DarthAnalyst
2011-03-29, 19:38
Thanks in advance for any assistance!
It seems to be going around, but Spybot has repeatedly found and "removed" Click.Giftload. In looking over the board, I can see a recurring theme (don't trust the computer after this issue). Provided I'm not special and would get the same advice, how safe is it to back up files from the infected computer to a portable drive and then put them back onto the computer after a reformat and reinstall of Windows?
Background:
The first sign of trouble was a blue screen of death, seemingly related to my wireless adapter. After using Safe Mode to run Spybot and then also reinstall the adapter, the computer will boot, but symptoms are slow IE response, busy svchost.exe, and inability to load the Windows Update page.
DDS log and Spybot results are posted below:
****** DDS Log ******
.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Steve at 9:49:52.09 on Tue 03/29/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1655 [GMT -6:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: AntiVir Desktop *Disabled/Outdated* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Norton Internet Security *Enabled*
FW: Avira FireWall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Temp\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = https://www.paypal.com/
mWindow Title = Jingle Board
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SwiftToDoList] "c:\program files\swift to-do list\Swift To-Do List.exe" -minimized
uRun: [Google Update] "c:\documents and settings\steve\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [EPSON Stylus CX5400] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\network usb hub control center\Connect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\getright.lnk - c:\program files\getright\GetRight.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\dwa-643 reva\wirelesscm.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1283221047670
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1301282463467
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1205000.07d\symds.sys [2011-3-28 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1205000.07d\symefa.sys [2011-3-28 652336]
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [2011-3-29 102856]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [2011-3-29 79432]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2011-3-28 57440]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-31 11608]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110309.001\BHDrvx86.sys [2011-3-9 800376]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1205000.07d\ironx86.sys [2011-3-28 136312]
S2 AntiVirFirewallService;Avira FireWall;c:\program files\avira\antivir desktop\avfwsvc.exe [2011-3-29 539304]
S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2010-8-31 339624]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-31 135336]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-31 269480]
S2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2010-8-31 421032]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-31 61960]
S2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
S2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.5.0.125\ccsvchst.exe [2011-3-28 130000]
S2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [2011-3-28 20480]
S2 WLSVC;WLSVC;c:\program files\d-link\dwa-643 reva\WLSVC.exe [2011-3-28 167936]
S3 AllShare;SAMSUNG AllShare Service;c:\program files\samsung\samsung pc share manager\WiselinkPro.exe [2010-7-16 6638080]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-3-28 102448]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110325.001\IDSXpx86.sys [2011-3-28 341944]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-8-31 105984]
S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\d-link\dwa-643 reva\jswpsapi.exe [2011-3-28 356433]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110328.032\NAVENG.SYS [2011-3-28 86008]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110328.032\NAVEX15.SYS [2011-3-28 1360760]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2007-9-27 79232]
.
=============== Created Last 30 ================
.
2011-03-29 13:53:51 625664 ----a-w- c:\temp\dds.scr
2011-03-29 13:51:42 791393 ----a-w- c:\temp\erunt-setup.exe
2011-03-29 13:45:35 301568 ----a-w- c:\temp\jg1nfds1.exe
2011-03-29 13:17:21 79432 ----a-w- c:\windows\system32\drivers\avfwim.sys
2011-03-29 13:17:21 102856 ----a-w- c:\windows\system32\drivers\avfwot.sys
2011-03-29 13:10:30 825064 ----a-w- c:\temp\avira_premium_security_suite.exe
2011-03-29 02:48:50 57440 ----a-w- c:\windows\system32\jswscimd.sys
2011-03-29 02:48:50 57440 ----a-w- c:\windows\system32\drivers\jswscimd.sys
2011-03-29 02:48:50 405582 ----a-w- c:\windows\system32\jswscsup.dll
2011-03-29 02:48:46 20480 ----a-w- c:\windows\system32\wlndis50.sys
2011-03-29 02:48:46 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys
2011-03-29 02:48:13 -------- d-----w- c:\windows\LastGood.Tmp
2011-03-29 02:48:12 1581792 ----a-w- c:\windows\system32\drivers\athw.sys
2011-03-29 02:48:12 -------- d-----w- c:\windows\pcidevice
