Number of viruses 93, infected objects 719

I didn't do a complete scan with Avira, so I did a full scan. Then I realized most of the 901 viruses were already in quarantine by Spybot and Combofix (and 20 from Avira), so I deleted those and ran another scan. Seems some of the freeware downloads were infected.

----------------------------------------------------------------
FIRST FULL SCAN WITH AVIRA BEFORE DELETING OLD QUARANTINE
----------------------------------------------------------------

End of the scan: Saturday, June 21, 2008 16:34
Used time: 9:58:39 min

The scan has been done completely.

15699 Scanning directories
539792 Files were scanned
901 viruses and/or unwanted programs were found
8 Files were classified as suspicious:
0 files were deleted
0 files were repaired
21 files were moved to quarantine
0 files were renamed
5 Files cannot be scanned
538891 Files not concerned
10486 Archives were scanned
800 Warnings
21 Notes

----------------------------------------------------------------
2ND FULL SCAN WITH AVIRA AFTER DELETING OLD QUARANTINE
----------------------------------------------------------------

Avira AntiVir Personal
Report file date: Saturday, June 21, 2008 18:50

Scanning for 1349608 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: CTV

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 15:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 14:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 14:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 14:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 19:08:58
ANTIVIR2.VDF : 7.0.4.195 2546176 Bytes 6/14/2008 04:07:10
ANTIVIR3.VDF : 7.0.4.232 250880 Bytes 6/20/2008 04:07:12
Engineversion : 8.1.0.59
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 15:58:21
AESCRIPT.DLL : 8.1.0.44 278907 Bytes 6/21/2008 04:07:25
AESCN.DLL : 8.1.0.22 119157 Bytes 6/21/2008 04:07:24
AERDL.DLL : 8.1.0.20 418165 Bytes 6/21/2008 04:07:23
AEPACK.DLL : 8.1.1.6 364918 Bytes 6/21/2008 04:07:22
AEOFFICE.DLL : 8.1.0.20 192891 Bytes 6/21/2008 04:07:21
AEHEUR.DLL : 8.1.0.32 1274231 Bytes 6/21/2008 04:07:21
AEHELP.DLL : 8.1.0.15 115063 Bytes 6/21/2008 04:07:18
AEGEN.DLL : 8.1.0.29 307573 Bytes 6/21/2008 04:07:17
AEEMU.DLL : 8.1.0.6 430451 Bytes 6/21/2008 04:07:15
AECORE.DLL : 8.1.0.31 168310 Bytes 6/21/2008 04:07:13
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/23/2008 23:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 16:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/23/2008 23:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 14:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/23/2008 23:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 20:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 18:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, E:, H:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Saturday, June 21, 2008 18:50

