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003961.exe Postponed
8/22/2008 12:02:39 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003963.exe
8/22/2008 12:02:39 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003963.exe Postponed
8/22/2008 12:02:39 PM Detected: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003955.sys
8/22/2008 12:02:39 PM Untreated: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003955.sys Postponed
8/22/2008 12:02:51 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004021.exe
8/22/2008 12:02:52 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004021.exe Postponed
8/22/2008 12:02:53 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004018.exe
8/22/2008 12:02:53 PM Untreated: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004018.exe Postponed
8/22/2008 12:02:57 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004034.exe
8/22/2008 12:02:57 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004034.exe Postponed
8/22/2008 12:02:58 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004016.exe
8/22/2008 12:02:58 PM Untreated: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004016.exe Postponed
8/22/2008 12:02:58 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004038.exe
8/22/2008 12:02:58 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004038.exe Postponed
8/22/2008 12:02:59 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004042.exe
8/22/2008 12:02:59 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004042.exe Postponed
8/22/2008 12:02:59 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004043.exe
8/22/2008 12:02:59 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004043.exe Postponed
8/22/2008 12:03:02 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004047.exe
8/22/2008 12:03:02 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004047.exe Postponed
8/22/2008 12:03:02 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004048.exe
8/22/2008 12:03:02 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004048.exe Postponed
8/22/2008 12:03:06 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004028.exe
8/22/2008 12:03:06 PM Untreated: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004028.exe Postponed
8/22/2008 12:03:06 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004052.exe
8/22/2008 12:03:06 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004052.exe Postponed
8/22/2008 12:03:07 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004060.exe
8/22/2008 12:03:07 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004060.exe Postponed
8/22/2008 12:03:08 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004045.exe
8/22/2008 12:03:08 PM Untreated: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004045.exe Postponed
8/22/2008 12:03:08 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004064.exe
8/22/2008 12:03:08 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004064.exe Postponed
8/22/2008 12:03:10 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004066.exe
8/22/2008 12:03:10 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004066.exe Postponed
8/22/2008 12:03:10 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004067.exe
8/22/2008 12:03:11 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004067.exe Postponed
8/22/2008 12:03:17 PM Detected: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004065.sys
8/22/2008 12:03:17 PM Untreated: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004065.sys Postponed
8/22/2008 12:03:18 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004072.exe
8/22/2008 12:03:18 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004072.exe Postponed
8/22/2008 12:03:21 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004062.exe
8/22/2008 12:03:21 PM Untreated: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004062.exe Postponed
8/22/2008 12:08:46 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\Documents and Settings\All Users\Documents\Matlab 7\Matlab 1\java\jre\win32\jre\bin\eula.dll
8/22/2008 12:28:49 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\Documents and Settings\All Users\Documents\Software\matlab704\java\jre\win32\jre\bin\java.exe
8/22/2008 12:49:24 PM Detected: http://www.viruslist.com/en/advisories/25023 c:\program files\Adobe\Adobe Photoshop CS2\Plug-Ins\File Formats\BMP.8BI
8/22/2008 12:55:31 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Logitech\Harmony Remote\JRE\bin\eula.dll
8/22/2008 12:56:47 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\MATLAB704\sys\java\jre\win32\jre1.5.0\bin\java.exe
8/22/2008 1:04:26 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\MATLAB704\uninstall\java\jre\win32\jre\bin\java.exe
8/22/2008 1:04:47 PM Detected: http://www.viruslist.com/en/advisories/28506 c:\program files\microsoft office\office11\excel.exe
8/22/2008 1:04:52 PM Detected: http://www.viruslist.com/en/advisories/29320 c:\program files\microsoft office\office11\outlook.exe
8/22/2008 1:04:55 PM Detected: http://www.viruslist.com/en/advisories/30143 c:\program files\microsoft office\office11\winword.exe
8/22/2008 1:06:20 PM Detected: http://www.viruslist.com/en/advisories/30761 c:\program files\mozilla firefox\firefox.exe
8/22/2008 1:08:05 PM Detected: http://www.viruslist.com/en/advisories/27361 c:\program files\real\realplayer\realplay.exe
8/22/2008 1:09:15 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\TimingTool\jre\bin\java.exe
8/22/2008 1:09:56 PM Detected: http://www.viruslist.com/en/advisories/28083 c:\program files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead DMF Launcher 2.0\Flash.ocx
8/22/2008 1:11:28 PM Detected: http://www.viruslist.com/en/advisories/28083 c:\program files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Flash.ocx
8/22/2008 1:13:45 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\flec006.exe.vir
8/22/2008 1:13:45 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\flec006.exe.vir Postponed
8/22/2008 1:16:13 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\mdelk.exe.vir
8/22/2008 1:16:14 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\mdelk.exe.vir Postponed
8/22/2008 1:16:14 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\wintems.exe.vir
8/22/2008 1:16:14 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\wintems.exe.vir Postponed
8/22/2008 1:16:31 PM Detected: Trojan-Downloader.Win32.Bagle.vj c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\srosa.sys.vir
8/22/2008 1:16:31 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1331109.exe.vir
8/22/2008 1:16:31 PM Untreated: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1331109.exe.vir Postponed
8/22/2008 1:16:31 PM Untreated: Trojan-Downloader.Win32.Bagle.vj c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\srosa.sys.vir Postponed
8/22/2008 1:16:31 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1283890.exe.vir
8/22/2008 1:16:32 PM Untreated: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1283890.exe.vir Postponed
8/22/2008 1:16:32 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1382906.exe.vir
8/22/2008 1:16:32 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1382906.exe.vir Postponed
8/22/2008 1:16:36 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4180859.exe.vir
8/22/2008 1:16:36 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4180859.exe.vir Postponed
8/22/2008 1:16:37 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4269546.exe.vir
8/22/2008 1:16:37 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4269546.exe.vir Postponed
8/22/2008 1:16:38 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4337218.exe.vir
8/22/2008 1:16:39 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4337218.exe.vir Postponed
8/22/2008 1:16:39 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4339718.exe.vir
8/22/2008 1:16:39 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4339718.exe.vir Postponed
8/22/2008 1:16:40 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4375906.exe.vir
8/22/2008 1:16:41 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4375906.exe.vir Postponed
8/22/2008 1:16:41 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4381171.exe.vir
8/22/2008 1:16:42 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4381171.exe.vir Postponed
8/22/2008 1:16:43 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\3964390.exe.vir
8/22/2008 1:16:44 PM Untreated: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\3964390.exe.vir Postponed
8/22/2008 1:16:45 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4431593.exe.vir
8/22/2008 1:16:45 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4431593.exe.vir Postponed
8/22/2008 1:16:46 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4742078.exe.vir
8/22/2008 1:16:47 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4742078.exe.vir Postponed
8/22/2008 1:16:47 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4361921.exe.vir
8/22/2008 1:16:47 PM Untreated: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4361921.exe.vir Postponed
8/22/2008 1:16:48 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4784343.exe.vir
8/22/2008 1:16:49 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4784343.exe.vir Postponed
8/22/2008 1:16:52 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4756078.exe.vir
8/22/2008 1:16:52 PM Untreated: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4756078.exe.vir Postponed
8/22/2008 1:17:16 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\windows\java.exe
8/22/2008 1:23:02 PM Detected: http://www.viruslist.com/en/advisories/25570 c:\windows\Downloaded Program Files\vete.dll
8/22/2008 1:36:22 PM Detected: http://www.viruslist.com/en/advisories/31010 G:\IEGD\IEGD_6_1_Gold\jre\bin\javaws.exe
8/22/2008 1:59:42 PM Detected: http://www.viruslist.com/en/advisories/31010 G:\Temp\matlab704\java\jre\win32\jre\bin\java.exe
8/22/2008 2:29:10 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\flec006.exe.vir
8/22/2008 2:30:25 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\flec006.exe.vir
8/22/2008 2:30:28 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1283890.exe.vir
8/22/2008 2:30:28 PM Deleted: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1283890.exe.vir
8/22/2008 2:30:30 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1331109.exe.vir
8/22/2008 2:30:30 PM Deleted: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1331109.exe.vir
8/22/2008 2:30:30 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1382906.exe.vir
8/22/2008 2:30:30 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1382906.exe.vir
8/22/2008 2:30:32 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\3964390.exe.vir
8/22/2008 2:30:32 PM Deleted: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\3964390.exe.vir
8/22/2008 2:30:33 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4180859.exe.vir
8/22/2008 2:30:33 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4180859.exe.vir
8/22/2008 2:30:33 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4269546.exe.vir
8/22/2008 2:30:33 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4269546.exe.vir
8/22/2008 2:30:33 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4337218.exe.vir
8/22/2008 2:30:33 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4337218.exe.vir
8/22/2008 2:30:33 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4339718.exe.vir
8/22/2008 2:30:33 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4339718.exe.vir
8/22/2008 2:30:35 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4361921.exe.vir
8/22/2008 2:30:35 PM Deleted: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4361921.exe.vir
8/22/2008 2:30:36 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4375906.exe.vir
8/22/2008 2:30:36 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4375906.exe.vir
8/22/2008 2:30:36 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4381171.exe.vir
8/22/2008 2:30:36 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4381171.exe.vir
8/22/2008 2:30:36 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4431593.exe.vir
8/22/2008 2:30:36 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4431593.exe.vir
8/22/2008 2:30:36 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4742078.exe.vir
8/22/2008 2:30:36 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4742078.exe.vir
8/22/2008 2:30:38 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4756078.exe.vir
8/22/2008 2:30:38 PM Deleted: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4756078.exe.vir
8/22/2008 2:30:39 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4784343.exe.vir
8/22/2008 2:30:39 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4784343.exe.vir
8/22/2008 2:30:41 PM Detected: Trojan-Downloader.Win32.Bagle.vj c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\srosa.sys.vir
8/22/2008 2:30:41 PM Deleted: Trojan-Downloader.Win32.Bagle.vj c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\srosa.sys.vir
8/22/2008 2:30:41 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\mdelk.exe.vir
8/22/2008 2:30:41 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\mdelk.exe.vir
8/22/2008 2:30:41 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\wintems.exe.vir
8/22/2008 2:30:41 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\wintems.exe.vir
8/22/2008 2:30:43 PM Detected: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003955.sys
8/22/2008 2:30:43 PM Deleted: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003955.sys
8/22/2008 2:30:44 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003961.exe
8/22/2008 2:30:44 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003961.exe
8/22/2008 2:30:44 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003963.exe
8/22/2008 2:30:44 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003963.exe
8/22/2008 2:30:46 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004016.exe
8/22/2008 2:30:46 PM Deleted: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004016.exe
8/22/2008 2:30:48 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004018.exe
8/22/2008 2:30:48 PM Deleted: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004018.exe
8/22/2008 2:30:48 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004021.exe
8/22/2008 2:30:48 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004021.exe
8/22/2008 2:30:51 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004028.exe
8/22/2008 2:30:51 PM Deleted: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004028.exe
8/22/2008 2:30:51 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004034.exe
8/22/2008 2:30:51 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004034.exe
8/22/2008 2:30:51 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004038.exe
8/22/2008 2:30:51 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004038.exe
8/22/2008 2:30:51 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004042.exe
8/22/2008 2:30:51 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004042.exe
8/22/2008 2:30:51 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004043.exe
8/22/2008 2:30:51 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004043.exe
8/22/2008 2:30:53 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004045.exe
8/22/2008 2:30:53 PM Deleted: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004045.exe
8/22/2008 2:30:53 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004047.exe
8/22/2008 2:30:53 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004047.exe
8/22/2008 2:30:54 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004048.exe
8/22/2008 2:30:54 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004048.exe
8/22/2008 2:30:54 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004052.exe
8/22/2008 2:30:54 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004052.exe
8/22/2008 2:30:54 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004060.exe
8/22/2008 2:30:54 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004060.exe
8/22/2008 2:30:56 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004062.exe
8/22/2008 2:30:56 PM Deleted: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004062.exe
8/22/2008 2:30:56 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004064.exe
8/22/2008 2:30:56 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004064.exe
8/22/2008 2:30:58 PM Detected: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004065.sys
8/22/2008 2:30:58 PM Deleted: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004065.sys
8/22/2008 2:30:58 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004066.exe
8/22/2008 2:30:59 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004066.exe
8/22/2008 2:30:59 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004067.exe
8/22/2008 2:30:59 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004067.exe
8/22/2008 2:30:59 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004072.exe
8/22/2008 2:30:59 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004072.exe
8/22/2008 2:30:59 PM Task completed
mhamilton
2008-08-23, 08:14
While waiting around, I decided to try to download the backup disk from Kaspersky. This launched IEXPLORER and the Trojan started up again.
So I re-ran CF, Kaspersky and HJT. New logs follow.
I don't see what it is that is connected to IEXPLORER that is getting activated.
-------------------
CF Log
-------------------
ComboFix 08-08-21.02 - Mike 2008-08-22 16:58:13.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.627 [GMT -7:00]
Running from: C:\Documents and Settings\Mike\Desktop\Combo-Fix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\mdelk.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.
2008-08-22 11:50 . 2008-08-22 17:35 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-22 11:50 . 2008-08-22 11:50 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-22 11:49 . 2008-08-22 11:49 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-22 11:49 . 2008-08-22 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-22 11:49 . 2008-08-22 17:27 7,526,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-22 11:49 . 2008-08-22 19:04 270,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-22 11:49 . 2008-08-22 17:27 60,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-22 11:49 . 2008-08-22 19:04 2,004 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-22 11:46 . 2008-08-22 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-22 11:46 . 2008-08-22 11:44 33,138,928 --a------ C:\Temp\kav8.0.0.454en.exe
2008-08-22 11:15 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-22 11:14 . 2008-08-22 11:14 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-22 11:13 . 2008-08-22 10:58 15,984,024 --a------ C:\Temp\jre-6u7-windows-i586-p-s.exe
2008-08-22 09:37 . 2008-08-22 11:30 <DIR> d-------- C:\Temp\backups
2008-08-16 19:03 . 2008-08-16 19:03 231,999 --a------ C:\Temp\Beagled.exe
2008-08-16 18:54 . 2008-08-16 18:58 <DIR> d-------- C:\ComboFix
2008-08-16 18:02 . 2008-08-16 18:16 250 --a------ C:\WINDOWS\gmer.ini
2008-08-16 18:01 . 2008-08-16 18:01 747,873 --a------ C:\Temp\gmer.zip
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-08-16 15:53 . 2008-08-16 15:53 401,720 --a------ C:\Temp\HiJackThis.exe
2008-08-16 15:52 . 2008-08-16 15:53 716,539 --a------ C:\Temp\HJTInstall.exe
2008-08-16 15:31 . 2006-04-25 08:01 704,520 --a------ C:\WINDOWS\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-16 13:50 . 2008-08-22 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-16 12:45 . 2008-08-16 16:28 15,083,520 --a------ C:\Temp\spybotsd160.exe
2008-08-16 12:17 . 2008-08-16 12:17 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Sunbelt Software
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-08-16 08:47 . 2008-08-16 08:47 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-08-16 08:45 . 2008-08-16 08:42 45,935,776 --a------ C:\Temp\counterspy.exe
2008-08-15 18:02 . 2008-08-15 18:02 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-16 15:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 18:01 . 2008-08-15 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-06 21:59 1,885,120 --a------ C:\Temp\mbam-setup.exe
2008-08-15 18:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-15 18:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-15 17:49 . 2008-08-15 19:14 <DIR> d-------- C:\Documents and Settings\Mike\.housecall6.6
2008-08-15 07:48 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-15 07:48 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 12:57 . 2008-08-14 12:57 <DIR> d-------- C:\Program Files\Safari
2008-08-12 11:30 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iPod
2008-08-12 11:29 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iTunes
2008-08-12 11:28 . 2008-08-12 11:28 <DIR> d-------- C:\Program Files\Bonjour
2008-08-12 11:22 . 2008-08-12 11:22 63,530,280 --a------ C:\Temp\iTunesSetup.exe
2008-08-04 22:46 . 2008-08-04 22:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-04 22:35 . 2008-08-04 22:35 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-04 22:02 . 2008-08-04 22:02 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-04 21:33 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-04 20:55 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-04 20:55 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-03 12:21 . 2008-08-03 12:21 2,108,504 --a------ C:\Temp\GPSMAP60CSx_370.exe
2008-08-03 12:13 . 2007-03-08 17:18 18,432 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2008-08-03 12:13 . 2006-02-20 11:25 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2008-08-03 12:13 . 2006-04-11 12:51 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2008-08-03 12:13 . 2006-07-11 12:50 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2008-08-03 12:13 . 2007-03-08 17:18 8,320 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2008-08-03 12:12 . 2008-08-03 21:28 <DIR> d-------- C:\Garmin
2008-07-29 20:21 . 2008-07-29 20:21 218,376 --a------ C:\WINDOWS\system32\klogon.dll
2008-07-29 20:20 . 2008-07-29 20:20 24,774 --a------ C:\WINDOWS\system32\drivers\klopp.dat
2008-07-29 11:10 . 2008-07-29 11:10 <DIR> d-------- C:\Program Files\Tech-Pro World Clock 2
2008-07-29 11:10 . 2008-02-04 02:10 237,776 --a------ C:\WINDOWS\system32\tpuninst.exe
2008-07-29 11:08 . 2008-07-29 11:08 2,428,088 --a------ C:\Temp\wc2setup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 02:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\Skype
2008-08-23 02:04 --------- d-----w C:\Documents and Settings\Mike\Application Data\D-Link Media Server
2008-08-22 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-22 18:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-22 18:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-22 18:15 --------- d-----w C:\Program Files\Java
2008-08-22 16:13 --------- d-----w C:\Program Files\Azureus
2008-08-16 02:09 --------- d-----w C:\Documents and Settings\Mike\Application Data\dvdcss
2008-08-15 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaMall
2008-08-15 00:24 --------- d-----w C:\Documents and Settings\Mike\Application Data\Apple Computer
2008-08-14 19:57 --------- d-----w C:\Program Files\Apple Software Update
2008-08-14 15:55 --------- d-----w C:\Documents and Settings\Mike\Application Data\Azureus
2008-08-12 18:28 --------- d-----w C:\Program Files\QuickTime
2008-08-10 20:41 --------- d-----w C:\Program Files\Internet Radio Recorder
2008-08-06 23:20 --------- d-----w C:\Program Files\Google
2008-08-03 20:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 00:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\MediaServerDump
2008-07-22 01:34 121,872 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-21 03:16 --------- d-----w C:\Program Files\Picasa2
2008-07-21 02:59 --------- d-----w C:\Program Files\Sun
2008-07-08 02:58 --------- d-----w C:\Program Files\D-Link Media Server
2008-07-08 02:22 --------- d-----w C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 01:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-04-30 18:49 92,064 -c--a-w C:\Documents and Settings\Mike\mqdmmdm.sys
2008-04-30 18:49 9,232 -c--a-w C:\Documents and Settings\Mike\mqdmmdfl.sys
2008-04-30 18:49 79,328 -c--a-w C:\Documents and Settings\Mike\mqdmserd.sys
2008-04-30 18:49 66,656 -c--a-w C:\Documents and Settings\Mike\mqdmbus.sys
2008-04-30 18:49 6,208 -c--a-w C:\Documents and Settings\Mike\mqdmcmnt.sys
2008-04-30 18:49 5,936 -c--a-w C:\Documents and Settings\Mike\mqdmwhnt.sys
2008-04-30 18:49 4,048 -c--a-w C:\Documents and Settings\Mike\mqdmcr.sys
2008-04-30 18:49 25,600 -c--a-w C:\Documents and Settings\Mike\usbsermptxp.sys
2008-04-30 18:49 22,768 -c--a-w C:\Documents and Settings\Mike\usbsermpt.sys
2007-05-29 05:17 81,920 ----a-w C:\Documents and Settings\Mike\Application Data\ezpinst.exe
2007-05-29 05:17 47,360 ----a-w C:\Documents and Settings\Mike\Application Data\pcouffin.sys
2006-03-19 16:36 13,824 -c--a-w C:\Documents and Settings\Mike\atwbxdet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-08-21_12.25.29.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-05 05:12:58 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-23 00:30:05 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-05 05:12:58 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-23 00:30:05 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-21 19:18:12 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-23 00:29:53 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-30 01:29:38 32,784 ----a-w C:\WINDOWS\system32\drivers\klbg.sys
+ 2008-08-22 18:48:55 213,008 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2008-05-01 01:06:48 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
- 2008-08-21 19:18:21 225,097 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-08-23 00:29:58 225,103 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-08-21 19:10:16 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-23 00:34:07 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-21 19:10:17 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-23 00:34:07 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07 196608]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-03-30 16:45 10065392]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09 698864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 20:20 206088]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]
C:\Documents and Settings\Mike\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-21 17:13:51 113664]
D-Link Media Server.lnk - C:\Program Files\D-Link Media Server\MediaGUI.exe [2008-07-07 19:58:32 1523831]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-03-13 19:02:09 25214]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552]
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2006-02-22 15:47:44 94295]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytoosl"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wcnotify]
2007-08-09 17:16 14656 C:\WINDOWS\system32\WcNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MediaMall\\MediaMallServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-10-28 20:21]
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-08-16 12:17]
R1 BeTwinSystem;BeTwinSystem;C:\WINDOWS\system32\Drivers\BeTwinSystem.sys [2007-08-09 17:15]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2000-01-07 10:00]
R2 MediaMall Server;MediaMall Server;C:\Program Files\MediaMall\MediaMallServer.exe [2007-10-09 16:57]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-21 03:56]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 18:06]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NativeTS
*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
2008-08-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-08-23 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean\RegClean.exe [2007-03-30 16:45]
2008-08-23 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean [2007-04-18 22:17]
2008-08-23 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]
2008-02-21 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]
2008-08-23 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C34135C4-C5CE-440A-B981-1BFF8E5F71A9}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\xx0vemed.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 19:04:58
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2008-08-22 19:17:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-23 02:16:59
ComboFix2.txt 2008-08-22 18:07:58
ComboFix3.txt 2008-08-21 22:49:53
ComboFix4.txt 2008-08-21 21:26:04
ComboFix5.txt 2008-08-22 23:55:52
Pre-Run: 118,557,425,664 bytes free
Post-Run: 118,497,886,208 bytes free
280
mhamilton
2008-08-23, 08:17
While waiting around I decided to try to download the recovery disk from Kaspersky. This process activated IEXPLORER and the Trojan started up again.
I reran CF, Kaspersky, and HJT. Logs follow.
I don't see what it is that is connected to IEXPLORER that is getting activated each time. It is not being removed by any of the cleaners.
----------------------------
CF log
---------------------------
ComboFix 08-08-21.02 - Mike 2008-08-22 16:58:13.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.627 [GMT -7:00]
Running from: C:\Documents and Settings\Mike\Desktop\Combo-Fix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\mdelk.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.
2008-08-22 11:50 . 2008-08-22 17:35 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-22 11:50 . 2008-08-22 11:50 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-22 11:49 . 2008-08-22 11:49 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-22 11:49 . 2008-08-22 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-22 11:49 . 2008-08-22 17:27 7,526,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-22 11:49 . 2008-08-22 19:04 270,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-22 11:49 . 2008-08-22 17:27 60,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-22 11:49 . 2008-08-22 19:04 2,004 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-22 11:46 . 2008-08-22 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-22 11:46 . 2008-08-22 11:44 33,138,928 --a------ C:\Temp\kav8.0.0.454en.exe
2008-08-22 11:15 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-22 11:14 . 2008-08-22 11:14 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-22 11:13 . 2008-08-22 10:58 15,984,024 --a------ C:\Temp\jre-6u7-windows-i586-p-s.exe
2008-08-22 09:37 . 2008-08-22 11:30 <DIR> d-------- C:\Temp\backups
2008-08-16 19:03 . 2008-08-16 19:03 231,999 --a------ C:\Temp\Beagled.exe
2008-08-16 18:54 . 2008-08-16 18:58 <DIR> d-------- C:\ComboFix
2008-08-16 18:02 . 2008-08-16 18:16 250 --a------ C:\WINDOWS\gmer.ini
2008-08-16 18:01 . 2008-08-16 18:01 747,873 --a------ C:\Temp\gmer.zip
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-08-16 15:53 . 2008-08-16 15:53 401,720 --a------ C:\Temp\HiJackThis.exe
2008-08-16 15:52 . 2008-08-16 15:53 716,539 --a------ C:\Temp\HJTInstall.exe
2008-08-16 15:31 . 2006-04-25 08:01 704,520 --a------ C:\WINDOWS\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-16 13:50 . 2008-08-22 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-16 12:45 . 2008-08-16 16:28 15,083,520 --a------ C:\Temp\spybotsd160.exe
2008-08-16 12:17 . 2008-08-16 12:17 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Sunbelt Software
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-08-16 08:47 . 2008-08-16 08:47 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-08-16 08:45 . 2008-08-16 08:42 45,935,776 --a------ C:\Temp\counterspy.exe
2008-08-15 18:02 . 2008-08-15 18:02 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-16 15:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 18:01 . 2008-08-15 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-06 21:59 1,885,120 --a------ C:\Temp\mbam-setup.exe
2008-08-15 18:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-15 18:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-15 17:49 . 2008-08-15 19:14 <DIR> d-------- C:\Documents and Settings\Mike\.housecall6.6
2008-08-15 07:48 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-15 07:48 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 12:57 . 2008-08-14 12:57 <DIR> d-------- C:\Program Files\Safari
2008-08-12 11:30 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iPod
2008-08-12 11:29 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iTunes
2008-08-12 11:28 . 2008-08-12 11:28 <DIR> d-------- C:\Program Files\Bonjour
2008-08-12 11:22 . 2008-08-12 11:22 63,530,280 --a------ C:\Temp\iTunesSetup.exe
2008-08-04 22:46 . 2008-08-04 22:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-04 22:35 . 2008-08-04 22:35 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-04 22:02 . 2008-08-04 22:02 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-04 21:33 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-04 20:55 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-04 20:55 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-03 12:21 . 2008-08-03 12:21 2,108,504 --a------ C:\Temp\GPSMAP60CSx_370.exe
2008-08-03 12:13 . 2007-03-08 17:18 18,432 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2008-08-03 12:13 . 2006-02-20 11:25 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2008-08-03 12:13 . 2006-04-11 12:51 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2008-08-03 12:13 . 2006-07-11 12:50 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2008-08-03 12:13 . 2007-03-08 17:18 8,320 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2008-08-03 12:12 . 2008-08-03 21:28 <DIR> d-------- C:\Garmin
2008-07-29 20:21 . 2008-07-29 20:21 218,376 --a------ C:\WINDOWS\system32\klogon.dll
2008-07-29 20:20 . 2008-07-29 20:20 24,774 --a------ C:\WINDOWS\system32\drivers\klopp.dat
2008-07-29 11:10 . 2008-07-29 11:10 <DIR> d-------- C:\Program Files\Tech-Pro World Clock 2
2008-07-29 11:10 . 2008-02-04 02:10 237,776 --a------ C:\WINDOWS\system32\tpuninst.exe
2008-07-29 11:08 . 2008-07-29 11:08 2,428,088 --a------ C:\Temp\wc2setup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 02:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\Skype
2008-08-23 02:04 --------- d-----w C:\Documents and Settings\Mike\Application Data\D-Link Media Server
2008-08-22 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-22 18:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-22 18:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-22 18:15 --------- d-----w C:\Program Files\Java
2008-08-22 16:13 --------- d-----w C:\Program Files\Azureus
2008-08-16 02:09 --------- d-----w C:\Documents and Settings\Mike\Application Data\dvdcss
2008-08-15 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaMall
2008-08-15 00:24 --------- d-----w C:\Documents and Settings\Mike\Application Data\Apple Computer
2008-08-14 19:57 --------- d-----w C:\Program Files\Apple Software Update
2008-08-14 15:55 --------- d-----w C:\Documents and Settings\Mike\Application Data\Azureus
2008-08-12 18:28 --------- d-----w C:\Program Files\QuickTime
2008-08-10 20:41 --------- d-----w C:\Program Files\Internet Radio Recorder
2008-08-06 23:20 --------- d-----w C:\Program Files\Google
2008-08-03 20:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 00:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\MediaServerDump
2008-07-22 01:34 121,872 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-21 03:16 --------- d-----w C:\Program Files\Picasa2
2008-07-21 02:59 --------- d-----w C:\Program Files\Sun
2008-07-08 02:58 --------- d-----w C:\Program Files\D-Link Media Server
2008-07-08 02:22 --------- d-----w C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 01:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-04-30 18:49 92,064 -c--a-w C:\Documents and Settings\Mike\mqdmmdm.sys
2008-04-30 18:49 9,232 -c--a-w C:\Documents and Settings\Mike\mqdmmdfl.sys
2008-04-30 18:49 79,328 -c--a-w C:\Documents and Settings\Mike\mqdmserd.sys
2008-04-30 18:49 66,656 -c--a-w C:\Documents and Settings\Mike\mqdmbus.sys
2008-04-30 18:49 6,208 -c--a-w C:\Documents and Settings\Mike\mqdmcmnt.sys
2008-04-30 18:49 5,936 -c--a-w C:\Documents and Settings\Mike\mqdmwhnt.sys
2008-04-30 18:49 4,048 -c--a-w C:\Documents and Settings\Mike\mqdmcr.sys
2008-04-30 18:49 25,600 -c--a-w C:\Documents and Settings\Mike\usbsermptxp.sys
2008-04-30 18:49 22,768 -c--a-w C:\Documents and Settings\Mike\usbsermpt.sys
2007-05-29 05:17 81,920 ----a-w C:\Documents and Settings\Mike\Application Data\ezpinst.exe
2007-05-29 05:17 47,360 ----a-w C:\Documents and Settings\Mike\Application Data\pcouffin.sys
2006-03-19 16:36 13,824 -c--a-w C:\Documents and Settings\Mike\atwbxdet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-08-21_12.25.29.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-05 05:12:58 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-23 00:30:05 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-05 05:12:58 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-23 00:30:05 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-21 19:18:12 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-23 00:29:53 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-30 01:29:38 32,784 ----a-w C:\WINDOWS\system32\drivers\klbg.sys
+ 2008-08-22 18:48:55 213,008 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2008-05-01 01:06:48 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
- 2008-08-21 19:18:21 225,097 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-08-23 00:29:58 225,103 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-08-21 19:10:16 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-23 00:34:07 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-21 19:10:17 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-23 00:34:07 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07 196608]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-03-30 16:45 10065392]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09 698864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 20:20 206088]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]
C:\Documents and Settings\Mike\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-21 17:13:51 113664]
D-Link Media Server.lnk - C:\Program Files\D-Link Media Server\MediaGUI.exe [2008-07-07 19:58:32 1523831]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-03-13 19:02:09 25214]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552]
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2006-02-22 15:47:44 94295]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytoosl"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wcnotify]
2007-08-09 17:16 14656 C:\WINDOWS\system32\WcNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MediaMall\\MediaMallServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-10-28 20:21]
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-08-16 12:17]
R1 BeTwinSystem;BeTwinSystem;C:\WINDOWS\system32\Drivers\BeTwinSystem.sys [2007-08-09 17:15]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2000-01-07 10:00]
R2 MediaMall Server;MediaMall Server;C:\Program Files\MediaMall\MediaMallServer.exe [2007-10-09 16:57]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-21 03:56]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 18:06]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NativeTS
*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
2008-08-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-08-23 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean\RegClean.exe [2007-03-30 16:45]
2008-08-23 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean [2007-04-18 22:17]
2008-08-23 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]
2008-02-21 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]
2008-08-23 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C34135C4-C5CE-440A-B981-1BFF8E5F71A9}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\xx0vemed.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 19:04:58
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2008-08-22 19:17:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-23 02:16:59
ComboFix2.txt 2008-08-22 18:07:58
ComboFix3.txt 2008-08-21 22:49:53
ComboFix4.txt 2008-08-21 21:26:04
ComboFix5.txt 2008-08-22 23:55:52
Pre-Run: 118,557,425,664 bytes free
Post-Run: 118,497,886,208 bytes free
280
mhamilton
2008-08-23, 08:27
Details of the first scan deleted from the log to save space... I don't know why it puts the second report in reverse order. This is the end chronologically.
----------------------------------------
2008-08-22 21:57 Task completed
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Yes_AntiVirus-Tool_Netsky-P_3.0.zip.vir/Yes_AntiVirus-Tool_Netsky-P_3.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Yes_AntiVirus-Tool_Netsky-P_3.0.zip.vir/Yes_AntiVirus-Tool_Netsky-P_3.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Xteq_URL_Bandit_1.2.zip.vir/Xteq_URL_Bandit_1.2.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Xteq_URL_Bandit_1.2.zip.vir/Xteq_URL_Bandit_1.2.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\XLPoints_Plus_1.3_(With_Crack).zip.vir/XLPoints_Plus_1.3_(With_Crack).exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\XLPoints_Plus_1.3_(With_Crack).zip.vir/XLPoints_Plus_1.3_(With_Crack).exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Xceed_Chart_for_ASP.NET_3.0.zip.vir/Xceed_Chart_for_ASP.NET_3.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Xceed_Chart_for_ASP.NET_3.0.zip.vir/Xceed_Chart_for_ASP.NET_3.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Wwhois_2.1.zip.vir/Wwhois_2.1.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Wwhois_2.1.zip.vir/Wwhois_2.1.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Word_Blaster_3.5.zip.vir/Word_Blaster_3.5.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Word_Blaster_3.5.zip.vir/Word_Blaster_3.5.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Woize_2.5.0.32959.zip.vir/Woize_2.5.0.32959.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Woize_2.5.0.32959.zip.vir/Woize_2.5.0.32959.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Windows_&_Internet_Cleaner_Pro_3.22_(Patch).zip.vir/Windows_&_Internet_Cleaner_Pro_3.22_(Patch).exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Windows_&_Internet_Cleaner_Pro_3.22_(Patch).zip.vir/Windows_&_Internet_Cleaner_Pro_3.22_(Patch).exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Web_Log_Explorer_3.31_Crack.zip.vir/Web_Log_Explorer_3.31_Crack.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Web_Log_Explorer_3.31_Crack.zip.vir/Web_Log_Explorer_3.31_Crack.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Virtual_Hypnotist_5.551.zip.vir/Virtual_Hypnotist_5.551.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Virtual_Hypnotist_5.551.zip.vir/Virtual_Hypnotist_5.551.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\VideoShotMaker_1.00.zip.vir/VideoShotMaker_1.00.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\VideoShotMaker_1.00.zip.vir/VideoShotMaker_1.00.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Video_Matrix_Screensaver_1.0.zip.vir/Video_Matrix_Screensaver_1.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Video_Matrix_Screensaver_1.0.zip.vir/Video_Matrix_Screensaver_1.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\US_meteo_by_sat_1.1.zip.vir/US_meteo_by_sat_1.1.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\US_meteo_by_sat_1.1.zip.vir/US_meteo_by_sat_1.1.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2004_Judge_Judy_Voice_Pack.zip.vir/Unreal_Tournament_2004_Judge_Judy_Voice_Pack.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2004_Judge_Judy_Voice_Pack.zip.vir/Unreal_Tournament_2004_Judge_Judy_Voice_Pack.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2003_-_Vertical_deathmatch_map.zip.vir/Unreal_Tournament_2003_-_Vertical_deathmatch_map.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2003_-_Vertical_deathmatch_map.zip.vir/Unreal_Tournament_2003_-_Vertical_deathmatch_map.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\TIFF_To_PDF_ActiveX_Component_2.0.2007.718_KeyGen.zip.vir/TIFF_To_PDF_ActiveX_Component_2.0.2007.718_KeyGen.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\TIFF_To_PDF_ActiveX_Component_2.0.2007.718_KeyGen.zip.vir/TIFF_To_PDF_ActiveX_Component_2.0.2007.718_KeyGen.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ThePlayground_1.0.zip.vir/ThePlayground_1.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ThePlayground_1.0.zip.vir/ThePlayground_1.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\The_Quiz_Press_1.8_Crack.zip.vir/The_Quiz_Press_1.8_Crack.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\The_Quiz_Press_1.8_Crack.zip.vir/The_Quiz_Press_1.8_Crack.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Text_Mnemonic_Generator_3.4.zip.vir/Text_Mnemonic_Generator_3.4.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Text_Mnemonic_Generator_3.4.zip.vir/Text_Mnemonic_Generator_3.4.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Tele-Cap_Professional_3.0.1.zip.vir/Tele-Cap_Professional_3.0.1.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Tele-Cap_Professional_3.0.1.zip.vir/Tele-Cap_Professional_3.0.1.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SunGlance_1.0_Serial.zip.vir/SunGlance_1.0_Serial.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SunGlance_1.0_Serial.zip.vir/SunGlance_1.0_Serial.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\StormWarn_1.2.zip.vir/StormWarn_1.2.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\StormWarn_1.2.zip.vir/StormWarn_1.2.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SQLWays_3.9.zip.vir/SQLWays_3.9.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SQLWays_3.9.zip.vir/SQLWays_3.9.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SpyCatcher_Express_2006_4.4.6.zip.vir/SpyCatcher_Express_2006_4.4.6.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SpyCatcher_Express_2006_4.4.6.zip.vir/SpyCatcher_Express_2006_4.4.6.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SpaceMan_99_3.1.zip.vir/SpaceMan_99_3.1.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SpaceMan_99_3.1.zip.vir/SpaceMan_99_3.1.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Source_Explorer_VS.NET_2003_plugin_1.0.zip.vir/Source_Explorer_VS.NET_2003_plugin_1.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Source_Explorer_VS.NET_2003_plugin_1.0.zip.vir/Source_Explorer_VS.NET_2003_plugin_1.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Snail_Mail_1.0.zip.vir/Snail_Mail_1.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Snail_Mail_1.0.zip.vir/Snail_Mail_1.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ShowFont_-_Windows_Font_Lister_1.12.zip.vir/ShowFont_-_Windows_Font_Lister_1.12.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ShowFont_-_Windows_Font_Lister_1.12.zip.vir/ShowFont_-_Windows_Font_Lister_1.12.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Shadow_Professional_2.7_(Crack).zip.vir/Shadow_Professional_2.7_(Crack).exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Shadow_Professional_2.7_(Crack).zip.vir/Shadow_Professional_2.7_(Crack).exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SGadget_1.2_Cracked.zip.vir/SGadget_1.2_Cracked.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SGadget_1.2_Cracked.zip.vir/SGadget_1.2_Cracked.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Serial_Port_Monitor_3.zip.vir/Serial_Port_Monitor_3.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Serial_Port_Monitor_3.zip.vir/Serial_Port_Monitor_3.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Sea_Bounty_1.1.zip.vir/Sea_Bounty_1.1.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Sea_Bounty_1.1.zip.vir/Sea_Bounty_1.1.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Robot_Shut_Down_5.0.zip.vir/Robot_Shut_Down_5.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Robot_Shut_Down_5.0.zip.vir/Robot_Shut_Down_5.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Rmvb_Rm_Fix_Repair_Joiner_3.23_Cracked.zip.vir/Rmvb_Rm_Fix_Repair_Joiner_3.23_Cracked.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Rmvb_Rm_Fix_Repair_Joiner_3.23_Cracked.zip.vir/Rmvb_Rm_Fix_Repair_Joiner_3.23_Cracked.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ACA_Capture_Pro_5.50_(KeyGen).zip.vir/ACA_Capture_Pro_5.50_(KeyGen).exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ABCUpload_.NET_5.3.0.zip.vir/ABCUpload_.NET_5.3.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ABCUpload_.NET_5.3.0.zip.vir/ABCUpload_.NET_5.3.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\[HGame_XP][AVG][jpn_jpn][æ„›ã®ãƒã‚«ãƒ©].zip.vir/[HGame_XP][AVG][jpn_jpn][µä¢pü«pâüpé½pâ¬].exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\[HGame_XP][AVG][jpn_jpn][æ„›ã®ãƒã‚«ãƒ©].zip.vir/[HGame_XP][AVG][jpn_jpn][µä¢pü«pâüpé½pâ¬].exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\3D_Ultra_NASCAR_Pinball_1.0.zip.vir/3D_Ultra_NASCAR_Pinball_1.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\3D_Ultra_NASCAR_Pinball_1.0.zip.vir/3D_Ultra_NASCAR_Pinball_1.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\3D_Haunting_Halloween_Screensaver_1.0_[Cracked].zip.vir/3D_Haunting_Halloween_Screensaver_1.0_[Cracked].exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\3D_Haunting_Halloween_Screensaver_1.0_[Cracked].zip.vir/3D_Haunting_Halloween_Screensaver_1.0_[Cracked].exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\131_Ice_Cream_Maker_Recipes_1.0_Patch.zip.vir/131_Ice_Cream_Maker_Recipes_1.0_Patch.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\131_Ice_Cream_Maker_Recipes_1.0_Patch.zip.vir/131_Ice_Cream_Maker_Recipes_1.0_Patch.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\windows\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\windows\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP2\A0002240.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP2\A0002240.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002223.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002223.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002164.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002164.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002067.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002067.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004069.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004069.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004068.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004068.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003954.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003954.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003953.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003953.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\mdelk.exe.vir
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\mdelk.exe.vir
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\hldrrr.exe.vir
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\hldrrr.exe.vir
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\data.oct.vir
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\data.oct.vir
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2008-08-22 21:54 Detected: Trojan-Downloader.Win32.Bagle.yd c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2008-08-22 21:25 Detected: http://www.viruslist.com/en/advisories/31010 G:\Temp\matlab704\java\jre\win32\jre\bin\java.exe
2008-08-22 21:02 Detected: http://www.viruslist.com/en/advisories/31010 G:\IEGD\IEGD_6_1_Gold\jre\bin\javaws.exe
2008-08-22 20:58 Untreated: Trojan-Downloader.Win32.Bagle.yd c:\windows\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd Postponed
mhamilton
2008-08-23, 08:28
2008-08-22 20:58 Detected: Trojan-Downloader.Win32.Bagle.yd c:\windows\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-22 20:50 Detected: http://www.viruslist.com/en/advisories/25570 c:\windows\Downloaded Program Files\vete.dll
2008-08-22 20:45 Detected: http://www.viruslist.com/en/advisories/31010 c:\windows\java.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yd c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\mdelk.exe.vir Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yd c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\mdelk.exe.vir
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yd c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\hldrrr.exe.vir Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yd c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\hldrrr.exe.vir
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\[HGame_XP][AVG][jpn_jpn][æ„›ã®ãƒã‚«ãƒ©].zip.vir/[HGame_XP][AVG][jpn_jpn][µä¢pü«pâüpé½pâ¬].exe Postponed
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Xteq_URL_Bandit_1.2.zip.vir/Xteq_URL_Bandit_1.2.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\[HGame_XP][AVG][jpn_jpn][æ„›ã®ãƒã‚«ãƒ©].zip.vir/[HGame_XP][AVG][jpn_jpn][µä¢pü«pâüpé½pâ¬].exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Yes_AntiVirus-Tool_Netsky-P_3.0.zip.vir/Yes_AntiVirus-Tool_Netsky-P_3.0.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Xteq_URL_Bandit_1.2.zip.vir/Xteq_URL_Bandit_1.2.exe
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Yes_AntiVirus-Tool_Netsky-P_3.0.zip.vir/Yes_AntiVirus-Tool_Netsky-P_3.0.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\XLPoints_Plus_1.3_(With_Crack).zip.vir/XLPoints_Plus_1.3_(With_Crack).exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\XLPoints_Plus_1.3_(With_Crack).zip.vir/XLPoints_Plus_1.3_(With_Crack).exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Xceed_Chart_for_ASP.NET_3.0.zip.vir/Xceed_Chart_for_ASP.NET_3.0.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Xceed_Chart_for_ASP.NET_3.0.zip.vir/Xceed_Chart_for_ASP.NET_3.0.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Wwhois_2.1.zip.vir/Wwhois_2.1.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Wwhois_2.1.zip.vir/Wwhois_2.1.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Windows_&_Internet_Cleaner_Pro_3.22_(Patch).zip.vir/Windows_&_Internet_Cleaner_Pro_3.22_(Patch).exe Postponed
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Woize_2.5.0.32959.zip.vir/Woize_2.5.0.32959.exe Postponed
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Word_Blaster_3.5.zip.vir/Word_Blaster_3.5.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Windows_&_Internet_Cleaner_Pro_3.22_(Patch).zip.vir/Windows_&_Internet_Cleaner_Pro_3.22_(Patch).exe
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Woize_2.5.0.32959.zip.vir/Woize_2.5.0.32959.exe
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Word_Blaster_3.5.zip.vir/Word_Blaster_3.5.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Web_Log_Explorer_3.31_Crack.zip.vir/Web_Log_Explorer_3.31_Crack.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Web_Log_Explorer_3.31_Crack.zip.vir/Web_Log_Explorer_3.31_Crack.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Virtual_Hypnotist_5.551.zip.vir/Virtual_Hypnotist_5.551.exe Postponed
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Video_Matrix_Screensaver_1.0.zip.vir/Video_Matrix_Screensaver_1.0.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Virtual_Hypnotist_5.551.zip.vir/Virtual_Hypnotist_5.551.exe
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Video_Matrix_Screensaver_1.0.zip.vir/Video_Matrix_Screensaver_1.0.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\VideoShotMaker_1.00.zip.vir/VideoShotMaker_1.00.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\VideoShotMaker_1.00.zip.vir/VideoShotMaker_1.00.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\US_meteo_by_sat_1.1.zip.vir/US_meteo_by_sat_1.1.exe Postponed
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2004_Judge_Judy_Voice_Pack.zip.vir/Unreal_Tournament_2004_Judge_Judy_Voice_Pack.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\US_meteo_by_sat_1.1.zip.vir/US_meteo_by_sat_1.1.exe
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2004_Judge_Judy_Voice_Pack.zip.vir/Unreal_Tournament_2004_Judge_Judy_Voice_Pack.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2003_-_Vertical_deathmatch_map.zip.vir/Unreal_Tournament_2003_-_Vertical_deathmatch_map.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2003_-_Vertical_deathmatch_map.zip.vir/Unreal_Tournament_2003_-_Vertical_deathmatch_map.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\TIFF_To_PDF_ActiveX_Component_2.0.2007.718_KeyGen.zip.vir/TIFF_To_PDF_ActiveX_Component_2.0.2007.718_KeyGen.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\TIFF_To_PDF_ActiveX_Component_2.0.2007.718_KeyGen.zip.vir/TIFF_To_PDF_ActiveX_Component_2.0.2007.718_KeyGen.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\The_Quiz_Press_1.8_Crack.zip.vir/The_Quiz_Press_1.8_Crack.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\The_Quiz_Press_1.8_Crack.zip.vir/The_Quiz_Press_1.8_Crack.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ThePlayground_1.0.zip.vir/ThePlayground_1.0.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ThePlayground_1.0.zip.vir/ThePlayground_1.0.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SunGlance_1.0_Serial.zip.vir/SunGlance_1.0_Serial.exe Postponed
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Text_Mnemonic_Generator_3.4.zip.vir/Text_Mnemonic_Generator_3.4.exe Postponed
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Tele-Cap_Professional_3.0.1.zip.vir/Tele-Cap_Professional_3.0.1.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SunGlance_1.0_Serial.zip.vir/SunGlance_1.0_Serial.exe
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Text_Mnemonic_Generator_3.4.zip.vir/Text_Mnemonic_Generator_3.4.exe
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Tele-Cap_Professional_3.0.1.zip.vir/Tele-Cap_Professional_3.0.1.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\StormWarn_1.2.zip.vir/StormWarn_1.2.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\StormWarn_1.2.zip.vir/StormWarn_1.2.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SQLWays_3.9.zip.vir/SQLWays_3.9.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SQLWays_3.9.zip.vir/SQLWays_3.9.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SpaceMan_99_3.1.zip.vir/SpaceMan_99_3.1.exe Postponed
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SpyCatcher_Express_2006_4.4.6.zip.vir/SpyCatcher_Express_2006_4.4.6.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SpyCatcher_Express_2006_4.4.6.zip.vir/SpyCatcher_Express_2006_4.4.6.exe
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SpaceMan_99_3.1.zip.vir/SpaceMan_99_3.1.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Source_Explorer_VS.NET_2003_plugin_1.0.zip.vir/Source_Explorer_VS.NET_2003_plugin_1.0.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Source_Explorer_VS.NET_2003_plugin_1.0.zip.vir/Source_Explorer_VS.NET_2003_plugin_1.0.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Shadow_Professional_2.7_(Crack).zip.vir/Shadow_Professional_2.7_(Crack).exe Postponed
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ShowFont_-_Windows_Font_Lister_1.12.zip.vir/ShowFont_-_Windows_Font_Lister_1.12.exe Postponed
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Snail_Mail_1.0.zip.vir/Snail_Mail_1.0.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ShowFont_-_Windows_Font_Lister_1.12.zip.vir/ShowFont_-_Windows_Font_Lister_1.12.exe
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Snail_Mail_1.0.zip.vir/Snail_Mail_1.0.exe
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Shadow_Professional_2.7_(Crack).zip.vir/Shadow_Professional_2.7_(Crack).exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Serial_Port_Monitor_3.zip.vir/Serial_Port_Monitor_3.exe Postponed
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SGadget_1.2_Cracked.zip.vir/SGadget_1.2_Cracked.exe Postponed
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Sea_Bounty_1.1.zip.vir/Sea_Bounty_1.1.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SGadget_1.2_Cracked.zip.vir/SGadget_1.2_Cracked.exe
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Serial_Port_Monitor_3.zip.vir/Serial_Port_Monitor_3.exe
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Sea_Bounty_1.1.zip.vir/Sea_Bounty_1.1.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Robot_Shut_Down_5.0.zip.vir/Robot_Shut_Down_5.0.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Robot_Shut_Down_5.0.zip.vir/Robot_Shut_Down_5.0.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ProTarot_Reader_2.0.58_(Patch).zip.vir/ProTarot_Reader_2.0.58_(Patch).exe Postponed
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Rmvb_Rm_Fix_Repair_Joiner_3.23_Cracked.zip.vir/Rmvb_Rm_Fix_Repair_Joiner_3.23_Cracked.exe Postponed
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PlugAdmin_Windows_1.0_Crack.zip.vir/PlugAdmin_Windows_1.0_Crack.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Rmvb_Rm_Fix_Repair_Joiner_3.23_Cracked.zip.vir/Rmvb_Rm_Fix_Repair_Joiner_3.23_Cracked.exe
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ProTarot_Reader_2.0.58_(Patch).zip.vir/ProTarot_Reader_2.0.58_(Patch).exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PrintPictures_1.0.zip.vir/PrintPictures_1.0.exe Postponed
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PrintPictures_1.0.zip.vir/PrintPictures_1.0.exe
2008-08-22 20:43 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PlugAdmin_Windows_1.0_Crack.zip.vir/PlugAdmin_Windows_1.0_Crack.exe
2008-08-22 20:43 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Playtonium_Jigsaw_Patterns_in_Nature_1.0.zip.vir/Playtonium_Jigsaw_Patterns_in_Nature_1.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Playtonium_Jigsaw_Patterns_in_Nature_1.0.zip.vir/Playtonium_Jigsaw_Patterns_in_Nature_1.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PHPRunner_4.0_Build_265.zip.vir/PHPRunner_4.0_Build_265.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PHPRunner_4.0_Build_265.zip.vir/PHPRunner_4.0_Build_265.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PhotoLine_32_12.02.zip.vir/PhotoLine_32_12.02.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PhotoLine_32_12.02.zip.vir/PhotoLine_32_12.02.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PhotoElf_4.0.18_[With_Crack].zip.vir/PhotoElf_4.0.18_[With_Crack].exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PC_Recent_1.1.0_Key.zip.vir/PC_Recent_1.1.0_Key.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PhotoElf_4.0.18_[With_Crack].zip.vir/PhotoElf_4.0.18_[With_Crack].exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PDB_Creator_Pro_1.0.2.zip.vir/PDB_Creator_Pro_1.0.2.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PDB_Creator_Pro_1.0.2.zip.vir/PDB_Creator_Pro_1.0.2.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PC_Recent_1.1.0_Key.zip.vir/PC_Recent_1.1.0_Key.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Password_Recovery_Software_2.1.zip.vir/Password_Recovery_Software_2.1.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Patterns_of_Nature_Screensaver_2.0.zip.vir/Patterns_of_Nature_Screensaver_2.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Patterns_of_Nature_Screensaver_2.0.zip.vir/Patterns_of_Nature_Screensaver_2.0.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Password_Recovery_Software_2.1.zip.vir/Password_Recovery_Software_2.1.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Panzer_Elite_Action_Fields_of_Glory_multiplayer_demo.zip.vir/Panzer_Elite_Action_Fields_of_Glory_multiplayer_demo.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Panzer_Elite_Action_Fields_of_Glory_multiplayer_demo.zip.vir/Panzer_Elite_Action_Fields_of_Glory_multiplayer_demo.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Paintball_Office_Pro_2.0.zip.vir/Paintball_Office_Pro_2.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Paintball_Office_Pro_2.0.zip.vir/Paintball_Office_Pro_2.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\OutlookFIX_Repair_and_Undelete_2.09_[Serial].zip.vir/OutlookFIX_Repair_and_Undelete_2.09_[Serial].exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Neo_Pro_3.1.374.zip.vir/Neo_Pro_3.1.374.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\OutlookFIX_Repair_and_Undelete_2.09_[Serial].zip.vir/OutlookFIX_Repair_and_Undelete_2.09_[Serial].exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\OutClock_1.1.zip.vir/OutClock_1.1.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\OutClock_1.1.zip.vir/OutClock_1.1.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Neo_Pro_3.1.374.zip.vir/Neo_Pro_3.1.374.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MyJgui_0.5.3.zip.vir/MyJgui_0.5.3.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\My_Downloads_1.4.zip.vir/My_Downloads_1.4.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\My_Downloads_1.4.zip.vir/My_Downloads_1.4.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MyJgui_0.5.3.zip.vir/MyJgui_0.5.3.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Multiplayer_Championship_Poker_(Pocket_PC)_4.zip.vir/Multiplayer_Championship_Poker_(Pocket_PC)_4.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Multiplayer_Championship_Poker_(Pocket_PC)_4.zip.vir/Multiplayer_Championship_Poker_(Pocket_PC)_4.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MSN_Cartoon_Avatar_Display_Pack_1.0.zip.vir/MSN_Cartoon_Avatar_Display_Pack_1.0.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MSN_Webcam_Recorder_9.1.zip.vir/MSN_Webcam_Recorder_9.1.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MSN_Cartoon_Avatar_Display_Pack_1.0.zip.vir/MSN_Cartoon_Avatar_Display_Pack_1.0.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MSN_Webcam_Recorder_9.1.zip.vir/MSN_Webcam_Recorder_9.1.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MouseClock_3.2_[Patch].zip.vir/MouseClock_3.2_[Patch].exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MouseMeter_0.1.3.zip.vir/MouseMeter_0.1.3.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MouseMeter_0.1.3.zip.vir/MouseMeter_0.1.3.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MouseClock_3.2_[Patch].zip.vir/MouseClock_3.2_[Patch].exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Minister_Scheduler_Pro_1.0.zip.vir/Minister_Scheduler_Pro_1.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Minister_Scheduler_Pro_1.0.zip.vir/Minister_Scheduler_Pro_1.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MindStudio_Vocab_1.0.zip.vir/MindStudio_Vocab_1.0.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MindVisualizer_Standard_1.4.4.0_(Serial).zip.vir/MindVisualizer_Standard_1.4.4.0_(Serial).exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Meteor_1.1.zip.vir/Meteor_1.1.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MindVisualizer_Standard_1.4.4.0_(Serial).zip.vir/MindVisualizer_Standard_1.4.4.0_(Serial).exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MindStudio_Vocab_1.0.zip.vir/MindStudio_Vocab_1.0.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Meteor_1.1.zip.vir/Meteor_1.1.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Medal_of_Honor_Allied_Assault_Spearhead_-_Southern_France_map.zip.vir/Medal_of_Honor_Allied_Assault_Spearhead_-_Southern_France_map.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Medal_of_Honor_Allied_Assault_Spearhead_-_Southern_France_map.zip.vir/Medal_of_Honor_Allied_Assault_Spearhead_-_Southern_France_map.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Mcafee.Virus.Scan.Professional.Edition.8.0-Ita.zip.vir/Mcafee.Virus.Scan.Professional.Edition.8.0-Ita.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MarsEdit_1.0.zip.vir/MarsEdit_1.0.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\McAfee.VirusScan.10.0.zip.vir/McAfee.VirusScan.10.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\McAfee.VirusScan.10.0.zip.vir/McAfee.VirusScan.10.0.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Mcafee.Virus.Scan.Professional.Edition.8.0-Ita.zip.vir/Mcafee.Virus.Scan.Professional.Edition.8.0-Ita.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MarsEdit_1.0.zip.vir/MarsEdit_1.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Live_Search_Podcast_1.1.zip.vir/Live_Search_Podcast_1.1.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Live_Search_Podcast_1.1.zip.vir/Live_Search_Podcast_1.1.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Klinzter_Script_4.2.zip.vir/Klinzter_Script_4.2.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Link_Folder_1.0.zip.vir/Link_Folder_1.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Link_Folder_1.0.zip.vir/Link_Folder_1.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\IPComboBox_OCX_1.0.0.1.zip.vir/IPComboBox_OCX_1.0.0.1.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Klinzter_Script_4.2.zip.vir/Klinzter_Script_4.2.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Libcurl.NET_1.3.zip.vir/Libcurl.NET_1.3.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Libcurl.NET_1.3.zip.vir/Libcurl.NET_1.3.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\IPComboBox_OCX_1.0.0.1.zip.vir/IPComboBox_OCX_1.0.0.1.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\IP_Monitor_5.1.zip.vir/IP_Monitor_5.1.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\IP_Monitor_5.1.zip.vir/IP_Monitor_5.1.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Internet_Explorer_Password_Recovery_Master_1.4.zip.vir/Internet_Explorer_Password_Recovery_Master_1.4.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\HSLAB_Logger_3.4.28.124_With_Crack.zip.vir/HSLAB_Logger_3.4.28.124_With_Crack.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Internet_Explorer_Password_Recovery_Master_1.4.zip.vir/Internet_Explorer_Password_Recovery_Master_1.4.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\HSLAB_Logger_3.4.28.124_With_Crack.zip.vir/HSLAB_Logger_3.4.28.124_With_Crack.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\imeem_2.4.38.2476.zip.vir/imeem_2.4.38.2476.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\imeem_2.4.38.2476.zip.vir/imeem_2.4.38.2476.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Greek_Formulae_1.0.zip.vir/Greek_Formulae_1.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Greek_Formulae_1.0.zip.vir/Greek_Formulae_1.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Hawaii_Screensaver_4.0.zip.vir/Hawaii_Screensaver_4.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Hawaii_Screensaver_4.0.zip.vir/Hawaii_Screensaver_4.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Go_Game_Hamete_and_Overplay_for_Smartphone_1.1.zip.vir/Go_Game_Hamete_and_Overplay_for_Smartphone_1.1.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\GrabJPG_1.12.zip.vir/GrabJPG_1.12.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\GrabJPG_1.12.zip.vir/GrabJPG_1.12.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Go_Game_Hamete_and_Overplay_for_Smartphone_1.1.zip.vir/Go_Game_Hamete_and_Overplay_for_Smartphone_1.1.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Ghost_MP3_CD_Maker_2.0.zip.vir/Ghost_MP3_CD_Maker_2.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Ghost_MP3_CD_Maker_2.0.zip.vir/Ghost_MP3_CD_Maker_2.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\FirePanel_XP_2.2.0.0_(Patch).zip.vir/FirePanel_XP_2.2.0.0_(Patch).exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\FastPhpInsert_News-Slide-Protected_page_1.0_Key+Serial.zip.vir/FastPhpInsert_News-Slide-Protected_page_1.0_Key+Serial.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\FotoTime_FotoAlbum_Pro_5.3.1.4_Cracked.zip.vir/FotoTime_FotoAlbum_Pro_5.3.1.4_Cracked.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\FotoTime_FotoAlbum_Pro_5.3.1.4_Cracked.zip.vir/FotoTime_FotoAlbum_Pro_5.3.1.4_Cracked.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\FirePanel_XP_2.2.0.0_(Patch).zip.vir/FirePanel_XP_2.2.0.0_(Patch).exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\FastPhpInsert_News-Slide-Protected_page_1.0_Key+Serial.zip.vir/FastPhpInsert_News-Slide-Protected_page_1.0_Key+Serial.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Fast_Port_Scanner_1.0.zip.vir/Fast_Port_Scanner_1.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Fast_Port_Scanner_1.0.zip.vir/Fast_Port_Scanner_1.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\F-Prot.Antivirus.for.Windows.v3.16.Retail-DVT.zip.vir/F-Prot.Antivirus.for.Windows.v3.16.Retail-DVT.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\F-Prot.Antivirus.for.Windows.v3.16.Retail-DVT.zip.vir/F-Prot.Antivirus.for.Windows.v3.16.Retail-DVT.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Email_Collector_Lite_1.6.8.zip.vir/Email_Collector_Lite_1.6.8.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\EZRound_2.1.zip.vir/EZRound_2.1.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\EZRound_2.1.zip.vir/EZRound_2.1.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Email_Collector_Lite_1.6.8.zip.vir/Email_Collector_Lite_1.6.8.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Egypt_of_David_Roberts_1.0.zip.vir/Egypt_of_David_Roberts_1.0.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Express_Tax_Refund_1.0.zip.vir/Express_Tax_Refund_1.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Express_Tax_Refund_1.0.zip.vir/Express_Tax_Refund_1.0.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Egypt_of_David_Roberts_1.0.zip.vir/Egypt_of_David_Roberts_1.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\EF_CheckSum_Manager_4.30_[Crack].zip.vir/EF_CheckSum_Manager_4.30_[Crack].exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\EF_CheckSum_Manager_4.30_[Crack].zip.vir/EF_CheckSum_Manager_4.30_[Crack].exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\E-mail_Redemption_for_Outlook_1.6.zip.vir/E-mail_Redemption_for_Outlook_1.6.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\EcoKeno_3.74.zip.vir/EcoKeno_3.74.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\EcoKeno_3.74.zip.vir/EcoKeno_3.74.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\E-mail_Redemption_for_Outlook_1.6.zip.vir/E-mail_Redemption_for_Outlook_1.6.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Dynamic_DBTreeView_1.8.zip.vir/Dynamic_DBTreeView_1.8.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\E-Converter_1.50.zip.vir/E-Converter_1.50.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\E-Converter_1.50.zip.vir/E-Converter_1.50.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Dynamic_DBTreeView_1.8.zip.vir/Dynamic_DBTreeView_1.8.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\DNS_Redirector_6.3.1_Crack.zip.vir/DNS_Redirector_6.3.1_Crack.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\DNS_Redirector_6.3.1_Crack.zip.vir/DNS_Redirector_6.3.1_Crack.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\DXMan_1.10.zip.vir/DXMan_1.10.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\DXMan_1.10.zip.vir/DXMan_1.10.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\DiskViz_-_Link_Checker_1.0_[Patch].zip.vir/DiskViz_-_Link_Checker_1.0_[Patch].exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Claxa_1.0.zip.vir/Claxa_1.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\DiskViz_-_Link_Checker_1.0_[Patch].zip.vir/DiskViz_-_Link_Checker_1.0_[Patch].exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\CD_WAVE_Ripper_1.0.zip.vir/CD_WAVE_Ripper_1.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Claxa_1.0.zip.vir/Claxa_1.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\CutePage_CoolText_1.5.zip.vir/CutePage_CoolText_1.5.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\CutePage_CoolText_1.5.zip.vir/CutePage_CoolText_1.5.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\CD_WAVE_Ripper_1.0.zip.vir/CD_WAVE_Ripper_1.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Christian_Virtual_Hymnal_2.zip.vir/Christian_Virtual_Hymnal_2.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Christian_Virtual_Hymnal_2.zip.vir/Christian_Virtual_Hymnal_2.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\CATLearn_Reader_1.1.zip.vir/CATLearn_Reader_1.1.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\CATLearn_Reader_1.1.zip.vir/CATLearn_Reader_1.1.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Bukster_Link_Generator_1.0.zip.vir/Bukster_Link_Generator_1.0.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\BT_Engine_4.8_build_0605.zip.vir/BT_Engine_4.8_build_0605.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Business_Card_Printer_2.0.zip.vir/Business_Card_Printer_2.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Business_Card_Printer_2.0.zip.vir/Business_Card_Printer_2.0.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\BT_Engine_4.8_build_0605.zip.vir/BT_Engine_4.8_build_0605.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Bukster_Link_Generator_1.0.zip.vir/Bukster_Link_Generator_1.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Bronze_Sculpture_Jigsaw_Puzzle_45pcs.zip.vir/Bronze_Sculpture_Jigsaw_Puzzle_45pcs.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Bronze_Sculpture_Jigsaw_Puzzle_45pcs.zip.vir/Bronze_Sculpture_Jigsaw_Puzzle_45pcs.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Boombox_Granny_Demo_Screensaver_1.0.zip.vir/Boombox_Granny_Demo_Screensaver_1.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Boombox_Granny_Demo_Screensaver_1.0.zip.vir/Boombox_Granny_Demo_Screensaver_1.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Beta_Program_Bug_&_Feature_Database_1.0_Cracked.zip.vir/Beta_Program_Bug_&_Feature_Database_1.0_Cracked.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\BidSolid_1.06.zip.vir/BidSolid_1.06.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Backup_Chunker_2.0.zip.vir/Backup_Chunker_2.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\BidSolid_1.06.zip.vir/BidSolid_1.06.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Beta_Program_Bug_&_Feature_Database_1.0_Cracked.zip.vir/Beta_Program_Bug_&_Feature_Database_1.0_Cracked.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Backup_Chunker_2.0.zip.vir/Backup_Chunker_2.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Backup_Premium_2.5_[Patch].zip.vir/Backup_Premium_2.5_[Patch].exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Backup_Premium_2.5_[Patch].zip.vir/Backup_Premium_2.5_[Patch].exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Avoirdupois_Weight_Measure_Converter_1.zip.vir/Avoirdupois_Weight_Measure_Converter_1.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Aplus_DVD_Creator_4.52.zip.vir/Aplus_DVD_Creator_4.52.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Avoirdupois_Weight_Measure_Converter_1.zip.vir/Avoirdupois_Weight_Measure_Converter_1.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ApHeMo_1.5.0.8.zip.vir/ApHeMo_1.5.0.8.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Aplus_DVD_Creator_4.52.zip.vir/Aplus_DVD_Creator_4.52.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AppSpy_2.3_(Key).zip.vir/AppSpy_2.3_(Key).exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ApHeMo_1.5.0.8.zip.vir/ApHeMo_1.5.0.8.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AppSpy_2.3_(Key).zip.vir/AppSpy_2.3_(Key).exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Anubis_P2P_1.4.zip.vir/Anubis_P2P_1.4.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AnyForm_5.0.zip.vir/AnyForm_5.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AnyForm_5.0.zip.vir/AnyForm_5.0.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Anubis_P2P_1.4.zip.vir/Anubis_P2P_1.4.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AllPeers_0.55.1_Beta.zip.vir/AllPeers_0.55.1_Beta.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AntiVir.PersonalEdition.Premium.v7.+.VDF.v6.34.00.48.+.Lizenz.Key.zip.vir/AntiVir.PersonalEdition.Premium.v7.+.VDF.v6.34.00.48.+.Lizenz.Key.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AllPeers_0.55.1_Beta.zip.vir/AllPeers_0.55.1_Beta.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AntiVir.PersonalEdition.Premium.v7.+.VDF.v6.34.00.48.+.Lizenz.Key.zip.vir/AntiVir.PersonalEdition.Premium.v7.+.VDF.v6.34.00.48.+.Lizenz.Key.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Aide_Onlinometer_1.70_Key+Serial.zip.vir/Aide_Onlinometer_1.70_Key+Serial.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Air_Messenger_Pro_6.7.4.zip.vir/Air_Messenger_Pro_6.7.4.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Aide_Onlinometer_1.70_Key+Serial.zip.vir/Aide_Onlinometer_1.70_Key+Serial.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Air_Messenger_Pro_6.7.4.zip.vir/Air_Messenger_Pro_6.7.4.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Advanced_StartUp_Manager_1.41_With_Crack.zip.vir/Advanced_StartUp_Manager_1.41_With_Crack.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Advanced_StartUp_Manager_1.41_With_Crack.zip.vir/Advanced_StartUp_Manager_1.41_With_Crack.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Advanced_PDF_Generator_1.1.3.0_(Patch).zip.vir/Advanced_PDF_Generator_1.1.3.0_(Patch).exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Advanced_PDF_Generator_1.1.3.0_(Patch).zip.vir/Advanced_PDF_Generator_1.1.3.0_(Patch).exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Adoc2PDF_1.2.zip.vir/Adoc2PDF_1.2.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ABCUpload_.NET_5.3.0.zip.vir/ABCUpload_.NET_5.3.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Adoc2PDF_1.2.zip.vir/Adoc2PDF_1.2.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ACA_Capture_Pro_5.50_(KeyGen).zip.vir/ACA_Capture_Pro_5.50_(KeyGen).exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ACA_Capture_Pro_5.50_(KeyGen).zip.vir/ACA_Capture_Pro_5.50_(KeyGen).exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ABCUpload_.NET_5.3.0.zip.vir/ABCUpload_.NET_5.3.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\data.oct.vir Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\3D_Ultra_NASCAR_Pinball_1.0.zip.vir/3D_Ultra_NASCAR_Pinball_1.0.exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\data.oct.vir
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\3D_Ultra_NASCAR_Pinball_1.0.zip.vir/3D_Ultra_NASCAR_Pinball_1.0.exe
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\131_Ice_Cream_Maker_Recipes_1.0_Patch.zip.vir/131_Ice_Cream_Maker_Recipes_1.0_Patch.exe Postponed
2008-08-22 20:42 Untreated: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\3D_Haunting_Halloween_Screensaver_1.0_[Cracked].zip.vir/3D_Haunting_Halloween_Screensaver_1.0_[Cracked].exe Postponed
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\131_Ice_Cream_Maker_Recipes_1.0_Patch.zip.vir/131_Ice_Cream_Maker_Recipes_1.0_Patch.exe
2008-08-22 20:42 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\3D_Haunting_Halloween_Screensaver_1.0_[Cracked].zip.vir/3D_Haunting_Halloween_Screensaver_1.0_[Cracked].exe
2008-08-22 20:39 Detected: http://www.viruslist.com/en/advisories/28083 c:\program files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Flash.ocx
2008-08-22 20:37 Detected: http://www.viruslist.com/en/advisories/28083 c:\program files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead DMF Launcher 2.0\Flash.ocx
2008-08-22 20:36 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\TimingTool\jre\bin\java.exe
2008-08-22 20:35 Detected: http://www.viruslist.com/en/advisories/27620 c:\program files\real\realplayer\realplay.exe
2008-08-22 20:33 Detected: http://www.viruslist.com/en/advisories/30761 c:\program files\mozilla firefox\firefox.exe
2008-08-22 20:31 Detected: http://www.viruslist.com/en/advisories/30975 c:\program files\microsoft office\office11\winword.exe
2008-08-22 20:31 Detected: http://www.viruslist.com/en/advisories/31453 c:\program files\microsoft office\office11\powerpnt.exe
2008-08-22 20:31 Detected: http://www.viruslist.com/en/advisories/29320 c:\program files\microsoft office\office11\outlook.exe
2008-08-22 20:31 Detected: http://www.viruslist.com/en/advisories/31454 c:\program files\microsoft office\office11\excel.exe
2008-08-22 20:31 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\MATLAB704\uninstall\java\jre\win32\jre\bin\java.exe
2008-08-22 20:23 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\MATLAB704\sys\java\jre\win32\jre1.5.0\bin\java.exe
2008-08-22 20:22 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Logitech\Harmony Remote\JRE\bin\eula.dll
2008-08-22 20:20 Untreated: Trojan-Downloader.Win32.Bagle.yd c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe Postponed
2008-08-22 20:20 Detected: Trojan-Downloader.Win32.Bagle.yd c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2008-08-22 20:15 Detected: http://www.viruslist.com/en/advisories/25023 c:\program files\Adobe\Adobe Photoshop CS2\Plug-Ins\File Formats\BMP.8BI
2008-08-22 19:53 Detected: http://www.viruslist.com/en/advisories/31010 c:\Documents and Settings\All Users\Documents\Software\matlab704\java\jre\win32\jre\bin\java.exe
2008-08-22 19:31 Detected: http://www.viruslist.com/en/advisories/31010 c:\Documents and Settings\All Users\Documents\Matlab 7\Matlab 1\java\jre\win32\jre\bin\eula.dll
2008-08-22 19:26 Untreated: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP2\A0002240.exe Postponed
2008-08-22 19:26 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP2\A0002240.exe
2008-08-22 19:25 Untreated: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004069.exe Postponed
2008-08-22 19:25 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004069.exe
2008-08-22 19:25 Untreated: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004068.exe Postponed
2008-08-22 19:25 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004068.exe
2008-08-22 19:25 Untreated: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003953.exe Postponed
2008-08-22 19:25 Untreated: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003954.exe Postponed
2008-08-22 19:25 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003954.exe
2008-08-22 19:25 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003953.exe
2008-08-22 19:24 Untreated: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002223.exe Postponed
2008-08-22 19:24 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002223.exe
2008-08-22 19:24 Untreated: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002164.exe Postponed
2008-08-22 19:24 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002164.exe
2008-08-22 19:24 Untreated: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002067.exe Postponed
2008-08-22 19:24 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002067.exe
2008-08-22 19:23 Detected: http://www.viruslist.com/en/advisories/31010 c:\windows\java.exe
2008-08-22 19:23 Detected: http://www.viruslist.com/en/advisories/27620 c:\program files\real\realplayer\realplay.exe
2008-08-22 19:23 Detected: http://www.viruslist.com/en/advisories/30761 c:\program files\mozilla firefox\firefox.exe
2008-08-22 19:22 Detected: http://www.viruslist.com/en/advisories/30975 c:\program files\microsoft office\office11\winword.exe
2008-08-22 19:22 Detected: http://www.viruslist.com/en/advisories/31453 c:\program files\microsoft office\office11\powerpnt.exe
2008-08-22 19:22 Detected: http://www.viruslist.com/en/advisories/31454 c:\program files\microsoft office\office11\excel.exe
2008-08-22 19:22 Detected: http://www.viruslist.com/en/advisories/29320 c:\program files\microsoft office\office11\outlook.exe
2008-08-22 19:21 Task started
mhamilton
2008-08-23, 08:29
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:59 PM, on 8/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\D-Link Media Server\MediaGUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\explorer.exe
C:\Temp\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKLM\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: D-Link Media Server.lnk = C:\Program Files\D-Link Media Server\MediaGUI.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217908534546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217908520187
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.30.180.135/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: wcnotify - C:\WINDOWS\SYSTEM32\wcnotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 11173 bytes
Hi
According to the Kaspersky report, lots of your programs need updating. It's better you update them all (or uninstall completely any you don't use anymore) after we've got you clean.
Please uninstall the following items through Add/Remove Programs:
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Then delete the following folder:
c:\program files\Google\GoogleToolbarNotifier
and file:
c:\windows\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
Launch Malwarebytes' Anti-Malware
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
After that, run ComboFix again and post back its log, a fresh HJT log and the Malwarebytes' Anti-Malware report.
mhamilton
2008-08-23, 16:30
After the last cleaning, I tried boot mode.
It will get as far as the startup screen now, then reboot.
Previously it would not even get this far.
Thanks for the heads up. Now please follow the instructions I posted :)
mhamilton
2008-08-25, 20:01
I will execute your directions on Wednesday
See you then.
Ok. I'll wait for your input :)
mhamilton
2008-08-28, 07:16
I removed Google Toolbar but could not find the directory or files
c:\windows\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
I ran Malwarebytes and here is the report. HJT and CF logs follow also.
-------------------------------------------------------
Malwarebytes' Anti-Malware 1.25
Database version: 1090
Windows 5.1.2600 Service Pack 3
7:55:35 PM 8/27/2008
mbam-log-08-27-2008 (19-55-35).txt
Scan type: Full Scan (C:\|G:\|J:\|)
Objects scanned: 238949
Time elapsed: 1 hour(s), 31 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
---------------------------------------------------------
HJT
--------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:14 PM, on 8/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\D-Link Media Server\MediaGUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Temp\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKLM\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: D-Link Media Server.lnk = C:\Program Files\D-Link Media Server\MediaGUI.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217908534546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217908520187
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.30.180.135/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: wcnotify - C:\WINDOWS\SYSTEM32\wcnotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 10959 bytes
------------------------------------------------------------
CF log
--------------------------------------------------------
ComboFix 08-08-27.03 - Mike 2008-08-27 20:08:50.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.404 [GMT -7:00]
Running from: C:\Documents and Settings\Mike\Desktop\Combo-Fix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\#SharedObjects\5MCT9UUU\bin.clearspring.com
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\#SharedObjects\5MCT9UUU\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))
.
2008-08-22 11:50 . 2008-08-22 17:35 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-22 11:50 . 2008-08-22 11:50 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-22 11:49 . 2008-08-22 11:49 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-22 11:49 . 2008-08-27 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-22 11:49 . 2008-08-23 06:25 7,526,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-22 11:49 . 2008-08-27 18:09 409,632 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-22 11:49 . 2008-08-23 06:25 60,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-22 11:49 . 2008-08-27 18:09 3,528 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-22 11:46 . 2008-08-22 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-22 11:46 . 2008-08-22 11:44 33,138,928 --a------ C:\Temp\kav8.0.0.454en.exe
2008-08-22 11:15 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-22 11:14 . 2008-08-22 11:14 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-22 11:13 . 2008-08-22 10:58 15,984,024 --a------ C:\Temp\jre-6u7-windows-i586-p-s.exe
2008-08-22 09:37 . 2008-08-22 19:19 <DIR> d-------- C:\Temp\backups
2008-08-16 19:03 . 2008-08-16 19:03 231,999 --a------ C:\Temp\Beagled.exe
2008-08-16 18:54 . 2008-08-16 18:58 <DIR> d-------- C:\ComboFix
2008-08-16 18:02 . 2008-08-16 18:16 250 --a------ C:\WINDOWS\gmer.ini
2008-08-16 18:01 . 2008-08-16 18:01 747,873 --a------ C:\Temp\gmer.zip
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-08-16 15:53 . 2008-08-16 15:53 401,720 --a------ C:\Temp\HiJackThis.exe
2008-08-16 15:52 . 2008-08-16 15:53 716,539 --a------ C:\Temp\HJTInstall.exe
2008-08-16 13:50 . 2008-08-22 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-16 12:45 . 2008-08-16 16:28 15,083,520 --a------ C:\Temp\spybotsd160.exe
2008-08-16 12:17 . 2008-08-16 12:17 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Sunbelt Software
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-08-16 08:47 . 2008-08-16 08:47 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-08-16 08:45 . 2008-08-16 08:42 45,935,776 --a------ C:\Temp\counterspy.exe
2008-08-15 18:02 . 2008-08-15 18:02 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-27 18:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 18:01 . 2008-08-15 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-06 21:59 1,885,120 --a------ C:\Temp\mbam-setup.exe
2008-08-15 18:01 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-15 18:01 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-15 17:49 . 2008-08-15 19:14 <DIR> d-------- C:\Documents and Settings\Mike\.housecall6.6
2008-08-15 07:48 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-15 07:48 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 12:57 . 2008-08-14 12:57 <DIR> d-------- C:\Program Files\Safari
2008-08-12 11:30 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iPod
2008-08-12 11:29 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iTunes
2008-08-12 11:28 . 2008-08-12 11:28 <DIR> d-------- C:\Program Files\Bonjour
2008-08-12 11:22 . 2008-08-12 11:22 63,530,280 --a------ C:\Temp\iTunesSetup.exe
2008-08-04 22:46 . 2008-08-04 22:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-04 22:35 . 2008-08-04 22:35 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-04 22:02 . 2008-08-04 22:02 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-04 21:33 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-04 20:55 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-04 20:55 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-03 12:21 . 2008-08-03 12:21 2,108,504 --a------ C:\Temp\GPSMAP60CSx_370.exe
2008-08-03 12:13 . 2007-03-08 17:18 18,432 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2008-08-03 12:13 . 2006-02-20 11:25 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2008-08-03 12:13 . 2006-04-11 12:51 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2008-08-03 12:13 . 2006-07-11 12:50 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2008-08-03 12:13 . 2007-03-08 17:18 8,320 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2008-08-03 12:12 . 2008-08-03 21:28 <DIR> d-------- C:\Garmin
2008-07-29 20:21 . 2008-07-29 20:21 218,376 --a------ C:\WINDOWS\system32\klogon.dll
2008-07-29 20:20 . 2008-07-29 20:20 24,774 --a------ C:\WINDOWS\system32\drivers\klopp.dat
2008-07-29 11:10 . 2008-07-29 11:10 <DIR> d-------- C:\Program Files\Tech-Pro World Clock 2
2008-07-29 11:10 . 2008-02-04 02:10 237,776 --a------ C:\WINDOWS\system32\tpuninst.exe
2008-07-29 11:08 . 2008-07-29 11:08 2,428,088 --a------ C:\Temp\wc2setup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 03:22 --------- d-----w C:\Documents and Settings\Mike\Application Data\Skype
2008-08-28 01:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-28 00:58 --------- d-----w C:\Program Files\Google
2008-08-28 00:54 --------- d-----w C:\Documents and Settings\Mike\Application Data\D-Link Media Server
2008-08-22 18:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-22 18:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-22 18:15 --------- d-----w C:\Program Files\Java
2008-08-22 16:13 --------- d-----w C:\Program Files\Azureus
2008-08-16 02:09 --------- d-----w C:\Documents and Settings\Mike\Application Data\dvdcss
2008-08-15 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaMall
2008-08-15 00:24 --------- d-----w C:\Documents and Settings\Mike\Application Data\Apple Computer
2008-08-14 19:57 --------- d-----w C:\Program Files\Apple Software Update
2008-08-14 15:55 --------- d-----w C:\Documents and Settings\Mike\Application Data\Azureus
2008-08-12 18:28 --------- d-----w C:\Program Files\QuickTime
2008-08-10 20:41 --------- d-----w C:\Program Files\Internet Radio Recorder
2008-08-03 20:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 00:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\MediaServerDump
2008-07-22 01:34 121,872 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-21 03:16 --------- d-----w C:\Program Files\Picasa2
2008-07-21 02:59 --------- d-----w C:\Program Files\Sun
2008-07-08 02:58 --------- d-----w C:\Program Files\D-Link Media Server
2008-07-08 02:22 --------- d-----w C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-04-30 18:49 92,064 -c--a-w C:\Documents and Settings\Mike\mqdmmdm.sys
2008-04-30 18:49 9,232 -c--a-w C:\Documents and Settings\Mike\mqdmmdfl.sys
2008-04-30 18:49 79,328 -c--a-w C:\Documents and Settings\Mike\mqdmserd.sys
2008-04-30 18:49 66,656 -c--a-w C:\Documents and Settings\Mike\mqdmbus.sys
2008-04-30 18:49 6,208 -c--a-w C:\Documents and Settings\Mike\mqdmcmnt.sys
2008-04-30 18:49 5,936 -c--a-w C:\Documents and Settings\Mike\mqdmwhnt.sys
2008-04-30 18:49 4,048 -c--a-w C:\Documents and Settings\Mike\mqdmcr.sys
2008-04-30 18:49 25,600 -c--a-w C:\Documents and Settings\Mike\usbsermptxp.sys
2008-04-30 18:49 22,768 -c--a-w C:\Documents and Settings\Mike\usbsermpt.sys
2007-05-29 05:17 81,920 ----a-w C:\Documents and Settings\Mike\Application Data\ezpinst.exe
2007-05-29 05:17 47,360 ----a-w C:\Documents and Settings\Mike\Application Data\pcouffin.sys
2006-03-19 16:36 13,824 -c--a-w C:\Documents and Settings\Mike\atwbxdet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-08-21_12.25.29.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-05 05:12:58 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-23 13:16:15 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-05 05:12:58 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-23 13:16:15 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-21 19:18:12 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-28 01:06:56 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-30 01:29:38 32,784 ----a-w C:\WINDOWS\system32\drivers\klbg.sys
+ 2008-08-22 18:48:55 213,008 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2008-05-01 01:06:48 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
- 2008-08-21 19:18:21 225,097 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-08-28 00:52:14 225,102 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-08-21 19:10:16 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-28 00:56:19 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-21 19:10:17 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-28 00:56:19 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07 196608]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-03-30 16:45 10065392]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09 698864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 20:20 206088]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]
C:\Documents and Settings\Mike\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-21 17:13:51 113664]
D-Link Media Server.lnk - C:\Program Files\D-Link Media Server\MediaGUI.exe [2008-07-07 19:58:32 1523831]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-03-13 19:02:09 25214]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552]
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2006-02-22 15:47:44 94295]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytoosl"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wcnotify]
2007-08-09 17:16 14656 C:\WINDOWS\system32\WcNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MediaMall\\MediaMallServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-10-28 20:21]
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-08-16 12:17]
R1 BeTwinSystem;BeTwinSystem;C:\WINDOWS\system32\Drivers\BeTwinSystem.sys [2007-08-09 17:15]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2000-01-07 10:00]
R2 MediaMall Server;MediaMall Server;C:\Program Files\MediaMall\MediaMallServer.exe [2007-10-09 16:57]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-21 03:56]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 18:06]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NativeTS
*Newly Created Service* - CATCHME
*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
2008-08-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-08-28 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean\RegClean.exe [2007-03-30 16:45]
2008-08-28 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean [2007-04-18 22:17]
2008-08-28 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]
2008-02-21 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]
2008-08-28 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C34135C4-C5CE-440A-B981-1BFF8E5F71A9}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\xx0vemed.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 20:22:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-27 20:29:42
ComboFix-quarantined-files.txt 2008-08-28 03:29:23
ComboFix2.txt 2008-08-23 02:17:43
ComboFix3.txt 2008-08-22 18:07:58
ComboFix4.txt 2008-08-21 22:49:53
ComboFix5.txt 2008-08-28 03:06:12
Pre-Run: 118,643,957,760 bytes free
Post-Run: 118,631,075,840 bytes free
261
mhamilton
2008-08-28, 08:12
Crashes at login screen
Hi
Start hjt, do a system scan, check (if found):
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)
Close browsers and fix checked.
Please download SafeBootKeyRepair.exe by sUBs to repair Safe Mode.
http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe
To run SafeBootKeyRepair.exe:
1. Close all programs/windows so that you have nothing open and are at your Desktop.
2. Double-click the SafeBootKeyRepair.exe file.
When finished, it shall produce a log for you.
3. Post the entire contents of C:\SafeBoot_Repair.txt in your next reply.
Are you able to run Kaspersky online scanner now? If you are, run it and post back its report. Post a fresh hjt log too.
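A note on what the SafeBoot repair above is actually putting back. Windows reads HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot when you pick Safe Mode from the boot menu; the Minimal and Network subkeys list the driver groups, services and device classes allowed to load. If that key or either subtree is missing, the Safe Mode boot fails (on XP the machine typically just reboots, which is the symptom reported at the top of this thread), and SafeBootKeyRepair.exe works by rewriting those entries. The script below is an added example, not part of this thread and not sUBs' tool: it parses a Regedit 5.00 export of the SafeBoot key (such as the one SafeBootKeyRepair writes into its log) and reports which Minimal entries are missing or have the wrong default value. The SAMPLE_REG text is a constructed, abridged copy of the repaired export posted in the next reply, BROKEN_REG is a constructed failure case with the whole Minimal subtree removed, and REQUIRED_MINIMAL is a baseline taken from that same export, not an official Microsoft list.

```python
"""Audit a Regedit 5.00 export of the SafeBoot key for the entries Safe Mode needs."""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot"

# Constructed sample: abridged copy of the post-repair export in this thread
# (blank lines between keys dropped; the parser ignores them anyway).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
"""

# Constructed failure case: Minimal subtree gone, built by truncating the sample at that key.
BROKEN_REG = SAMPLE_REG.split(r"[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]")[0]

# Baseline abridged from the repaired export in this thread (not an official list):
# subkey name -> expected default value. Keys are compared case-insensitively.
REQUIRED_MINIMAL = {
    "AppMgmt": "Service", "Base": "Driver Group",
    "Boot Bus Extender": "Driver Group", "Boot file system": "Driver Group",
    "DcomLaunch": "Service", "EventLog": "Service", "File system": "Driver Group",
    "PlugPlay": "Service", "Primary disk": "Driver Group", "RpcSs": "Service",
    "{4D36E967-E325-11CE-BFC1-08002BE10318}": "DiskDrive",
    "{4D36E96B-E325-11CE-BFC1-08002BE10318}": "Keyboard",
}

# A value line is either @=... (default value) or "name"=... with escaped quotes allowed.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path_lower: {value_name: value}}.
    The default value is stored under the name "" (regedit writes it as @)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == REG_HEADER or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # REG_SZ; dword:/hex: values are kept raw
            keys[current][name] = value
    return keys


def audit_safeboot(reg_text, profile="Minimal", required=REQUIRED_MINIMAL):
    """Return findings for one SafeBoot profile; an empty list means nothing is missing."""
    keys = parse_reg(reg_text)
    root = SAFEBOOT.lower()
    if root not in keys:
        return ["SafeBoot key absent: Safe Mode cannot start"]
    findings = []
    shell = keys[root].get("AlternateShell", "")
    if shell.lower() != "cmd.exe":            # the only shell a clean export should name
        findings.append(f"AlternateShell is {shell!r}, expected 'cmd.exe'")
    prof = f"{root}\\{profile.lower()}"
    if prof not in keys:
        return findings + [f"{profile} subtree absent: Safe Mode cannot start"]
    for name, expected in sorted(required.items()):
        sub = f"{prof}\\{name.lower()}"
        if sub not in keys:
            findings.append(f"missing {profile}\\{name}")
        elif keys[sub].get("") != expected:
            findings.append(f"{profile}\\{name} default is {keys[sub].get('')!r}, expected {expected!r}")
    return findings


if __name__ == "__main__":
    for label, text in (("repaired", SAMPLE_REG), ("broken", BROKEN_REG)):
        print(label, audit_safeboot(text) or "OK")
```

To use it on a real machine, export the key with `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg` (or paste the export section from C:\SafeBoot_Repair.txt into a file) and pass the file contents to audit_safeboot; run it a second time with profile="Network" and a matching baseline if Safe Mode with Networking is also failing. Note that `reg export` writes UTF-16, so open the file with that encoding before parsing.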
mhamilton
2008-08-28, 19:09
Deleted O2-BHO: Google.... using HJT
Ran SafeBootKeyRepair.exe
Tried to run Kaspersky online scanner. Used Firefox so as not to risk IEXPLORE.
Kaspersky went through the initialization process and then crashed as soon as it started the scan. Will try it one more time.
After reboot I ran HJT again.
Here is the HJT log followed by the SafeBootKeyRepair log.
---------------------------
HJT
-------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:54 AM, on 8/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\D-Link Media Server\MediaGUI.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Temp\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKLM\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: D-Link Media Server.lnk = C:\Program Files\D-Link Media Server\MediaGUI.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217908534546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217908520187
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.30.180.135/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: wcnotify - C:\WINDOWS\SYSTEM32\wcnotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 10500 bytes
---------------------------------
SAFEBOOT
----------------------------------
Reg export of SafeBoot key after repair:
========================
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"
========================
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PSEXESVC
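The export above is worth reading mechanically rather than by eye: Safe Mode on XP only starts when the SafeBoot\Minimal and SafeBoot\Network keys are present and populated, and a malware family that deletes them leaves exactly the "reboots when I try Safe Mode" symptom reported in this thread. The following script is an added example, not code from this thread or from any of the tools mentioned in it. It parses the plain "[key]" / @="value" layout posted above, then reports profiles that are empty, entries present in only one profile, and keys that carry no default value (the {1a3e09be-...} key under Network above is one such). SAMPLE_EXPORT is a constructed excerpt, not the full export.

```python
"""Parse a plain-text export of HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot
(the "[key]" / @="value" layout posted above) and compare the Minimal and
Network profiles.  Added example; SAMPLE_EXPORT is a constructed excerpt."""
import re
from collections import OrderedDict

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\safeboot\\"
    r"(?P<profile>Minimal|Network)(?:\\(?P<entry>[^\]]+))?\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^@="(?P<value>.*)"$')

# Constructed excerpt in the same layout as the export posted in the thread.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]
"""


def parse_safeboot(text):
    """Return {"Minimal": {entry: default_value}, "Network": {...}}.
    An entry whose key line is not followed by an @= line maps to None."""
    profiles = {"Minimal": OrderedDict(), "Network": OrderedDict()}
    current = None  # (profile, entry) of the key line most recently seen
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            profile = m.group("profile").capitalize()
            entry = m.group("entry")
            current = (profile, entry)
            if entry is not None:
                profiles[profile].setdefault(entry, None)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None and current[1] is not None:
            profiles[current[0]][current[1]] = m.group("value")
    return profiles


def safeboot_report(profiles):
    """Differences a reviewer of the export would want to see."""
    minimal, network = profiles["Minimal"], profiles["Network"]
    return {
        # a profile with no entries at all is the classic "Safe Mode is gone" state
        "empty_profiles": [p for p, e in profiles.items() if not e],
        "only_minimal": sorted(set(minimal) - set(network), key=str.lower),
        "only_network": sorted(set(network) - set(minimal), key=str.lower),
        "no_default_value": sorted(
            p + "\\" + e
            for p, entries in profiles.items()
            for e, v in entries.items()
            if v is None
        ),
    }


if __name__ == "__main__":
    import json
    import sys

    # A real regedit .reg export is UTF-16LE; decode it before feeding it in.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    print(json.dumps(safeboot_report(parse_safeboot(text)), indent=2))
```

Run it against a saved copy of the export (or with no argument to use the built-in excerpt). An entry that appears in only one profile is not wrong by itself (Network legitimately carries Tcpip, NetBT and the network device classes), but an empty profile, or a set of missing core entries such as the disk, keyboard and mouse device classes, is what to look for when Safe Mode will not start.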
mhamilton
2008-08-28, 19:17
Tried Safe Boot and it crashed again at the startup screen.
Tried Kaspersky on line for a second time, also crashed again.
I get the feeling something deep and ugly is in there.
Hi
Hjt log looks ok. Please defrag your hard drives and try running Kaspersky online scanner and GMER after that. Keep antivirus programs disabled during both scans.
mhamilton
2008-08-29, 00:22
Kaspersky on-line still crashes. Safe mode crashes.
GMER does run. Here is log.
------------------------------------
GMER report after it starts up - full scan follows
------------------------------------
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-28 13:58:15
Windows 5.1.2600 Service Pack 3
---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xF3FFA6E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xF3FFA750]
---- Devices - GMER 1.0.14 ----
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
---- EOF - GMER 1.0.14 ----
---------------------------------
GMER full scan
---------------------------------
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-28 14:17:57
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF3FFA81A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xF3FFADC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xF3FFC82A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xF3FFC1E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xF3FF9F90]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF3FFE18C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xF3FFABC2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xF3FFA3D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xF3FFA5D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xF3FFC4EC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xF3FFE698]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xF3FFA6E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xF3FFA750]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xF3FFC3A2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xF3FFDC50]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xF3FFC03C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xF3FFA0F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xF3FFA9E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xF3FFE1B6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xF3FFA93E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xF3FFA7B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xF3FFA4BC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xF3FFA29A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xF3FFDEB8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xF3FF9C12]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xF3FFD0B4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xF3FF9D74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xF3FFE568]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xF3FF9A10]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xF3FFC6CC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xF3FFACC0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xF3FFDD4A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xF3FFE1E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xF3FFA148]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xF3FFE2C4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xF3FFE3F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xF3FFDB7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xF3FFAA92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xF3FFAB04]
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous
---- Kernel code sections - GMER 1.0.14 ----
.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4C94 12 Bytes [ C4, E2, FF, F3, F0, E3, FF, ... ]
.text ntoskrnl.exe!IoIsOperationSynchronous 804EAF9E 5 Bytes JMP F40113D6 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804F4583 5 Bytes JMP F401101C \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
? C:\WINDOWS\system32\drivers\sbapifs.sys The system cannot find the file specified. !
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F7117DF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F7117DF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\USBSTOR.SYS[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\dot4usb.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\Dot4.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\Dot4Scan.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\Dot4Prt.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\usbccgp.sys[NTOSKRNL.EXE!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\bthport.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\STREAM.SYS[NTOSKRNL.EXE!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\rfcomm.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\BthEnum.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\bthmodem.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Modem.SYS[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mrxdav.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\TDTCP.SYS[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\RDPWD.SYS[ntoskrnl.exe!IoCreateDevice] [F7117D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
---- Devices - GMER 1.0.14 ----
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0020e078b8e2
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0020e078b8e2@00149a467348 0x02 0x9B 0x7F 0xFD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0020e078b8e2
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0020e078b8e2@00149a467348 0x02 0x9B 0x7F 0xFD ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\68AB67CA330100007706000000000020\Usage@PDFMakerForIE 958172943
---- EOF - GMER 1.0.14 ----
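The "Disk sectors" block of the first GMER report is the notable part of that log: it lists sectors 1 through 63, the unpartitioned gap between the MBR and the first partition on an XP-era disk, and flags them as copies of the MBR, several with "rootkit-like behavior". That gap is invisible to the file system, which is why MBR-based rootkits use it to stash a copy of the original boot sector and their own code. The script below is an added example, not code from GMER or from this thread, showing the same check on a raw disk image: read sector 0, find where the first partition starts from its partition table, and walk every sector in between looking for exact copies of the MBR or sectors that merely look like one. build_sample_image() constructs a synthetic 64-sector image for the demonstration; the boot code bytes in it are placeholders, not a real boot loader.

```python
"""Scan the unpartitioned gap between the MBR and the first partition of a
raw disk image for copies of the MBR.  Added example; the sample image is
constructed here and is not data from the thread."""
import struct
import sys

SECTOR = 512
BOOT_SIG = b"\x55\xaa"


def is_mbr_like(sector):
    """True if the sector ends with the 0x55AA signature and each of the four
    partition entries has a legal boot indicator (0x00 or 0x80)."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    return all(sector[446 + 16 * i] in (0x00, 0x80) for i in range(4))


def first_partition_lba(mbr):
    """Smallest non-zero start LBA among used partition entries (63 on most
    XP-era disks); 0 if the table is empty."""
    starts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        part_type = entry[4]
        start_lba = struct.unpack_from("<I", entry, 8)[0]
        if part_type != 0 and start_lba:
            starts.append(start_lba)
    return min(starts) if starts else 0


def scan_mbr_gap(image):
    """Return [(lba, description)] for suspicious sectors between the MBR and
    the first partition.  An exact copy of sector 0 is reported separately
    from a sector that merely has MBR structure but different contents."""
    mbr = image[:SECTOR]
    end = first_partition_lba(mbr) or 1
    findings = []
    for lba in range(1, end):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(sector) < SECTOR:
            break
        if sector == mbr:
            findings.append((lba, "copy of MBR"))
        elif is_mbr_like(sector):
            findings.append((lba, "MBR-like sector (differs from sector 0)"))
    return findings


def build_mbr(boot_code):
    """Constructed MBR: placeholder code, one active NTFS-type partition at LBA 63."""
    body = boot_code + b"\x00" * (446 - len(boot_code))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 204800)
    return body + entry + b"\x00" * 48 + BOOT_SIG


def build_sample_image():
    """64-sector image: MBR copies planted in the gap plus one altered MBR-like sector."""
    mbr = build_mbr(b"\xfa\x33\xc0\x8e\xd0")  # placeholder bytes, not a real boot loader
    sectors = [mbr] + [b"\x00" * SECTOR for _ in range(63)]
    for lba in (10, 16, 17, 18, 19, 20, 32):
        sectors[lba] = mbr
    sectors[62] = build_mbr(b"\xeb\xfe")  # same table, different code: MBR-like, not a copy
    return b"".join(sectors)


def scan_image_file(path, max_sectors=2048):
    """Read the start of a raw image (or a device node opened from clean media)."""
    with open(path, "rb") as fh:
        return scan_mbr_gap(fh.read(max_sectors * SECTOR))


if __name__ == "__main__":
    results = scan_image_file(sys.argv[1]) if len(sys.argv) > 1 else scan_mbr_gap(build_sample_image())
    for lba, what in results:
        print(f"sector {lba:02d}: {what}")
```

Two caveats a practitioner would add. First, a copy of the MBR in the gap is evidence, not proof: some OEM recovery and imaging tools keep a backup there too, so the finding needs to be read together with what else is on the machine, as the helper does below. Second, the reading matters as much as the check: a kernel-mode rootkit can lie to any tool that reads the disk through the running Windows, which is the same reason GMER crashing and Safe Mode failing are themselves signals. Take the image from a clean boot medium before trusting what the sectors say.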
Unfortunately your log shows signs of a rootkit being present on your system. This means your PC is at risk now and sadly may always be.
The problem with rootkits is they are very hard to detect and extremely hard to remove completely.
Rootkits may also have what is known as a backdoor. The backdoor, if present, will give complete remote access to your system. This means someone will be able to steal any information stored on your PC including addresses, names and telephone numbers and, more worryingly, passwords, bank account details and any other financial information; basically they will have access to any data that you do.
At this point you have two options:
OPTION 1
We attempt to remove the rootkit but will never really know if it is completely removed which means all the above applies.
There will be no guarantees with this option.
OPTION 2
We reformat your system.
This will destroy the rootkit but means you will have to reinstall everything.
My advice would be OPTION 2. It is the only safe, effective and positive way of dealing with this type of infection.
It will also be much quicker to reformat/reinstall than to attempt the removal.
I would like you to read the information over and when you have decided which option to choose post back and I will gladly assist with what ever route you choose to take.
mhamilton
2008-08-29, 18:45
Thanks for the advice.
I have to collect all my drivers and SW from my office to try to do the rebuild this weekend.
If you can list the initial steps to go through the reformat and install of XP it would be a useful guide. I have done it in the past, but a step by step won't hurt.
Can I be reasonably sure that the problem is only on the boot drive?
Is my data disk OK if the scans are clean?
Hi
This is a good tutorial by wng_z3r0 for reformatting XP:
http://spyware-free.us/tutorials/reformat/
If your data drive consists of videos, pictures and music then it should be safe.
Since this issue appears to be resolved ... this Topic has been closed.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or a MOD a private message (pm). A valid, working link to the closed topic is required.