2011-03-28 17:05:42 330360 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symtdiv.sys
2011-03-28 17:05:41 368248 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symtdi.sys
2011-03-28 17:05:41 295032 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symnets.sys
2011-03-28 17:05:40 652336 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symefa.sys
2011-03-28 17:05:39 50168 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\srtspx.sys
2011-03-28 17:05:39 340016 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symds.sys
2011-03-28 17:05:38 509560 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\srtsp.sys
2011-03-28 17:05:38 136312 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\ironx86.sys
2011-03-28 17:03:23 -------- d-----w- c:\windows\system32\drivers\nis\1205000.07D
2011-03-28 16:48:56 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-03-28 16:48:56 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-03-28 16:48:56 -------- d-----w- c:\program files\Symantec
2011-03-28 16:48:56 -------- d-----w- c:\program files\common files\Symantec Shared
2011-03-28 16:47:34 -------- d-----w- c:\windows\system32\drivers\NIS
2011-03-28 16:47:28 -------- d-----w- c:\program files\Norton Internet Security
2011-03-28 16:47:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-03-28 16:45:19 -------- d-----w- c:\program files\NortonInstaller
2011-03-28 16:45:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2011-03-28 16:39:42 119636624 ----a-w- c:\temp\NIS_18.1.0.37_SYMTB_CNET_LOEM_MRFTT_176_5407_P.exe
2011-03-28 15:37:12 -------- dc-h--w- c:\windows\ie8
2011-03-27 20:55:31 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-27 20:55:31 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-27 20:51:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\D-Link
2011-03-27 06:06:25 0 ----a-w- c:\windows\Msupeqeqaluxo.bin
2011-03-27 06:06:09 -------- d-----w- c:\docume~1\steve\locals~1\applic~1\{C118AB6C-E271-4498-9705-2D4420AF96DA}
2011-03-12 18:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-03-08 01:08:54 -------- d-----w- c:\program files\Research In Motion Limited
2011-03-06 08:13:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-06 08:13:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-06 08:07:56 -------- d-----w- c:\program files\Wise Registry Cleaner
2011-03-06 07:44:41 -------- d-----w- c:\docume~1\steve\applic~1\Sammsoft
2011-03-06 07:43:59 -------- d-----w- c:\program files\Advanced Registry Optimizer
2011-03-06 07:43:03 -------- d-----w- c:\docume~1\steve\locals~1\applic~1\OpenCandy
2011-03-06 07:43:01 -------- d-----w- c:\docume~1\steve\applic~1\OpenCandy
2011-03-05 17:28:25 -------- d-----w- c:\docume~1\steve\locals~1\applic~1\Temp
2011-03-05 17:28:20 -------- d-----w- c:\docume~1\steve\locals~1\applic~1\Google
2011-03-05 17:28:07 -------- d-----w- c:\docume~1\steve\locals~1\applic~1\Deployment
.
==================== Find3M ====================
.
2011-03-27 23:49:24 7 ----a-w- c:\windows\treeskp.sys
2011-03-27 23:49:24 7 ----a-w- c:\windows\sbacknt.bin
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHY2120BH rev.0085000B -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A522439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5287d0]; MOV EAX, [0x8a52884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A5CBAB8]
3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8A4B3368]
\Driver\atapi[0x8A51BDD0] -> IRP_MJ_CREATE -> 0x8A522439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskFUJITSU_MHY2120BH_______________________0085000B#5&2747c3d6&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A52227F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 9:52:04.23 ===============
****** Spybot Results ******
Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-03-06 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-03-22 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2011-03-08 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-02-24 Includes\Malware.sbi (*)
2011-03-22 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-15 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-22 Includes\TrojansC-02.sbi (*)
2011-03-03 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-21 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8A4B3368]
\Driver\atapi[0x8A51BDD0] -> IRP_MJ_CREATE -> 0x8A522439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskFUJITSU_MHY2120BH_______________________0085000B#5&2747c3d6&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A52227F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 9:52:04.23 ===============
****** Spybot Results ******
Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-03-06 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-03-22 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2011-03-08 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-02-24 Includes\Malware.sbi (*)
2011-03-22 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-15 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-22 Includes\TrojansC-02.sbi (*)
2011-03-03 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-21 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll