View Full Version : trojan.agent infection
lonomatik
2009-08-19, 16:05
Tashi instructed me to post a new topic in this forum accompanied by a HJT log.
shortly after i posted to this forum i lost my internet connection and panicked. i attempted to fix my problem with HJT as well as COMBOFIX. i also ran MALWARE BYTES along with SOPHOS a number of times in both safe and normal mode from a DVD with little success. i say "little" because i have gotten back online and it appears that MALWARE BYTES despite not finding anything in my scans DETECTED an infection in passive mode (?) and quarantined some TROJAN.AGENT(?) tmp files numbered 1-6.
i dont consider myself an expert by any means but i have handled previous infections, however this one has me stumped. please help!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:11 AM, on 8/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218053295500
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233702376765
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Issicpmkcsvs - S3/Diamond Multimedia Systems - C:\WINDOWS\System32\drivers\RIODRV.SYS
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Conexant - (no file)
--
End of file - 4758 bytes
Hi,
Do you have Malwarebytes' Anti-Malware report still around?
Post contents of c:\ComboFix.txt file, please.
lonomatik
2009-08-22, 06:16
thanks for the response! heres the Combofix log:
ComboFix 09-08-10.06 - Lonny Chant 08/18/2009 8:52.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1671 [GMT -4:00]
Running from: c:\documents and settings\Lonny Chant\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Lonny Chant\Application Data\inst.exe
c:\windows\box boat blue.ico
c:\windows\Installer\10bf4a.msi
c:\windows\Installer\10d63d.msp
c:\windows\Installer\10d643.msp
c:\windows\Installer\1fdcf13.msi
c:\windows\Installer\22224.msp
c:\windows\Installer\2988ef.msp
c:\windows\Installer\2cb62f2.msi
c:\windows\Installer\4a9e8.msp
c:\windows\Installer\4a9ef.msp
c:\windows\Installer\4aa0b.msp
c:\windows\Installer\4aa22.msp
c:\windows\Installer\85469.msi
c:\windows\Installer\aee550.msp
c:\windows\Installer\aee559.msp
c:\windows\Installer\aee56c.msp
c:\windows\Installer\aee575.msp
c:\windows\Installer\aee57e.msp
c:\windows\Installer\aee599.msp
c:\windows\Installer\aee59f.msp
c:\windows\Installer\aee5a7.msp
c:\windows\Installer\aee5ad.msp
c:\windows\Installer\be6630.msp
c:\windows\Installer\be6648.msp
c:\windows\Installer\be6651.msp
c:\windows\Installer\be6658.msp
c:\windows\Installer\be6661.msp
c:\windows\Installer\be6667.msp
c:\windows\Installer\be667f.msp
c:\windows\Installer\be6685.msp
c:\windows\Installer\be668e.msp
c:\windows\Installer\be66a9.msp
c:\windows\Installer\be66af.msp
c:\windows\Installer\f9a51e.msp
c:\windows\patch.exe
c:\windows\Readme.txt
c:\windows\system32\ad020326.de
c:\windows\system32\drivers\SKYNETnktlirns.sys
c:\windows\system32\open.ico
c:\windows\system32\SKYNETomdbwfoo.dat
c:\windows\system32\SKYNETpfwkkpba.dll
c:\windows\system32\SKYNETtnyymfmc.dat
c:\windows\system32\SKYNETyxumoavk.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETxeoawvbl
-------\Legacy_SKYNETxeoawvbl
-------\Legacy_VDMT16
-------\Legacy_WINLOW
-------\Service_npf
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.
2009-08-18 12:06 . 2009-08-18 12:06 -------- d-----w- C:\rsit
2009-08-18 12:02 . 2009-08-18 12:02 -------- d-----w- c:\documents and settings\Lonny Chant\.SunDownloadManager
2009-08-16 00:47 . 2009-08-16 00:47 -------- d-----w- c:\program files\Trend Micro
2009-08-14 14:28 . 2009-08-14 14:45 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\IObit
2009-08-14 14:28 . 2009-08-14 14:28 -------- d-----w- c:\program files\IObit
2009-08-14 11:40 . 2009-08-14 11:40 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-14 11:40 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 11:40 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 18:49 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-21 21:31 . 2009-07-21 21:31 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 10:34 . 2005-02-16 15:00 48622851 -c--a-w- c:\windows\Internet Logs\tvDebug.zip
2009-08-15 23:50 . 2002-10-04 20:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-15 22:29 . 2009-08-15 22:29 104618 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_15_18_24_23_small.dmp.zip
2009-08-15 22:29 . 2009-08-15 22:29 77703 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_15_18_24_22_small.dmp.zip
2009-08-15 22:24 . 2009-08-15 22:24 3391488 ----a-w- c:\windows\Internet Logs\xDB9A.tmp
2009-08-15 22:24 . 2009-08-15 22:24 25600 ----a-w- c:\windows\Internet Logs\xDB99.tmp
2009-08-15 20:53 . 2009-08-15 20:53 98332 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_15_16_48_11_small.dmp.zip
2009-08-15 20:53 . 2009-08-15 20:53 75976 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_15_16_48_10_small.dmp.zip
2009-08-15 20:48 . 2009-08-15 20:48 3390976 ----a-w- c:\windows\Internet Logs\xDB72.tmp
2009-08-15 20:48 . 2009-08-15 20:48 3000832 ----a-w- c:\windows\Internet Logs\xDB71.tmp
2009-08-14 14:44 . 2008-06-10 18:33 -------- d-----w- c:\program files\RightMark Memory Analyzer
2009-08-14 14:44 . 2008-03-04 14:35 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\Vso
2009-08-14 14:44 . 2007-12-24 15:30 -------- d-----w- c:\program files\EarthLink TotalAccess
2009-08-14 14:44 . 2007-07-04 00:46 -------- d-----w- c:\program files\Steam
2009-08-14 14:44 . 2007-05-24 22:58 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\Azureus
2009-08-14 14:44 . 2003-03-07 23:56 -------- d-----w- c:\program files\DivX
2009-08-14 14:44 . 2002-10-04 20:52 -------- d-----w- c:\program files\MUSICMATCH
2009-08-14 11:41 . 2009-05-30 11:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 09:01 . 2009-02-05 03:27 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-21 21:40 . 2007-10-27 18:03 -------- d-----w- c:\program files\iTunes
2009-07-21 21:40 . 2006-04-09 21:36 -------- d-----w- c:\program files\iPod
2009-07-21 21:40 . 2009-02-19 21:10 -------- d-----w- c:\program files\Common Files\Apple
2009-07-17 19:01 . 2009-02-05 03:28 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-09-22 23:46 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-29 16:12 . 2009-02-05 03:27 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-02-05 03:28 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-18 16:52 . 2009-06-18 16:52 76453 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_06_18_12_00_12_small.dmp.zip
2009-06-18 15:56 . 2009-06-18 15:56 422 ----a-w- c:\documents and settings\Lonny Chant\Application Data\Adobe\socks32.exe
2009-06-18 15:56 . 2009-06-18 15:56 16141 ----a-w- c:\documents and settings\Lonny Chant\Application Data\Ahead\megalon.exe
2009-06-18 15:56 . 2009-06-18 15:56 145131 ----a-w- c:\documents and settings\Lonny Chant\Application Data\AdobeUM\horsi.exe
2009-06-18 15:56 . 2009-06-18 15:56 13221 ----a-w- c:\documents and settings\Lonny Chant\Application Data\acccore\reniga.dll
2009-06-18 15:56 . 2009-06-18 15:56 11232 ----a-w- c:\documents and settings\Lonny Chant\Application Data\.BitTornado\moha.exe
2009-06-16 14:36 . 2004-08-29 21:19 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-08-18 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2009-02-05 03:27 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-11 15:44 . 2002-11-21 21:00 209440 -c--a-w- c:\documents and settings\Lonny Chant\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-11 15:33 . 2009-06-11 15:33 36864 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\{80E158EA-7181-40FE-A701-301CE6BE64AB}\PostBuild.exe
2009-06-10 14:13 . 2009-02-05 03:28 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2009-02-05 03:27 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2009-02-05 03:27 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 15:42 . 2009-05-13 19:15 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2009-02-19 21:11 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2009-02-05 03:27 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2006-01-20 00:23 . 2006-01-20 00:23 3072 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-01-20 00:23 . 2006-01-20 00:23 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.e\0smrgdf c:\program files\iolo\System Mechanic Professional 6\\0iolobtdfg c:\windows\system32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"ATI Smart"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPWITOOLBOX"=c:\program files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ioloDelayModule"=c:\program files\iolo\System Mechanic Professional 6\delay.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\SYSTEM32\DRIVERS\ppa.sys [2/7/2003 12:37 PM 17792]
R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 5:04 AM 18088]
R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [10/9/2002 10:36 AM 4064]
R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [6/10/2008 2:28 PM 243200]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/14/2009 7:40 AM 232720]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [8/14/2009 7:40 AM 19096]
S2 FCKYZQSL;FCKYZQSL;\??\c:\windows\System32\fckyzqsl.tcg --> c:\windows\System32\fckyzqsl.tcg [?]
S3 Aastrams;Aastrams; [x]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys --> c:\windows\system32\DRIVERS\ADSFilter.sys [?]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\DRIVERS\ati2mpaa.sys --> c:\windows\system32\DRIVERS\ati2mpaa.sys [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 RTCore32;RTCore32;c:\program files\RightMark Memory Analyzer\RTCore32.sys [6/10/2008 2:33 PM 4608]
.
Contents of the 'Scheduled Tasks' folder
2009-08-16 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Lonny Chant.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-08-14 17:36]
2009-08-16 c:\windows\Tasks\Malwarebytes' Scheduled Update for Lonny Chant.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-08-14 17:36]
2009-06-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2005-12-09 19:45]
2009-08-16 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-03-09 18:39]
.
.
------- Supplementary Scan -------
.
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Lonny Chant\Application Data\Mozilla\Firefox\Profiles\h5abj7co.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\documents and settings\Lonny Chant\Application Data\Mozilla\Firefox\Profiles\h5abj7co.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 09:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\FCKYZQSL]
"ImagePath"="\??\c:\windows\System32\fckyzqsl.tcg"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\LP*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"nf\\cx_08948.inf\00"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\}›őw”¶*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.5004"
"DeviceInstanceIds"=multi:"\00"
[HKEY_LOCAL_MACHINE\software\swearware\backup\winsock2]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
- - - - - - - > 'explorer.exe'(2656)
c:\windows\system32\WININET.dll
c:\windows\system32\wuaucpl.old.cpl
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\taskmgr.exe
c:\windows\SYSTEM32\ZoneLabs\vsmon.exe
c:\windows\SYSTEM32\dwwin.exe
c:\windows\SYSTEM32\ZoneLabs\vsmon.exe
c:\windows\SYSTEM32\ZoneLabs\vsmon.exe
c:\windows\SYSTEM32\ZoneLabs\vsmon.exe
.
**************************************************************************
.
Completion time: 2009-08-18 9:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 13:17
Pre-Run: 14,085,390,336 bytes free
Post-Run: 13,873,573,888 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
Current=5 Default=5 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
286 --- E O F --- 2009-08-13 03:40
lonomatik
2009-08-22, 06:18
a Malwarebytes log from the same day:
Malwarebytes' Anti-Malware 1.40
Database version: 2648
Windows 5.1.2600 Service Pack 3
8/18/2009 11:12:39 AM
mbam-log-2009-08-18 (11-12-34).txt
Scan type: Full Scan (C:\|)
Objects scanned: 222948
Time elapsed: 1 hour(s), 15 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETnktlirns.sys.vir (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP914\A0237590.sys (Trojan.TDSS) -> No action taken.
Hi,
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
Azureus
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
After that:
Generate an Uninstall List
* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it on your next reply.
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
FCKYZQSL
Aastrams
Folder::
c:\documents and settings\Lonny Chant\Application Data\Azureus
File::
c:\documents and settings\Lonny Chant\Application Data\Adobe\socks32.exe
c:\documents and settings\Lonny Chant\Application Data\Ahead\megalon.exe
c:\documents and settings\Lonny Chant\Application Data\AdobeUM\horsi.exe
c:\documents and settings\Lonny Chant\Application Data\acccore\reniga.dll
c:\documents and settings\Lonny Chant\Application Data\.BitTornado\moha.exe
c:\windows\System32\fckyzqsl.tcg
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe (let ComboFix update itself if asked for a permission).
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
lonomatik
2009-08-24, 03:44
alright, heres the Uninstall log you requested. i had actually already uninstalled the requested program but i guess there were some lingering files.
Active@ DVD Eraser v 1.1
Adobe Anchor Service CS4
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Illustrator 10.0.3
Adobe InDesign CS4
Adobe InDesign CS4
Adobe InDesign CS4 Application Feature Set Files (Roman)
Adobe InDesign CS4 Common Base Files
Adobe InDesign CS4 Icon Handler
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 7.1.0
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Setup
Adobe SGM CS4
Adobe SING CS4
Adobe SVG Viewer 3.0
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
Bonjour
CCleaner (remove only)
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Connect
ConvertXtoDVD 3.1.3.40c
CyberLink MediaShow
CyberLink MediaShow
Dell | Support
Dell Digital Jukebox Driver
Dell Modem-On-Hold
Dell ResourceCD
Digital Line Detect
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DriverAgent by eSupport.com
Duplicate Cleaner 1.2
EarthLink Software
Easy CD Creator 5 Basic
ERUNT 1.1j
Half-Life 2
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
hp deskjet 9600 series
Internet Explorer Q903235
iolo technologies' System Mechanic Professional 6
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 15
kuler
Learn2 Player (Uninstall Only)
Local Port Scanner v1.2.2
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks 4
Macromedia Flash MX 2004
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MobileMe Control Panel
Mozilla Firefox (3.0.13)
MSN Music Assistant
MultiRes (remove only)
OpenMG AAC Add-on Module 1.0.00
OpenMG Secure Module 4.6.01
PDF Settings CS4
Photoshop Camera Raw
Picasa 2
QuickTime
Ray Adams ATI Tray Tools
RealPlayer
Realtek RTL8139 Diagnostics Program
Secure Delivery
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SketchUp 4.0
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Steam
Suite Shared Configuration CS4
Sun Download Manager 2.0 (web)
TaxCut Basic 2006
UnzipThemAll 1.3
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
VC 9.0 Runtime
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.6h
Winamp
Winamp Remote
Windows Backup Utility
Windows Genuine Advantage v1.3.0254.0
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Service Pack 3
WinRAR archiver
XP Codec Pack
ZoneAlarm
Zune Desktop Theme
lonomatik
2009-08-24, 03:45
the Combofix log:
ComboFix 09-08-22.06 - Lonny Chant 08/23/2009 11:01.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1610 [GMT -4:00]
Running from: c:\documents and settings\Lonny Chant\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lonny Chant\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FILE ::
"c:\documents and settings\Lonny Chant\Application Data\.BitTornado\moha.exe"
"c:\documents and settings\Lonny Chant\Application Data\acccore\reniga.dll"
"c:\documents and settings\Lonny Chant\Application Data\Adobe\socks32.exe"
"c:\documents and settings\Lonny Chant\Application Data\AdobeUM\horsi.exe"
"c:\documents and settings\Lonny Chant\Application Data\Ahead\megalon.exe"
"c:\windows\System32\fckyzqsl.tcg"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Lonny Chant\Application Data\.BitTornado\moha.exe
c:\documents and settings\Lonny Chant\Application Data\acccore\reniga.dll
c:\documents and settings\Lonny Chant\Application Data\Adobe\socks32.exe
c:\documents and settings\Lonny Chant\Application Data\AdobeUM\horsi.exe
c:\documents and settings\Lonny Chant\Application Data\Ahead\megalon.exe
c:\documents and settings\Lonny Chant\Application Data\Azureus
c:\documents and settings\Lonny Chant\Application Data\Azureus\.certs
c:\documents and settings\Lonny Chant\Application Data\Azureus\.keystore
c:\documents and settings\Lonny Chant\Application Data\Azureus\.lock
c:\documents and settings\Lonny Chant\Application Data\Azureus\active\3ABA38C3B576DE59531F45B332CCA4442BB129FA.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\active\3C2BA09E1624D7C14AAEE5ED004269311A98B512.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\active\4438AF41E59C98EED6CDE27F5CC4D3E355F73063.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\active\6B317A643211A899233B451452BFB4F551038E3E.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\active\A948D818834E3F34896A61EEE2361871704C1968.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\active\cache.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\azureus.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\azureus.statistics
c:\documents and settings\Lonny Chant\Application Data\Azureus\banips.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\cnetworks.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\devices.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\dht\general.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\dht\version.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\downloads.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\filters.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\friends.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Lonny Chant\Application Data\Azureus\logs\MetaSearch_Engine_3.txt
c:\documents and settings\Lonny Chant\Application Data\Azureus\metasearch.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\net\pm_22773.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.7.4.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.7.4.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.0.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.0.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.10.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.10.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.11.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.11.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.6.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.6.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.11.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.11.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.14.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.14.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.16.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.16.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.30.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.30.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.32.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.32.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.34.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.34.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.1.02.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.1.02.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azmplay.exe
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\cp1250-a.raw
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\cp1250-b.raw
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\font.desc
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\libInfoGetter.dll
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\osd-mplayer-a.raw
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\osd-mplayer-b.raw
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_1.7.4
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_1.9.0
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_1.9.10
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_1.9.11
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_1.9.6
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.11
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.14
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.16
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.30
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.32
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.34
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_2.1.02
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azump\azump_1.2.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azump\azump_1.2.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azump\azump_1.3.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azump\azump_1.3.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azump\mplayer.exe
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azump\mplayer\config
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.2.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.2.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.3.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.3.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.6.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.6.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.7.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.7.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.0.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.0.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.1.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.1.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.17.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.17.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.2.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.2.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.5.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.5.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\cd.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.2
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.3
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.6
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.7
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.0
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.1
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.17
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.2
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.5
c:\documents and settings\Lonny Chant\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\01FE0E4954FEEB299706.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\0208EEB906A1C63F97E2.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\0FE2857420B40A53BB77.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\12533BF9649105ABA27A.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\1603EF58DAA24E05E927.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\1D2D9FBC3F4BE8AA689D.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\24DB0521CDEC3ACE7E8C.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\28CF14B604BFE173EEFF.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\292D07370EA3783CDCAC.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\29A2E7CB5E7A69DBBE14.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\2DCFAB8F832477D02694.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\2F7D51E79B34BE84F742.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\3C1C33756A83CC05D595.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\487A4B88740420E32C87.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\4964C136A88C465A6B48.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\4B713E793017BE7BA43A.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\4CD6D96573CE7093FB98.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\4F2AA8C2D919E9835A62.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\52C6D09A02BBB590C252.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\59A6E5D794A9DFCD6CDF.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\62E0DD046B0A2450A807.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\632A20E73961F1C133F2.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\65CE3C46ACE1B29F7AF8.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\6F5910EA3FFE2EA04ABF.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\71C6685E772F650EA387.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\72D2F5BA4A68FA6F677A.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\743517466E51A760F1BF.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\74F7267F1BCBC66CB79C.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\79D82923B992917F8430.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\79E766BACEC15D14BEA9.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\7D80FF0229178E1AD2BD.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\8208605FEAE769DF8C5B.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\829E59C40EFFE22EB406.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\83F9D7CFBA5E7496ACC5.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\88DA602C72BB0AB9CEE8.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\8A8138032CEB4BAFDDBC.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\8BF158E23CC6F3B41DF9.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\93B716386602D52C6EB7.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\95985978467DA9688755.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\9E68932BDE46973BFAD5.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\A36AB2DCB4226BA0F649.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\A37CED700C6A8093072F.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\A4C4F5D3B481321E52AF.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\A7EF32FC85BCF1692DDB.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\A8C1F452C6DA7C51AA2B.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\B23FF1607C78876627F3.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\B9F9824CB0A991DE3AC4.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\BA42C1C871ADA5B254DA.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\BAD9AC808DA5DC699651.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\C04565C3BABED3846AE4.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\C61A720916E29A0837B2.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\C868FF325124E3D0D58F.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\CE275B7D9043458D6329.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\D2D5ED50888A83E4C5DD.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\D2FC0BF3FD78ED958712.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\D36FC2A487705C854BDA.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\D5B735BDEA2EE95A3DFF.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\DB8EBA0A8243FAC1DD16.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\DCD20AB6684A16AA1475.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\E143495E02618735CB40.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\E267584D36198A287181.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\E32C595A861BADB257CC.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\E7CE62A3124A6E9AD402.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\F37F1C2264BA31BFB3E3.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\FC5CC391DA4BA78C3961.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subscriptions.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\tables.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\tmp\AZU36328.tmp\patch.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\torrents\Angel_complete_seasons_1_through_5.3351072.TPB [mininova].torrent
c:\documents and settings\Lonny Chant\Application Data\Azureus\torrents\Enchanted__2007__DVDRip-1.torrent
c:\documents and settings\Lonny Chant\Application Data\Azureus\torrents\Firefly_Series_200_2_DVDRip_x264.torrent
c:\documents and settings\Lonny Chant\Application Data\Azureus\torrents\Macromedia Flash 5 + Serial.zip [mininova].torrent
c:\documents and settings\Lonny Chant\Application Data\Azureus\torrents\NIN_-_THE_UNRELEASED_________________BEHIND_THE_SCENES_OF_CLOSER.4226814.TPB-1.torrent
c:\documents and settings\Lonny Chant\Application Data\Azureus\torrents\sims_2_all_expansions__november_9_2007_630462484091_913.torrent
c:\documents and settings\Lonny Chant\Application Data\Azureus\torrents\This.Film.Has.Not.Yet.Been.Rated.2006.DvdRip.eng.avi.4078123.TPB.torrent
c:\documents and settings\Lonny Chant\Application Data\Azureus\tracker.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\unsentdata.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\update.properties
c:\documents and settings\Lonny Chant\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\VuzeActivities.config
c:\windows\Fonts\FRE3OF9X.TTF
c:\windows\Fonts\FREE3OF9.TTF
c:\windows\Fonts\GUNSHIP2.TTF
c:\windows\smproflt.dll
c:\windows\wpd99.drv
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AASTRAMS
-------\Legacy_FCKYZQSL
-------\Service_Aastrams
-------\Service_FCKYZQSL
((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.
2009-08-19 13:23 . 2009-08-19 13:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-19 13:23 . 2009-08-19 13:23 152576 ----a-w- c:\documents and settings\Lonny Chant\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-19 12:42 . 2009-08-19 12:42 -------- d-----w- c:\program files\ERUNT
2009-08-19 10:33 . 2009-08-19 10:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-08-19 02:30 . 2009-08-19 02:32 -------- d-----w- c:\program files\Malwar
2009-08-18 21:03 . 2009-08-18 21:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-18 17:25 . 2009-08-18 17:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-18 12:06 . 2009-08-18 12:06 -------- d-----w- C:\rsit
2009-08-18 12:02 . 2009-08-18 12:02 -------- d-----w- c:\documents and settings\Lonny Chant\.SunDownloadManager
2009-08-16 00:47 . 2009-08-16 00:47 -------- d-----w- c:\program files\Trend Micro
2009-08-14 14:28 . 2009-08-14 14:45 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\IObit
2009-08-14 14:28 . 2009-08-14 14:28 -------- d-----w- c:\program files\IObit
2009-08-14 11:40 . 2009-08-14 11:40 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-14 11:40 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 11:40 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 18:49 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-23 15:08 . 2008-03-07 08:49 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\Ahead
2009-08-23 15:08 . 2005-03-08 19:14 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\AdobeUM
2009-08-23 15:08 . 2007-03-13 20:47 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\acccore
2009-08-23 15:08 . 2005-03-22 17:02 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\.BitTornado
2009-08-23 13:26 . 2006-05-29 23:24 -------- d-----w- c:\program files\bl
2009-08-19 13:23 . 2005-03-14 03:19 -------- d-----w- c:\program files\Java
2009-08-19 13:17 . 2007-07-04 00:46 -------- d-----w- c:\program files\Steam
2009-08-18 20:43 . 2004-01-03 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-18 20:42 . 2008-03-11 11:54 -------- d-----w- c:\program files\CCleaner
2009-08-18 20:23 . 2005-02-16 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-18 15:15 . 2009-08-18 15:56 11264 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-08-18 15:15 . 2009-08-18 15:56 3396608 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-08-18 13:21 . 2009-08-18 13:52 13824 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-08-18 13:21 . 2009-08-18 13:52 3396096 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-08-18 13:08 . 2009-08-18 13:21 3396096 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-08-18 13:08 . 2009-08-18 13:21 44032 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-08-17 10:34 . 2005-02-16 15:00 48622851 -c--a-w- c:\windows\Internet Logs\tvDebug.zip
2009-08-15 23:50 . 2002-10-04 20:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-15 22:24 . 2009-08-15 22:24 3391488 ----a-w- c:\windows\Internet Logs\xDB9A.tmp
2009-08-15 22:24 . 2009-08-15 22:24 25600 ----a-w- c:\windows\Internet Logs\xDB99.tmp
2009-08-15 20:48 . 2009-08-15 20:48 3390976 ----a-w- c:\windows\Internet Logs\xDB72.tmp
2009-08-15 20:48 . 2009-08-15 20:48 3000832 ----a-w- c:\windows\Internet Logs\xDB71.tmp
2009-08-14 14:44 . 2008-06-10 18:33 -------- d-----w- c:\program files\RightMark Memory Analyzer
2009-08-14 14:44 . 2008-03-04 14:35 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\Vso
2009-08-14 14:44 . 2007-12-24 15:30 -------- d-----w- c:\program files\EarthLink TotalAccess
2009-08-14 14:44 . 2003-03-07 23:56 -------- d-----w- c:\program files\DivX
2009-08-14 14:44 . 2002-10-04 20:52 -------- d-----w- c:\program files\MUSICMATCH
2009-08-14 11:41 . 2009-05-30 11:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 09:01 . 2009-02-05 03:27 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-21 21:40 . 2007-10-27 18:03 -------- d-----w- c:\program files\iTunes
2009-07-21 21:40 . 2006-04-09 21:36 -------- d-----w- c:\program files\iPod
2009-07-21 21:40 . 2009-02-19 21:10 -------- d-----w- c:\program files\Common Files\Apple
2009-07-21 21:31 . 2009-07-21 21:31 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-17 19:01 . 2009-02-05 03:28 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-09-22 23:46 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-29 16:12 . 2009-02-05 03:27 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-02-05 03:28 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2004-08-29 21:19 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-08-18 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2009-02-05 03:27 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-11 15:44 . 2002-11-21 21:00 209440 -c--a-w- c:\documents and settings\Lonny Chant\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-11 15:33 . 2009-06-11 15:33 36864 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\{80E158EA-7181-40FE-A701-301CE6BE64AB}\PostBuild.exe
2009-06-10 14:13 . 2009-02-05 03:28 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2009-02-05 03:27 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2009-02-05 03:27 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 15:42 . 2009-05-13 19:15 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2009-02-19 21:11 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2009-02-05 03:27 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2006-01-20 00:23 . 2006-01-20 00:23 3072 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-01-20 00:23 . 2006-01-20 00:23 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-19 149280]
c:\documents and settings\Lonny Chant\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.e\0smrgdf c:\program files\iolo\System Mechanic Professional 6\\0iolobtdfg c:\windows\system32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"ATI Smart"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPWITOOLBOX"=c:\program files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"ioloDelayModule"=c:\program files\iolo\System Mechanic Professional 6\delay.exe
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\SYSTEM32\DRIVERS\ppa.sys [2/7/2003 12:37 PM 17792]
R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 5:04 AM 18088]
R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [10/9/2002 10:36 AM 4064]
R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [6/10/2008 2:28 PM 243200]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/14/2009 7:40 AM 232720]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [8/14/2009 7:40 AM 19096]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys --> c:\windows\system32\DRIVERS\ADSFilter.sys [?]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\DRIVERS\ati2mpaa.sys --> c:\windows\system32\DRIVERS\ati2mpaa.sys [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 RTCore32;RTCore32;c:\program files\RightMark Memory Analyzer\RTCore32.sys [6/10/2008 2:33 PM 4608]
.
Contents of the 'Scheduled Tasks' folder
2009-06-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2005-12-09 19:45]
2009-08-16 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-03-09 18:39]
.
.
------- Supplementary Scan -------
.
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Lonny Chant\Application Data\Mozilla\Firefox\Profiles\h5abj7co.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 11:12
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\LP*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"nf\\cx_08948.inf\00"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\}›őw”¶*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.5004"
"DeviceInstanceIds"=multi:"\00"
[HKEY_LOCAL_MACHINE\software\swearware\backup\winsock2]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
- - - - - - - > 'explorer.exe'(3040)
c:\windows\system32\WININET.dll
c:\windows\system32\wuaucpl.old.cpl
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-23 11:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-23 15:22
ComboFix2.txt 2009-08-18 13:17
Pre-Run: 13,385,707,520 bytes free
Post-Run: 13,315,846,144 bytes free
Current=5 Default=5 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
421 --- E O F --- 2009-08-13 03:40
lonomatik
2009-08-24, 03:48
the KAS log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, August 23, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, August 23, 2009 18:15:43
Records in database: 2681285
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan statistics:
Objects scanned: 117936
Threats found: 10
Infected objects found: 52
Suspicious objects found: 0
Scan duration: 06:24:26
File name / Threat / Threats count
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018463.dll.bac_a01676 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018464.exe.bac_a01676 Infected: Trojan-Downloader.Win32.Adload.aq 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018465.dll.bac_a01676 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018466.exe.bac_a01676 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018467.exe.bac_a01676 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018468.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018469.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018470.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018471.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018472.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc10.dll.bac_a00192 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc11.exe.bac_a00192 Infected: Trojan-Downloader.Win32.Adload.aq 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc12.dll.bac_a00192 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc6.exe.bac_a01256 Infected: Trojan-Downloader.Win32.Small.dkt 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc67.exe.bac_a01920 Infected: Trojan-Downloader.Win32.Small.dam 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc8.exe.bac_a00192 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc9.exe.bac_a00192 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\internetoloper.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\mwtanowo.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\phqghume.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\qdmbbqec.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\vtcalhel.exe.bac_a01280 Infected: Trojan-Downloader.Win32.Small.dam 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\yunfyiwe.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018463.dll.bac_a01676 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018464.exe.bac_a01676 Infected: Trojan-Downloader.Win32.Adload.aq 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018465.dll.bac_a01676 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018466.exe.bac_a01676 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018467.exe.bac_a01676 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018468.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018469.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018470.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018471.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018472.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc10.dll.bac_a00192 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc11.exe.bac_a00192 Infected: Trojan-Downloader.Win32.Adload.aq 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc12.dll.bac_a00192 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc6.exe.bac_a01256 Infected: Trojan-Downloader.Win32.Small.dkt 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc67.exe.bac_a01920 Infected: Trojan-Downloader.Win32.Small.dam 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc8.exe.bac_a00192 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc9.exe.bac_a00192 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\internetoloper.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\mwtanowo.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\phqghume.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\qdmbbqec.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\vtcalhel.exe.bac_a01280 Infected: Trojan-Downloader.Win32.Small.dam 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\yunfyiwe.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETpfwkkpba.dll.vir Infected: Trojan.Win32.Tdss.anus 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETyxumoavk.dll.vir Infected: Trojan.Win32.Tdss.anuv 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP914\A0237591.dll Infected: Trojan.Win32.Tdss.anus 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP914\A0237592.dll Infected: Trojan.Win32.Tdss.anuv 1
F:\torrents\!Nero 8 ULTRA Edition with Keygen Working and Tested!\!Nero 8 ULTRA Edition with Keygen Working and Tested!\keymakers 1.exe Infected: Trojan-Downloader.Win32.VB.gix 1
Selected area has been scanned.
---and the fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:05 PM, on 8/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218053295500
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233702376765
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Issicpmkcsvs - S3/Diamond Multimedia Systems - C:\WINDOWS\System32\drivers\RIODRV.SYS
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Conexant - (no file)
--
End of file - 5177 bytes
Uninstall old Adobe Reader versions and get the latest one (9.1 + updates 9.1.2 & 9.1.3) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).
Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). Fresh version can be obtained here (http://get.adobe.com/flashplayer/).
Uninstall these vulnerable Javas:
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018463.dll.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018464.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018465.dll.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018466.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018467.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018468.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018469.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018470.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018471.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018472.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc10.dll.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc11.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc12.dll.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc6.exe.bac_a01256
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc67.exe.bac_a01920
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc8.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc9.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\internetoloper.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\mwtanowo.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\phqghume.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\qdmbbqec.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\vtcalhel.exe.bac_a01280
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\yunfyiwe.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018463.dll.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018464.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018465.dll.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018466.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018467.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018468.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018469.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018470.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018471.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018472.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc10.dll.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc11.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc12.dll.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc6.exe.bac_a01256
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc67.exe.bac_a01920
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc8.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc9.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\internetoloper.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\mwtanowo.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\phqghume.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\qdmbbqec.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\vtcalhel.exe.bac_a01280
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\yunfyiwe.exe.bac_a00192
Folder::
F:\torrents\!Nero 8 ULTRA Edition with Keygen Working and Tested!
FixCSet::
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh hjt log. How's the system running?
lonomatik
2009-08-24, 15:50
the system has been running reasonably well. malwarebytes continues to notify me of a detected infection (just got one now!) but there have been no google redirects. however i really havent done any google searches and not much browsing since this problem occurred. heres the combofix log:
ComboFix 09-08-23.01 - Lonny Chant 08/24/2009 8:12.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1639 [GMT -4:00]
Running from: c:\documents and settings\Lonny Chant\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lonny Chant\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FILE ::
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018463.dll.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018464.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018465.dll.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018466.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018467.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018468.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018469.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018470.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018471.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018472.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\Dc10.dll.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\Dc11.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\Dc12.dll.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\Dc6.exe.bac_a01256"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\Dc67.exe.bac_a01920"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\Dc8.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\Dc9.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\internetoloper.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\mwtanowo.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\phqghume.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\qdmbbqec.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\vtcalhel.exe.bac_a01280"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\yunfyiwe.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018463.dll.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018464.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018465.dll.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018466.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018467.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018468.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018469.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018470.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018471.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018472.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\Dc10.dll.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\Dc11.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\Dc12.dll.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\Dc6.exe.bac_a01256"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\Dc67.exe.bac_a01920"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\Dc8.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\Dc9.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\internetoloper.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\mwtanowo.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\phqghume.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\qdmbbqec.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\vtcalhel.exe.bac_a01280"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\yunfyiwe.exe.bac_a00192"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
f:\torrents\!Nero 8 ULTRA Edition with Keygen Working and Tested!
f:\torrents\!Nero 8 ULTRA Edition with Keygen Working and Tested!\!Nero 8 ULTRA Edition with Keygen Working and Tested!\keymakers 1.exe
f:\torrents\!Nero 8 ULTRA Edition with Keygen Working and Tested!\!Nero 8 ULTRA Edition with Keygen Working and Tested!\Nero-8.3.2.1_eng_trial_2.exe
f:\torrents\!Nero 8 ULTRA Edition with Keygen Working and Tested!\!Nero 8 ULTRA Edition with Keygen Working and Tested!\Serials.txt
.
((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
.
2009-08-19 13:23 . 2009-08-19 13:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-19 13:23 . 2009-08-19 13:23 152576 ----a-w- c:\documents and settings\Lonny Chant\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-19 12:42 . 2009-08-19 12:42 -------- d-----w- c:\program files\ERUNT
2009-08-19 10:33 . 2009-08-19 10:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-08-19 02:30 . 2009-08-19 02:32 -------- d-----w- c:\program files\Malwar
2009-08-18 21:03 . 2009-08-18 21:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-18 17:25 . 2009-08-18 17:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-18 12:06 . 2009-08-18 12:06 -------- d-----w- C:\rsit
2009-08-18 12:02 . 2009-08-18 12:02 -------- d-----w- c:\documents and settings\Lonny Chant\.SunDownloadManager
2009-08-16 00:47 . 2009-08-16 00:47 -------- d-----w- c:\program files\Trend Micro
2009-08-14 14:28 . 2009-08-14 14:45 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\IObit
2009-08-14 14:28 . 2009-08-14 14:28 -------- d-----w- c:\program files\IObit
2009-08-14 11:40 . 2009-08-14 11:40 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-14 11:40 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 11:40 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 18:49 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-24 12:00 . 2005-03-14 03:19 -------- d-----w- c:\program files\Java
2009-08-23 15:08 . 2008-03-07 08:49 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\Ahead
2009-08-23 15:08 . 2005-03-08 19:14 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\AdobeUM
2009-08-23 15:08 . 2007-03-13 20:47 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\acccore
2009-08-23 15:08 . 2005-03-22 17:02 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\.BitTornado
2009-08-23 13:26 . 2006-05-29 23:24 -------- d-----w- c:\program files\bl
2009-08-19 13:17 . 2007-07-04 00:46 -------- d-----w- c:\program files\Steam
2009-08-18 20:43 . 2004-01-03 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-18 20:42 . 2008-03-11 11:54 -------- d-----w- c:\program files\CCleaner
2009-08-18 20:23 . 2005-02-16 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-18 15:15 . 2009-08-18 15:56 11264 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-08-18 15:15 . 2009-08-18 15:56 3396608 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-08-18 13:21 . 2009-08-18 13:52 13824 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-08-18 13:21 . 2009-08-18 13:52 3396096 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-08-18 13:08 . 2009-08-18 13:21 3396096 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-08-18 13:08 . 2009-08-18 13:21 44032 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-08-17 10:34 . 2005-02-16 15:00 48622851 -c--a-w- c:\windows\Internet Logs\tvDebug.zip
2009-08-15 23:50 . 2002-10-04 20:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-15 22:24 . 2009-08-15 22:24 3391488 ----a-w- c:\windows\Internet Logs\xDB9A.tmp
2009-08-15 22:24 . 2009-08-15 22:24 25600 ----a-w- c:\windows\Internet Logs\xDB99.tmp
2009-08-15 20:48 . 2009-08-15 20:48 3390976 ----a-w- c:\windows\Internet Logs\xDB72.tmp
2009-08-15 20:48 . 2009-08-15 20:48 3000832 ----a-w- c:\windows\Internet Logs\xDB71.tmp
2009-08-14 14:44 . 2008-06-10 18:33 -------- d-----w- c:\program files\RightMark Memory Analyzer
2009-08-14 14:44 . 2008-03-04 14:35 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\Vso
2009-08-14 14:44 . 2007-12-24 15:30 -------- d-----w- c:\program files\EarthLink TotalAccess
2009-08-14 14:44 . 2003-03-07 23:56 -------- d-----w- c:\program files\DivX
2009-08-14 14:44 . 2002-10-04 20:52 -------- d-----w- c:\program files\MUSICMATCH
2009-08-14 11:41 . 2009-05-30 11:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 09:01 . 2009-02-05 03:27 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-21 21:40 . 2007-10-27 18:03 -------- d-----w- c:\program files\iTunes
2009-07-21 21:40 . 2006-04-09 21:36 -------- d-----w- c:\program files\iPod
2009-07-21 21:40 . 2009-02-19 21:10 -------- d-----w- c:\program files\Common Files\Apple
2009-07-21 21:31 . 2009-07-21 21:31 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-17 19:01 . 2009-02-05 03:28 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-09-22 23:46 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-29 16:12 . 2009-02-05 03:27 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-02-05 03:28 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2004-08-29 21:19 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-08-18 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2009-02-05 03:27 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-11 15:44 . 2002-11-21 21:00 209440 -c--a-w- c:\documents and settings\Lonny Chant\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-11 15:33 . 2009-06-11 15:33 36864 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\{80E158EA-7181-40FE-A701-301CE6BE64AB}\PostBuild.exe
2009-06-10 14:13 . 2009-02-05 03:28 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2009-02-05 03:27 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2009-02-05 03:27 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 15:42 . 2009-05-13 19:15 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2009-02-19 21:11 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2009-02-05 03:27 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2006-01-20 00:23 . 2006-01-20 00:23 3072 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-01-20 00:23 . 2006-01-20 00:23 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-23_15.13.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-24 12:21 . 2009-08-24 12:21 16384 c:\windows\temp\Perflib_Perfdata_734.dat
+ 2009-08-24 12:21 . 2009-08-24 12:21 16384 c:\windows\temp\Perflib_Perfdata_558.dat
+ 2008-11-14 02:23 . 2009-08-24 12:04 84661 c:\windows\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
- 2008-11-14 02:23 . 2009-03-27 10:53 84661 c:\windows\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-08-24 10:36 . 2009-08-24 10:36 266240 c:\windows\ERDNT\AutoBackup\8-24-2009\Users\00000002\UsrClass.dat
+ 2009-08-24 10:36 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\8-24-2009\ERDNT.EXE
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2009-08-24 10:36 . 2009-08-24 10:36 13410304 c:\windows\ERDNT\AutoBackup\8-24-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-19 149280]
c:\documents and settings\Lonny Chant\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.e\0smrgdf c:\program files\iolo\System Mechanic Professional 6\\0iolobtdfg c:\windows\system32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"ATI Smart"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPWITOOLBOX"=c:\program files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"ioloDelayModule"=c:\program files\iolo\System Mechanic Professional 6\delay.exe
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\SYSTEM32\DRIVERS\ppa.sys [2/7/2003 12:37 PM 17792]
R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 5:04 AM 18088]
R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [10/9/2002 10:36 AM 4064]
R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [6/10/2008 2:28 PM 243200]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/14/2009 7:40 AM 232720]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [8/14/2009 7:40 AM 19096]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys --> c:\windows\system32\DRIVERS\ADSFilter.sys [?]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\DRIVERS\ati2mpaa.sys --> c:\windows\system32\DRIVERS\ati2mpaa.sys [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 RTCore32;RTCore32;c:\program files\RightMark Memory Analyzer\RTCore32.sys [6/10/2008 2:33 PM 4608]
.
Contents of the 'Scheduled Tasks' folder
2009-06-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2005-12-09 19:45]
2009-08-16 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-03-09 18:39]
.
.
------- Supplementary Scan -------
.
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Lonny Chant\Application Data\Mozilla\Firefox\Profiles\h5abj7co.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 08:22
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\LP*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"nf\\cx_08948.inf\00"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\}›őw”¶*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.5004"
"DeviceInstanceIds"=multi:"\00"
[HKEY_LOCAL_MACHINE\software\swearware\backup\winsock2]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
- - - - - - - > 'explorer.exe'(1980)
c:\windows\system32\WININET.dll
c:\windows\system32\wuaucpl.old.cpl
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-24 8:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-24 12:32
ComboFix2.txt 2009-08-23 15:22
ComboFix3.txt 2009-08-18 13:17
Pre-Run: 13,629,009,920 bytes free
Post-Run: 13,654,831,104 bytes free
274 --- E O F --- 2009-08-13 03:40
lonomatik
2009-08-24, 15:51
the latest HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:44 AM, on 8/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218053295500
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233702376765
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Issicpmkcsvs - S3/Diamond Multimedia Systems - C:\WINDOWS\System32\drivers\RIODRV.SYS
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Conexant - (no file)
--
End of file - 5429 bytes
malwarebytes continues to notify me of a detected infection (just got one now!)
Hi,
In which locations are those detections made?
lonomatik
2009-08-24, 22:53
the warnings come in the form of popups from the malwarebytes icon in the system tray when firefox is open and online. it provides no other details except for a sequence of 2 digit numbers separated by periods.
Could you grab a screenshot of those warnings?
lonomatik
2009-08-25, 15:37
here it is:
http://img.photobucket.com/albums/v201/hollowpointstudio/mbamalert.jpg
the number is obviously an IP address. guess i wasnt paying close attention when i first noticed it. anyways i'm not browsing in any sketchy websites, so i'm not quite sure why this is popping up.
lonomatik
2009-08-25, 15:39
btw-- if i try to click on it for more info it simply disappears as if it was never there.
Please take a look at this (http://www.malwarebytes.org/forums/index.php?showtopic=21836) topic.
lonomatik
2009-08-26, 14:58
okay, i followed and read the link. i d/l AVIRA and did a scan. the first scan turned up 77 problems/infections! heres the logfile:
Avira AntiVir Personal
Report file date: Tuesday, August 25, 2009 16:32
Scanning for 1660377 virus strains and unwanted programs.
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : HPS
Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 18:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 14:21:42
ANTIVIR2.VDF : 7.1.5.146 3087360 Bytes 8/21/2009 15:08:57
ANTIVIR3.VDF : 7.1.5.160 129024 Bytes 8/25/2009 15:08:59
Engineversion : 8.2.1.3
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 18:31:50
AESCRIPT.DLL : 8.1.2.25 459130 Bytes 8/25/2009 15:09:14
AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 14:59:39
AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 14:59:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 18:31:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 14:59:39
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 8/25/2009 15:09:12
AEHELP.DLL : 8.1.6.0 233846 Bytes 8/25/2009 15:09:02
AEGEN.DLL : 8.1.1.57 356725 Bytes 8/25/2009 15:09:01
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 14:59:39
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, F:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: Tuesday, August 25, 2009 16:32
Starting search for hidden objects.
'55865' objects were checked, '0' hidden objects were found.
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RichVideo.exe' - '1' Module(s) have been scanned
Scan process 'mbamservice.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'CachemanXP.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'mbamgui.exe' - '1' Module(s) have been scanned
Scan process 'ipoint.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!
Starting to scan executable files (registry).
The registry was scanned ( '46' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Qoobox\Quarantine\[4]-Submit_2009-08-24_08.10.42.zip
[0] Archive type: ZIP
--> A0018463.dll.bac_a01676
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> A0018464.exe.bac_a01676
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> A0018465.dll.bac_a01676
[1] Archive type: HIDDEN
--> MEM\AV00029d15.AV$
[DETECTION] Is the TR/Dldr.VB.aan.1 Trojan
--> A0018466.exe.bac_a01676
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> A0018467.exe.bac_a01676
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> A0018468.exe.bac_a01676
[1] Archive type: HIDDEN
--> MEM\AV00029d18.AV$
[DETECTION] Is the TR/Dldr.Agent.QO Trojan
--> A0018469.exe.bac_a01676
[1] Archive type: HIDDEN
--> MEM\AV00029d19.AV$
[DETECTION] Is the TR/Tibs.E Trojan
--> A0018470.exe.bac_a01676
[1] Archive type: HIDDEN
--> MEM\AV00029d1a.AV$
[DETECTION] Is the TR/Tibs.E Trojan
--> A0018471.exe.bac_a01676
[1] Archive type: HIDDEN
--> MEM\AV00029d1b.AV$
[DETECTION] Is the TR/Tibs.E Trojan
--> A0018472.exe.bac_a01676
[1] Archive type: HIDDEN
--> MEM\AV00029d1c.AV$
[DETECTION] Is the TR/Tibs.E Trojan
--> Dc10.dll.bac_a00192
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> Dc11.exe.bac_a00192
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> Dc12.dll.bac_a00192
[1] Archive type: HIDDEN
--> MEM\AV00029d1f.AV$
[DETECTION] Is the TR/Dldr.VB.aan.1 Trojan
--> Dc6.exe.bac_a01256
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.F.Gen Trojan
--> Dc67.exe.bac_a01920
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.F.Gen Trojan
--> Dc8.exe.bac_a00192
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> Dc9.exe.bac_a00192
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> internetoloper.exe.bac_a00192
[1] Archive type: HIDDEN
--> MEM\AV00029d24.AV$
[DETECTION] Is the TR/Dldr.Agent.QO Trojan
--> mwtanowo.exe.bac_a00192
[1] Archive type: HIDDEN
--> MEM\AV00029d25.AV$
[DETECTION] Is the TR/Tibs.E Trojan
--> phqghume.exe.bac_a00192
[1] Archive type: HIDDEN
--> MEM\AV00029d26.AV$
[DETECTION] Is the TR/Tibs.E Trojan
--> qdmbbqec.exe.bac_a00192
[1] Archive type: HIDDEN
--> MEM\AV00029d27.AV$
[DETECTION] Is the TR/Tibs.E Trojan
--> vtcalhel.exe.bac_a01280
[1] Archive type: HIDDEN
--> MEM\AV00029d28.AV$
[DETECTION] Is the TR/Dldr.Botol.C.1 Trojan
--> yunfyiwe.exe.bac_a00192
[1] Archive type: HIDDEN
--> MEM\AV00029d29.AV$
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018463.dll.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018464.exe.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018465.dll.bac_a01676.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018465.dll.bac_a01676.vir
[DETECTION] Is the TR/Dldr.VB.aan.1 Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018466.exe.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018467.exe.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018468.exe.bac_a01676.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018468.exe.bac_a01676.vir
[DETECTION] Is the TR/Dldr.Agent.QO Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018469.exe.bac_a01676.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018469.exe.bac_a01676.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018470.exe.bac_a01676.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018470.exe.bac_a01676.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018471.exe.bac_a01676.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018471.exe.bac_a01676.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018472.exe.bac_a01676.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018472.exe.bac_a01676.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc10.dll.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc11.exe.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc12.dll.bac_a00192.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc12.dll.bac_a00192.vir
[DETECTION] Is the TR/Dldr.VB.aan.1 Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc6.exe.bac_a01256.vir
[DETECTION] Is the TR/Crypt.F.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc67.exe.bac_a01920.vir
[DETECTION] Is the TR/Crypt.F.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc8.exe.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc9.exe.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\internetoloper.exe.bac_a00192.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\internetoloper.exe.bac_a00192.vir
[DETECTION] Is the TR/Dldr.Agent.QO Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\mwtanowo.exe.bac_a00192.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\mwtanowo.exe.bac_a00192.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\phqghume.exe.bac_a00192.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\phqghume.exe.bac_a00192.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\qdmbbqec.exe.bac_a00192.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\qdmbbqec.exe.bac_a00192.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\vtcalhel.exe.bac_a01280.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\vtcalhel.exe.bac_a01280.vir
[DETECTION] Is the TR/Dldr.Botol.C.1 Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\yunfyiwe.exe.bac_a00192.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\yunfyiwe.exe.bac_a00192.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018463.dll.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018464.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018465.dll.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018466.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018467.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018468.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018469.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018470.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018471.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018472.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc10.dll.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc11.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc12.dll.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc6.exe.bac_a01256.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc67.exe.bac_a01920.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc8.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc9.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\internetoloper.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\mwtanowo.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\phqghume.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\qdmbbqec.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\vtcalhel.exe.bac_a01280.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\yunfyiwe.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\.BitTornado\moha.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\acccore\reniga.dll.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\AdobeUM\horsi.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\Ahead\megalon.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETpfwkkpba.dll.vir
[DETECTION] Is the TR/TDss.anus Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETyxumoavk.dll.vir
[DETECTION] Is the TR/TDss.anuv Trojan
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'F:\' <New Volume>
F:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
F:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP923\A0238540.exe
[DETECTION] Contains recognition pattern of the DR/Dldr.VB.gix.25 dropper
F:\torrents\VueScan Professional Edition 8.4.06\Keygen.exe
[DETECTION] Is the TR/Packed.25689 Trojan
Beginning disinfection:
C:\Qoobox\Quarantine\[4]-Submit_2009-08-24_08.10.42.zip
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018463.dll.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018464.exe.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018465.dll.bac_a01676.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018466.exe.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018467.exe.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018468.exe.bac_a01676.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018469.exe.bac_a01676.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018470.exe.bac_a01676.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018471.exe.bac_a01676.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018472.exe.bac_a01676.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc10.dll.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc11.exe.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc12.dll.bac_a00192.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc6.exe.bac_a01256.vir
[DETECTION] Is the TR/Crypt.F.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc67.exe.bac_a01920.vir
[DETECTION] Is the TR/Crypt.F.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc8.exe.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc9.exe.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\internetoloper.exe.bac_a00192.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\mwtanowo.exe.bac_a00192.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\phqghume.exe.bac_a00192.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\qdmbbqec.exe.bac_a00192.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\vtcalhel.exe.bac_a01280.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\yunfyiwe.exe.bac_a00192.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018463.dll.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018464.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018465.dll.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018466.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018467.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018468.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018469.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018470.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018471.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018472.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc10.dll.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc11.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc12.dll.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc6.exe.bac_a01256.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc67.exe.bac_a01920.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc8.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc9.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\internetoloper.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\mwtanowo.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\phqghume.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\qdmbbqec.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\vtcalhel.exe.bac_a01280.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\yunfyiwe.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\.BitTornado\moha.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\acccore\reniga.dll.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\AdobeUM\horsi.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\Ahead\megalon.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETpfwkkpba.dll.vir
[DETECTION] Is the TR/TDss.anus Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETyxumoavk.dll.vir
[DETECTION] Is the TR/TDss.anuv Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
F:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP923\A0238540.exe
[DETECTION] Contains recognition pattern of the DR/Dldr.VB.gix.25 dropper
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
F:\torrents\VueScan Professional Edition 8.4.06\Keygen.exe
[DETECTION] Is the TR/Packed.25689 Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
End of the scan: Tuesday, August 25, 2009 23:49
Used time: 1:43:24 Hour(s)
The scan has been done completely.
11308 Scanned directories
371051 Files were scanned
77 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
3 Files cannot be scanned
370971 Files not concerned
7537 Archives were scanned
58 Warnings
57 Notes
55865 Objects were scanned with rootkit scan
0 Hidden objects were found
lonomatik
2009-08-26, 15:00
i used AVIRA again after a reboot and it turned up only 1 problem which was quarantined. heres the log:
Avira AntiVir Personal
Report file date: Tuesday, August 25, 2009 23:56
Scanning for 1662031 virus strains and unwanted programs.
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : HPS
Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 18:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 14:21:42
ANTIVIR2.VDF : 7.1.5.146 3087360 Bytes 8/21/2009 15:08:57
ANTIVIR3.VDF : 7.1.5.162 149504 Bytes 8/25/2009 03:55:14
Engineversion : 8.2.1.3
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 18:31:50
AESCRIPT.DLL : 8.1.2.25 459130 Bytes 8/25/2009 15:09:14
AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 14:59:39
AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 14:59:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 18:31:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 14:59:39
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 8/25/2009 15:09:12
AEHELP.DLL : 8.1.6.0 233846 Bytes 8/25/2009 15:09:02
AEGEN.DLL : 8.1.1.57 356725 Bytes 8/25/2009 15:09:01
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 14:59:39
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, F:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: Tuesday, August 25, 2009 23:56
Starting search for hidden objects.
'55984' objects were checked, '0' hidden objects were found.
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RichVideo.exe' - '1' Module(s) have been scanned
Scan process 'mbamservice.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'CachemanXP.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'ipoint.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!
Starting to scan executable files (registry).
The registry was scanned ( '46' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'F:\' <New Volume>
F:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
F:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP925\A0238842.exe
[DETECTION] Is the TR/Packed.25689 Trojan
Beginning disinfection:
F:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP925\A0238842.exe
[DETECTION] Is the TR/Packed.25689 Trojan
[NOTE] The file was moved to '4ac716d6.qua'!
End of the scan: Wednesday, August 26, 2009 07:04
Used time: 1:11:45 Hour(s)
The scan has been done completely.
11320 Scanned directories
371114 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
3 Files cannot be scanned
371110 Files not concerned
7549 Archives were scanned
3 Warnings
3 Notes
55984 Objects were scanned with rootkit scan
0 Hidden objects were found
Hi,
System restore will be resetted as a final step. Before that and other final things, please post a fresh hjt log.
lonomatik
2009-08-26, 21:36
fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:34 PM, on 8/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218053295500
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233702376765
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Issicpmkcsvs - S3/Diamond Multimedia Systems - C:\WINDOWS\System32\drivers\RIODRV.SYS
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Conexant - (no file)
--
End of file - 6193 bytes
Hi,
Your present Spybot version is 1.4, right? If so, please uninstall it and get the latest one here (http://www.safer-networking.org/en/spybotsd/index.html).
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
Now lets uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /u in the runbox and click OK
Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
lonomatik
2009-08-27, 16:40
hi! according to my control panel/add/remove i have two SPYBOT programs installed. one is version 1.6 and the other is 1.4. should i uninstall the 1.4 version then?
Yes, uninstall 1.4 version.
lonomatik
2009-08-28, 16:25
hello-- the system is running well. i've done everything you instructed me to do in the previous post. however, that Malwarebytes popup is still appearing when i'm online. i did another AVIRA scan and it came back clean except for 3 warnings. i've copy/pasted them here:
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'F:\' <New Volume>
F:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
the only one i'm curious/worried about is the sptd.sys file. i googled it but get conflicting information on it, so i thot i might check with you.
thanks again for the great help and assistance btw!
Hi,
That file belongs to Daemon Tools (not malicious). Have you had such software installed there?
lonomatik
2009-08-28, 17:44
it prolly was installed on the system at one time. i know i've installed similar programs previously, but i've always ended up removing them. should i bother trying to get rid of it, or is it simply harmless and better left alone?
It's harmless and I'd leave it alone :)
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.