The scan of running processes will be started
Scan process 'avwsc.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'AcroRd32.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'oaui.exe' - '0' Module(s) have been scanned
Scan process 'CTSysVol.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'oasrv.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
21 processes with 21 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!
Boot sector 'H:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '18' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\Installer\{1ad4b29b-ff03-42c5-9803-969fdcb47c9d}\zip.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '48cd9f4b.qua'!
C:\WINDOWS\Installer\{2931ea2a-6692-45ed-8180-2ffc3378c658}\zip.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '48cd9f54.qua'!
C:\WINDOWS\Installer\{29e9372a-d7d2-4003-91ea-da7e38635700}\zip.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '48cd9f55.qua'!
C:\WINDOWS\Installer\{47a73001-2c42-45e0-95ee-64c647a0c7b9}\zip.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '4944b606.qua'!
C:\WINDOWS\Installer\{53b4046e-0116-4d23-b5ce-a76c1a758511}\zip.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '48cd9f56.qua'!
C:\WINDOWS\Installer\{6ea97d2b-af03-4653-9ca0-ff61d00d5cbf}\zip.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '4944b607.qua'!
C:\WINDOWS\Installer\{74fdc03e-393c-4c0d-806a-19b427bfd6c8}\zip.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '48cd9f57.qua'!
C:\WINDOWS\Installer\{ac633de7-14d4-4297-8e5f-613b933fb5ab}\KbdSetup.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '48c19f53.qua'!
C:\WINDOWS\Installer\{d5922084-f076-4b91-abc8-9390f0f76e02}\zip.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '48cd9f5b.qua'!
C:\WINDOWS\Installer\{e82124db-dadc-4f41-977a-12c725dd7cc0}\DrvAvp.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '48d39f64.qua'!
C:\WINDOWS\Installer\{ffec9829-e3c4-4c07-ae34-3eadf8b7a6bf}\zip.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '4944b60c.qua'!
C:\WINDOWS\system32\drivers\OADriver.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\OAmon.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\oanet.sys
[WARNING] The file could not be opened!
C:\_OTMoveIt\MovedFiles\06202008_062618\WINDOWS\Installer\{0bfb355f-1157-4832-81f7-b2da5b3957c7}\zip.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '48cda0e4.qua'!
C:\_OTMoveIt\MovedFiles\06202008_062618\WINDOWS\Installer\{334ff6d0-523d-4f68-828b-09d34d3a6b9a}\zip.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '4941e0d5.qua'!
C:\_OTMoveIt\MovedFiles\06202008_062618\WINDOWS\Installer\{8dceb2ba-45a6-4b83-8580-51cb2b532546}\zip.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '48cda0e6.qua'!
C:\_OTMoveIt\MovedFiles\06202008_062618\WINDOWS\Installer\{9d00dc2b-b071-4706-876d-4bac586f2ab7}\zip.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '48cda0e5.qua'!
C:\_OTMoveIt\MovedFiles\06202008_062618\WINDOWS\Installer\{ac234da1-fa9d-4cff-850c-b9d5e6659f1b}\zip.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '4941e0d6.qua'!
Begin scan in 'E:\' <DSK2_VOL1>
E:\pagefile.sys
[WARNING] The file could not be opened!
E:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026306.exe
[DETECTION] Is the Trojan horse TR/Drop.Halloween.A
[NOTE] The file was moved to '488da33f.qua'!
E:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026307.exe
[DETECTION] Is the Trojan horse TR/Drop.Halloween.A
[NOTE] The file was moved to '488da340.qua'!
Begin scan in 'H:\' <Maxtor 300GB>
H:\C Program Backup Virus Crash 13mar08\CuteComp.exe
[DETECTION] Contains detection pattern of the dropper DR/WhenU.A.112
[NOTE] The file was moved to '48d1a3c0.qua'!
H:\C Program Backup Virus Crash 13mar08\SP-SpookySounds_Install.exe
[0] Archive type: ZIP SFX (self extracting)
--> setup.exe
[DETECTION] Is the Trojan horse TR/Drop.Joiner.DV.2
[NOTE] The file was moved to '488aa3ab.qua'!
H:\C Program Backup Virus Crash 13mar08\Robot Voices\male-voice-american.exe
[DETECTION] Contains detection pattern of the dropper DR/Spy.Delf.FK
[NOTE] The file was moved to '48c9a516.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP59\A0016208.dll
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '488da85b.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026154.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da85d.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026155.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '4904810e.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026156.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da85e.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026157.sys
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '4904810f.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026158.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '488da840.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026159.dll
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '49048111.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026160.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da85f.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026161.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49048130.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026162.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da861.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026163.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048132.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026164.sys
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '488da860.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026165.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49048131.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026166.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da862.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026167.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da863.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026168.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048134.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026169.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '488da865.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026170.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048136.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026171.dll
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '49048133.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026173.sys
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '488da864.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026174.drv
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '49048135.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026175.drv
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '488da866.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026176.dll
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '488da867.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026177.dll
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '49048138.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026178.drv
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '488da869.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026181.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '4904813a.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026182.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '49048137.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026183.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '488da868.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026184.exe
[DETECTION] Is the Trojan horse TR/Spy.Agent.aci
[NOTE] The file was moved to '49048139.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026185.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '488da86b.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026186.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '4904813c.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026187.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '488da86a.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026188.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '4904813b.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026189.exe
[DETECTION] Is the Trojan horse TR/Spy.Agent.aci
[NOTE] The file was moved to '488da86c.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026190.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '488da86d.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026191.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '4904813e.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026192.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '488da86f.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026193.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '49048120.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026194.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '4904813d.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026195.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '488da86e.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026196.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '4904813f.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026197.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '488da810.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026198.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '488da871.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026199.exe
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[NOTE] The file was moved to '49048122.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026200.exe
[DETECTION] Is the Trojan horse TR/Spy.Agent.aci
[NOTE] The file was moved to '488da873.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026201.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '49048141.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026202.exe
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was moved to '488da812.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026203.exe
--> Object
[1] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Click.Agent.WD
[NOTE] The file was moved to '49048143.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026207.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[NOTE] The file was moved to '49048124.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026209.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da814.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026210.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048145.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026214.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[NOTE] The file was moved to '488da875.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026215.exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.MA.3
[NOTE] The file was moved to '49048126.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026216.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da877.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026217.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048128.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026218.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '488da816.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026219.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49048147.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026220.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da818.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026221.drv
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '49048149.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026222.drv
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '488da879.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026223.dll
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '4904812a.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026224.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '488da87b.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026225.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4904812c.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026226.dll
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '488da870.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026227.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49048121.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026228.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '488da872.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026229.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49048123.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026230.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da87d.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026231.dll
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[NOTE] The file was moved to '4904812e.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026232.dll
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '488da87f.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026233.drv
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '490481d0.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026234.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da874.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026235.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048125.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026236.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '488da876.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026237.drv
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '49048127.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026238.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '488da881.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026239.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '490481d2.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026240.sys
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '488da883.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026241.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '490481d4.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026242.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da878.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026243.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048129.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026244.exe
[DETECTION] Contains detection pattern of the worm WORM/Socks.C
[NOTE] The file was moved to '488da87a.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026245.exe
[DETECTION] Is the Trojan horse TR/Hijacker.Gen
[NOTE] The file was moved to '488da885.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026246.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.svf
[NOTE] The file was moved to '490481d6.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026247.exe
[DETECTION] Is the Trojan horse TR/Pakes.cif
[NOTE] The file was moved to '488da887.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026248.exe
[DETECTION] Is the Trojan horse TR/Peed.A.41
[NOTE] The file was moved to '4904812b.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026249.exe
[DETECTION] Is the Trojan horse TR/Clicker.Agent.TP
[NOTE] The file was moved to '488da87c.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026250.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '490481d8.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026251.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da889.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026252.dll
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '490481da.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026253.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da88b.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026254.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4904812d.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026255.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da87e.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026256.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4904812f.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026257.sys
[DETECTION] Contains detection pattern of the worm WORM/Locksky.CM.1
[NOTE] The file was moved to '490481dc.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026258.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da88d.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026259.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '490481de.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026260.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da88f.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026261.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da81a.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026262.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4904814b.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026264.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '490481c0.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026265.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da891.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026266.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da81c.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026267.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '4904814d.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026268.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da81e.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026269.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '490481c2.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026270.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da893.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026271.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '490481c4.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026272.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4904814f.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026273.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '488da800.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026274.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048151.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026275.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da895.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026276.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '490481c6.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026277.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da897.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026283.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '490481c8.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026284.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '488da880.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026285.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '490481d1.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026286.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '488da882.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026287.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da899.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026288.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '490481ca.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026289.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da89b.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026290.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '490481cc.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026291.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '490481d3.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026292.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048f54.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026293.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048f56.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026294.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048f58.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026295.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da884.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026296.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048f55.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026298.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488da886.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026299.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048f5a.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026300.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048f5c.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026301.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048f5e.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026302.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49048f40.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026368.exe
[DETECTION] Contains detection pattern of the dropper DR/WhenU.A.112
[NOTE] The file was moved to '49048f57.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026369.exe
[0] Archive type: ZIP SFX (self extracting)
--> setup.exe
[DETECTION] Is the Trojan horse TR/Drop.Joiner.DV.2
[NOTE] The file was moved to '488da888.qua'!
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026370.exe
[DETECTION] Contains detection pattern of the dropper DR/Spy.Delf.FK
[NOTE] The file was moved to '49048f42.qua'!


End of the scan: Saturday, June 21, 2008 21:19
Used time: 2:28:29 min

The scan has been done completely.

15569 Scanning directories
532542 Files were scanned
157 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
157 files were moved to quarantine
0 files were renamed
5 Files cannot be scanned
532385 Files not concerned
8990 Archives were scanned
5 Warnings
157 Notes
 
SDFix: Version 1.195
Run by John Lee on Sat 06/21/2008 at 23:23

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:13:20, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/September911surprise%20CTV/PirateNews-org/Homepage/index2.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\JOHN LEE\Application Data\Mozilla\Profiles\default\f5sn9q7e.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JOHN LEE\Application Data\Mozilla\Profiles\default\f5sn9q7e.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://www.archive.org
O15 - Trusted Zone: http://tvplanner.comcast.net
O15 - Trusted Zone: http://www.comcast.net
O15 - Trusted Zone: http://www.disabilityforms.com
O15 - Trusted Zone: http://www.fireflyfans.net
O15 - Trusted Zone: http://www.infowars.com
O15 - Trusted Zone: http://www.infowars.net
O15 - Trusted Zone: http://*.infowars.net
O15 - Trusted Zone: http://*.myspace.com
O15 - Trusted Zone: http://ww2.nero.com
O15 - Trusted Zone: http://vhost.oddcast.com
O15 - Trusted Zone: http://flash.picturetail.com
O15 - Trusted Zone: http://www.picturetrail.com
O15 - Trusted Zone: *.picturetrail.com
O15 - Trusted Zone: www.piratenews.org
O15 - Trusted Zone: *.piratenews.org
O15 - Trusted Zone: http://*.piratenews.org
O15 - Trusted Zone: *.piratenews_supremecenter38.com
O15 - Trusted Zone: http://forums.spybot.info
O15 - Trusted Zone: *.supremecenter38.com
O15 - Trusted Zone: http://www.tallemu.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 5104 bytes
 
It took over 45 minutes for SDfix to run Final Check Catchme Rootkit Scan after reboot.

Also noticed that Spybot S&D Teatimer was off for the past 2 weeks. Resident was checked ON in Tools, but apparently it's not really ON without double clicking REPORT. Only then is the Resident Teatimer checkbox visible. Spybot might want to simplify the Teatimer ON/OFF display to make it more obvious. Online Armor Firewall Program Guard was on at all times.




SDFix: Version 1.195
Run by John Lee on Sun 06/22/2008 at 18:20

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\TASKKILL.EXE - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 18:38:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"="C:\\Program Files\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP Client"
"C:\\Program Files\\Conference\\Conference.dll"="C:\\Program Files\\Conference\\Conference.dll:*:Enabled:Audio/Video Conference by KIOSK Team"
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"="C:\\Program Files\\support.com\\bin\\tgcmd.exe:*:Disabled:Support.com Scheduler and Command Dispatcher"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"\\findfast.exe"="\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 4 Jun 2002 84,992 A..HR --- "C:\Program Files\Replay Converter\14_43260.dll"
Tue 4 Jun 2002 44,032 A..HR --- "C:\Program Files\Replay Converter\28_83260.dll"
Mon 9 Dec 2002 73,766 A..HR --- "C:\Program Files\Replay Converter\atrc3260.dll"
Mon 9 Dec 2002 65,575 A..HR --- "C:\Program Files\Replay Converter\cook3260.dll"
Sun 26 Jun 2005 616,448 A.SHR --- "C:\Program Files\Replay Converter\cygwin1.dll"
Wed 22 Jun 2005 45,568 A.SHR --- "C:\Program Files\Replay Converter\cygz.dll"
Tue 4 Jun 2002 20,480 A..HR --- "C:\Program Files\Replay Converter\dnet3260.dll"
Mon 9 Dec 2002 176,165 A..HR --- "C:\Program Files\Replay Converter\drv23260.dll"
Mon 9 Dec 2002 94,208 A..HR --- "C:\Program Files\Replay Converter\drv33260.dll"
Mon 9 Dec 2002 217,127 A..HR --- "C:\Program Files\Replay Converter\drv43260.dll"
Sat 3 Nov 2001 225,280 A..HR --- "C:\Program Files\Replay Converter\ivvideo.dll"
Tue 10 Apr 2001 225,280 A..HR --- "C:\Program Files\Replay Converter\qtmlClient.dll"
Fri 20 Feb 2004 548,940 A..HR --- "C:\Program Files\Replay Converter\raac.dll"
Mon 9 Dec 2002 102,439 A..HR --- "C:\Program Files\Replay Converter\sipr3260.dll"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 5 Jan 2008 4,378,338 A.SH. --- "C:\Program Files\vixy.net\conv.exe"
Thu 14 Jul 2005 27,648 A.SH. --- "C:\WINDOWS\system32\AVSredirect.dll"
Tue 27 May 2008 12,208 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Tue 18 Mar 2008 145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"

Finished!






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43:39, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/September911surprise%20CTV/PirateNews-org/Homepage/index2.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\JOHN LEE\Application Data\Mozilla\Profiles\default\f5sn9q7e.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JOHN LEE\Application Data\Mozilla\Profiles\default\f5sn9q7e.slt\prefs.js)
O2 - BHO: (no name) - {344B7EF2-9819-299E-51CB-018EEAA2D736} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1420582129-1497244195-3520757181-1006\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://www.archive.org
O15 - Trusted Zone: http://tvplanner.comcast.net
O15 - Trusted Zone: http://www.comcast.net
O15 - Trusted Zone: http://www.disabilityforms.com
O15 - Trusted Zone: http://www.fireflyfans.net
O15 - Trusted Zone: http://www.infowars.com
O15 - Trusted Zone: http://www.infowars.net
O15 - Trusted Zone: http://*.infowars.net
O15 - Trusted Zone: http://*.myspace.com
O15 - Trusted Zone: http://ww2.nero.com
O15 - Trusted Zone: http://vhost.oddcast.com
O15 - Trusted Zone: http://flash.picturetail.com
O15 - Trusted Zone: http://www.picturetrail.com
O15 - Trusted Zone: *.picturetrail.com
O15 - Trusted Zone: www.piratenews.org
O15 - Trusted Zone: *.piratenews.org
O15 - Trusted Zone: http://*.piratenews.org
O15 - Trusted Zone: *.piratenews_supremecenter38.com
O15 - Trusted Zone: http://forums.spybot.info
O15 - Trusted Zone: *.supremecenter38.com
O15 - Trusted Zone: http://www.tallemu.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O20 - Winlogon Notify: hgnid - C:\WINDOWS\
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 5213 bytes
 
Hi

Please disable TeaTimer or it will interfere with this process.

After that, fix these:


O2 - BHO: (no name) - {344B7EF2-9819-299E-51CB-018EEAA2D736} - (no file)
O20 - Winlogon Notify: hgnid - C:\WINDOWS\
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\


Reboot.

Please make sure that all programs are closed when installing Java.

  1. Click here to visit Java's website.
  2. Scroll down to Java Runtime Environment (JRE) 6 Update 6. Click on Download.
  3. Select Windows from the drop-down list for Platform.
  4. Select Multi-language from the drop-down list for Language.
  5. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  6. Click on jre-6u6-windows-i586-p.exe link to download it and save this to a convenient location.
  7. Double click on jre-6u6-windows-i586-p.exe to install Java.
  8. After the Java installation has finished, please go to Kaspersky website and perform an online antivirus scan.
  9. Read through the requirements and privacy statement and click on Accept button.
  10. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  11. When the downloads have finished, click on Settings.
  12. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  13. Click on My Computer under Scan.
  14. Once the scan is complete, it will display the results. Click on View Scan Report.
  15. You will see a list of infected items there. Click on Save Report As....
  16. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  17. Please post this log in your next reply along with a fresh HijackThis log.
 
I disabled TeaTimer.

I removed the BHOs with Hijack This.

I downloaded the Java file, but it will not install or run. Nothing happens at all when I double click on the file, nor right click RUN.

This appears to be related to Windows Installer failure, and inability to Repair it.

The only other program this affects is MS Word, which has "Windows Installer Error 1601".
 
Hi

Try this then:

Please make sure that all programs are closed when installing Java.

  1. Click here to visit Java's website.
  2. Scroll down to Java Runtime Environment (JRE) 6 Update 6. Click on Download.
  3. Select Windows from the drop-down list for Platform.
  4. Select Multi-language from the drop-down list for Language.
  5. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  6. Click on jre-6u6-windows-i586-p.exe link to download it and save this to a convenient location.
  7. Double click on jre-6u6-windows-i586-p.exe to install Java.
  8. After the Java installation has finished, please go to Kaspersky website and perform an online antivirus scan.
  9. Read through the requirements and privacy statement and click on Accept button.
  10. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  11. When the downloads have finished, click on Settings.
  12. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  13. Click on My Computer under Scan.
  14. Once the scan is complete, it will display the results. Click on View Scan Report.
  15. You will see a list of infected items there. Click on Save Report As....
  16. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  17. Please post this log in your next reply along with a fresh HijackThis log.
 
I'm still trying to get Java to work. The Java installation seems okay.

Is there some way to test if Java is working?

Maybe a setting on my computer is keeping Java from working?

The old Kaspersky scan page worked fine this month, but that was before I upgraded Java.
 
My Java Control Panel says:

Java Platform Standard Edition 6
Version 6 Update 6
Build 1.6.0_06-b.02

Kaspersky says:

You need to install Java Version 1.5 or later to run Kaspersky Online Scanner 7.0
 
Hi

Then we'll try the non-Java version of Kaspersky:

  1. Please go to Kaspersky website to perform an online scan. Please use Internet Explorer as it uses ActiveX.
  2. Click on Accept.
  3. It will prompt you to download an ActiveX. Allow it.
  4. After that, you will be prompted to install it.

    Note: For Vista users, if UAC is enabled, you will receive a UAC prompt. Click on Continue to install it.

  5. Once installed, it will start downloading the definitions. This will take some time. At the same time, you may also receive another prompt to install another ActiveX. Allow it again and repeat Step 2.
  6. When the definitions have finished downloading, click Next.
  7. Click on Scan Settings.
  8. Under Scan using the following antivirus database:, choose extended - protect your computer from Spyware, adware, dialers and potentially dangerous software such as remote access utilities, prank programs and jokes. We do not recommend this option to beginners or inexperienced users.
  9. Under Scan options:, check (tick) both boxes.
  10. Click Ok.
  11. Under Please select a target to scan:, click on My Computer. It will start scanning. Please be patient.
  12. Click on Save Report As....
  13. Give this report a name and change the Save as type: to Text file (*.txt) before clicking on Save.
  14. Please post this log in your next reply along with a fresh HijackThis log.
 
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 27, 2008 13:16:34
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/06/2008
Kaspersky Anti-Virus database records: 887388
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
H:\

Scan Statistics:
Total number of scanned objects: 239667
Number of viruses found: 8
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 03:15:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\John Lee\Application Data\OnlineArmor\client.dat Object is locked skipped
C:\Documents and Settings\John Lee\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\John Lee\Desktop\Unused Desktop Shortcuts\cool-speech-59mary-sap14.exe/Realtime.dll Infected: Trojan-Spy.Win32.Delf.fk skipped
C:\Documents and Settings\John Lee\Desktop\Unused Desktop Shortcuts\cool-speech-59mary-sap14.exe CreateInstall: infected - 1 skipped
C:\Documents and Settings\John Lee\Desktop\Unused Desktop Shortcuts\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\John Lee\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\John Lee\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\John Lee\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\John Lee\Local Settings\History\History.IE5\MSHist012008062620080627\index.dat Object is locked skipped
C:\Documents and Settings\John Lee\Local Settings\History\History.IE5\MSHist012008062720080628\index.dat Object is locked skipped
C:\Documents and Settings\John Lee\Local Settings\Temp\hsperfdata_John Lee\3984 Object is locked skipped
C:\Documents and Settings\John Lee\Local Settings\Temp\jar_cache18932.tmp Object is locked skipped
C:\Documents and Settings\John Lee\Local Settings\Temporary Internet Files\Content.IE5\89A7C9EF\get_video[1].182&ipbits=16&expire=1214553038&key=yt1&sver=2 Object is locked skipped
C:\Documents and Settings\John Lee\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\John Lee\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\John Lee\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\backups\backup-20061219-025422-705.dll Infected: Trojan-Clicker.Win32.BHO.r skipped
C:\Program Files\Bat\Bat.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\Program Files\Bat\Info.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\Program Files\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\Tall Emu\Online Armor\antispam.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\DNSTask.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\firewall.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\fwdata.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\history.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\IPRanges.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\NoteBook.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\NoteBook.pak Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\oacached.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\programs.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\reference.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\SentList.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\server.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\signs.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\sites.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\unins000.dat Object is locked skipped
C:\SDFix\backups_old3\def.htm Infected: not-virus:Hoax.HTML.Secureinvites.c skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP73\A0019478.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.e skipped
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP86\A0024943.dll Infected: Email-Worm.Win32.Locksky.da skipped
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP89\A0025981.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP96\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\OADriver.sys Object is locked skipped
C:\WINDOWS\system32\drivers\OAmon.sys Object is locked skipped
C:\WINDOWS\system32\drivers\oanet.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\Old Computer Archive Files 3\SECRET SOCIETIES\BOHEMIAN GROVE CULT\BOHEMIAN-GROVE.HTML Infected: Trojan.IRC.KarmaHotel skipped
H:\Old Computer Archive Files 3\SECRET SOCIETIES\SKULLS\SKULL_BONES_MEMBER_LIST.HTML Infected: Trojan.IRC.KarmaHotel skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP91\A0026297.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.e skipped

Scan process completed.






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:26:44, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/September911surprise%20CTV/PirateNews-org/Homepage/index2.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref(".aim.away.autoreply", true);
user_pref(".aim.buddy.SndPlayFirstIncoming", true);
user_pref(".aim.buddy.SndPlayIncoming", true);
user_pref(".aim.buddy.SndPlayOutgoing", true);
user_pref(".aim.buddy.SndPlaySignOff", true);
user_pref(".aim.buddy.SndPlaySignOn", true);
user_pref(".aim.chat.AnnounceChatRoom", true);
user_pref(".aim.chat.FlashChatWin", true);
user_pref(".aim.chat.SndPlayIncoming", true);
user_pref(".aim.chat.SndPlayOutgoing", true);
user_pref(".aim.chat.unavailable", false);
user_pref(".aim.general.im.enterCR", false);
user_pref(".aim.general.im.smilies", true);
user_pref(".aim.general.im.tabKey", false);
user_pref(".aim.general.im.timeStamp", true);
user_pref(".aim.im.playall", false);
user_pref(".aim.mail.presence", true);
user_pref(".aim.proxy.host", "");
user_pref(".aim.proxy.password", "");
user_pref(".aim.proxy.port", 1080);
user_pref(".aim.proxy.protocol", 1);
user_pref(".aim.proxy.use", false);
user_pref(".
O2 - BHO: (no name) - {344B7EF2-9819-299E-51CB-018EEAA2D736} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O15 - Trusted Zone: http://www.archive.org
O15 - Trusted Zone: http://tvplanner.comcast.net
O15 - Trusted Zone: http://www.comcast.net
O15 - Trusted Zone: http://www.disabilityforms.com
O15 - Trusted Zone: http://www.fireflyfans.net
O15 - Trusted Zone: http://www.infowars.com
O15 - Trusted Zone: http://www.infowars.net
O15 - Trusted Zone: http://*.infowars.net
O15 - Trusted Zone: http://*.myspace.com
O15 - Trusted Zone: http://ww2.nero.com
O15 - Trusted Zone: http://vhost.oddcast.com
O15 - Trusted Zone: http://flash.picturetail.com
O15 - Trusted Zone: http://www.picturetrail.com
O15 - Trusted Zone: *.picturetrail.com
O15 - Trusted Zone: www.piratenews.org
O15 - Trusted Zone: *.piratenews.org
O15 - Trusted Zone: http://*.piratenews.org
O15 - Trusted Zone: *.piratenews_supremecenter38.com
O15 - Trusted Zone: http://forums.spybot.info
O15 - Trusted Zone: *.supremecenter38.com
O15 - Trusted Zone: http://www.tallemu.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O20 - Winlogon Notify: hgnid - C:\WINDOWS\
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 6934 bytes
 
Hi

Delete these:

C:\Documents and Settings\John Lee\Desktop\Unused Desktop Shortcuts\cool-speech-59mary-sap14.exe
C:\Program Files\Bat\
C:\SDFix\backups_old3
H:\Old Computer Archive Files 3\SECRET SOCIETIES\BOHEMIAN GROVE CULT\BOHEMIAN-GROVE.HTML
H:\Old Computer Archive Files 3\SECRET SOCIETIES\SKULLS\SKULL_BONES_MEMBER_LIST.HTML

Empty Recycle Bin.

Logs look good.

All other viruses are in system restore and inactive.

I will give you instructions later on how to empty it.

Other than that, any problems left?
 
MS Explorer will still not run in Kaspersky, with message: "You need to install Java version 1.5 or later."

With MS Explorer the Java.com test page message: "You have the recommended Java installed (Version 6 Update 6)."
http://java.com/en/download/installed.jsp?detect=jre&try=1

Opera is now installed and runs fine in Kaspersky Java page.

With Opera the Java.com test page message: "You have the recommended Java installed (Version 6 Update 6)."
http://java.com/en/download/installed.jsp?detect=jre&try=1

In MS Explorer I'm having severe problems with my website filemanager uploads, with CPU at 100% for 10 minutes just to upload 2 small files. Problem began about 2 months ago, after the virus attack, but my webhost also changed their format on that upload page. Opera will not upload files at all. Is this a Java problem?

Opera is having problems with basic Flash and/or JavaScript on my homepage, which has never happened in MS Explorer. Flash runs slow, and text looks like an earthquake.

I manually deleted older versions of Java directories, but the only change it made is that Java.com now recognizes Java 6.6 in MS Explorer.
 
MS Windows Installer Cleanup Tool says I have:

Java DB 10.3.1.4.
Java 2 Runtime Environment SE v1.4.2
Java 6 Update 6 (1.6.0.60)
Java SE Development Kit 6 Update (1.6.0.60)
J2SE Runtime Environment 5.0 Update 3 (1.5.0.30)
J2SE Runtime Environment 5.0 Update 7 (1.5.0.70)

Do I need to manually remove any of these using Installer Cleanup Tool?
 
Hi

Remove only these:

Java 2 Runtime Environment SE v1.4.2
J2SE Runtime Environment 5.0 Update 3 (1.5.0.30)
J2SE Runtime Environment 5.0 Update 7 (1.5.0.70)

And let me know if that helped.
 