PC infected

msobczak · Oct 24, 2010

Trust me, this will be the last time I do anything with torrents!

DDS (Ver_10-10-21.02) - NTFSx86
Run by msobczak at 11:01:21.65 on Sun 10/24/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2697 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Lotus\Domino\nsd.exe
C:\Notes\nsd.exe
C:\WINDOWS\system32\lxdwcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Documents and Settings\msobczak\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark 7600 Series\lxdwMsdMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\msobczak\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Tgbh_PreA1T] c:\program files\adware pro\Adware_Pro.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe
mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE
mRun: [lxdwmon.exe] "c:\program files\lexmark 7600 series\lxdwmon.exe"
mRun: [lxdwamon] "c:\program files\lexmark 7600 series\lxdwamon.exe"
mRun: [Lexmark 7600 Series Fax Server] "c:\program files\lexmark 7600 series\fm3032.exe" /s
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\msobczak\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\msobczak\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\msobczak\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: sterlingbank.com\mail
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://files.member.yahoo.com/dl/installs/sbc/yinst.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://mail.sterlingbank.com/iNotes6W.cab
DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://secure2.andersonsinc.com/,DanaInfo=andmail1.andent.andersonsinc.com,ST=1+/dwa85W.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxp://quickplace.ebiztech.com/dwa7W.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure2.andersonsinc.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secure2.andersonsinc.com/dana-cached/sc/JuniperSetupClient.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMgfDsr
LSA: Notification Packages = scecli c:\windows\system32\diremise.dll yoyaheku.dll
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: MSASCui.exe - c:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
IFEO: msseces.exe - c:\windows\system32\svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\msobczak\applic~1\mozilla\firefox\profiles\5wwmed26.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [2008-11-2 66736]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2008-11-2 13696]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [2008-11-29 8192]
R2 Lotus Domino Diagnostics (CLotusDomino);Lotus Domino Diagnostics (CLotusDomino);c:\lotus\domino\nsd.exe [2008-11-4 3309568]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\notes\nsd.exe -svcinvoke -ini "c:\notes\notes.ini" --> c:\notes\nsd.exe -svcinvoke -ini c:\notes\notes.ini [?]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-12 135664]
S2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [2009-10-11 98984]
S3 IBM RPT adapter for RQM;IBM RPT adapter for RQM;c:\ibm\sdp\rpt-rst_rqmadapter\bin\RPT-RST_RQMAdapterService.exe [2010-8-29 20480]
S3 Lotus Domino Server (LotusDominodata);Lotus Domino Server (LotusDominodata);c:\lotus\domino\nservice.exe [2008-11-4 99720]
S3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys --> c:\windows\system32\drivers\pppop.sys [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S3 Zope_-372241316;Zope instance at c:\program files\plone\parts\instance;c:\program files\plone\python\pythonservice.exe [2010-9-7 8704]

=============== Created Last 30 ================

2010-10-24 02:40:30 -------- d-----w- c:\windows\Internet Logs
2010-10-24 02:35:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-10-24 01:56:53 -------- d-----w- c:\docume~1\msobczak\applic~1\AVP 2009
2010-10-21 12:22:58 -------- d-----w- C:\cports
2010-10-21 12:09:50 3887480 ----a-w- C:\procexp.exe
2010-10-13 00:28:38 -------- d-----w- c:\docume~1\msobczak\locals~1\applic~1\Google
2010-10-13 00:27:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX

==================== Find3M ====================

2010-08-10 09:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 09:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-06 17:05:54 72080 ----a-w- c:\documents and settings\msobczak\g2mdlhlpx.exe
2010-08-04 23:36:13 48640 ----a-w- c:\windows\system32\libfdnvin.dll

============= FINISH: 11:03:03.64 ===============

Satchfan · Oct 27, 2010

PC Infected

Hello msobczak and welcome to Safer Networking Forums.

My name is Satchfan and I would be glad to help you with your computer problem. Please read the following guidelines which will help to make cleaning your machine easier:

• Please do not install/uninstall any programs unless asked to.
• Please do not run any scans other than those requested
• Please follow all instructions in the order posted
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• If you don't understand something, please don't hesitate to ask for clarification before proceeding
• The fixes are specific to your problem and should only be used for this issue on this machine.
• Please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

Please note that I am still in training and my replies need to be checked by an expert in order for you to receive the best possible advice. This may result in a small delay between my posts but I shall try to keep this to a minimum.

I am looking through your log now and will reply as soon as possible.

Satchfan

msobczak · Oct 27, 2010

Current status

Hi Satchfan,

In the interim, I've been trying to run an Avast boot scan. It kept stalling at the Rational Application Developer software I had installed, so I uninstalled that.

Avast did find a corrupt file, but I still have the underlying issue.

Let me know if you need me to run the DDS again, and I'll do that later tonight.

Thanks,

- Mike.

Satchfan · Oct 30, 2010

PC Infected

Hello again msobczak

I see no sign of a current antivirus program. This is something that is crucial in protecting your computer. We’ll address this later when your computer is clean otherwise it might clear up something that we need to be aware of.

Meanwhile, please limit your internet activity to downloading tools and replying to this topic. Also, please do not run any other programs unless requested.

Re AVP 2009

Do you know what AVP 2009 is as it appears to have been downloaded very recently?.

OTL Custom Scan

Download OTL to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Click on Minimal Output at the top
Download the following file scan.txt to your Desktop. Click here to download it. You may need to right click on it and select "Save"
Double click inside the Custom Scan box at the bottom
A window will appear saying "Click OK to load a custom scan from a file or Cancel to cancel"
Click the OK button and navigate to the file scan.txt which we just saved to your desktop
Select scan.txt and click Open. Writing will now appear under the Custom Scan box
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.

Download the GMER Rootkit Scanner

Download GMER Rootkit Scanner from here or here.

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- IAT/EAT
- All drives/partitions except C:\)
- Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Logs to include with next post:

OTL.txt
Extras.txt
Gmer.txt

Also please remember to tell me about AVP 2009.

Thanks

Satchfan

msobczak · Oct 31, 2010

Follow-up scans

I've attached OTL.Txt and Gmer.txt.

OTL did not produce Extras.txt with the Quick Scan. Should I run a full scan?

I'm not sure what AVP 2009 is. I don't remember explicitly downloading it myself.

I have Avast 5 running on my PC now. At one point, Adware Pro told me to uninstall Avast and ZoneAlarm. I've since readded both.

Satchfan · Nov 1, 2010

PC Infected

Hello msobczak

Please do not attach logs unless requested to do so: just copy and paste them into your reply.

You have downloaded programs which I asked you not to do. I realise that you are anxious to get your computer clean but running random programs in an attempt to quicken the process can sometimes make it worse. We run programs in a certain order for specific reasons so please don’t run or download any more programs until your computer is clean.

I'm afraid one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files

I would suggest that you disconnect this PC from the Internet when you are not using it to download programs we request. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

I can help you in the cleaning if you don't want to reformat but I can't promise that we'll get you 100% clean.

Please let us know what you have decided to do in your next post.

Meanwhile, download ComboFix from the following location:

Link

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.

When finished, it will produce a log. Please include the ComboFix.txt in your next reply. It can be found at C:\ComboFix.txt

Thanks

Satchfan

msobczak · Nov 3, 2010

Could not paste OTL.txt - forum restriction

When I tried to paste OTL.txt into the body of a Reply, I got this error:

The text that you have entered is too long (80201 characters). Please shorten it to 64000 characters long.

msobczak · Nov 3, 2010

Results

I needed to rename ComboFix.exe to something else in order for it to run.

Then, it kept warning me that Avast scanners were running, even though I shut down the services and the real-time scanners.

I ran ComboFix.exe, and it mentioned that it found "Rootkit - TDL3".

When the computer restarted after the deep scans, ComboFix looked like it was trying to create the report. Then I saw a quick blue screen and the computer restarted itself again.

I don't see a ComboFix.txt file under c:\

What should I do now?

Satchfan · Nov 4, 2010

PC Infected

msobczak

You can post the OTL log using more than one post. Post the OTL log and then try running ComboFix again but first, try disabling Avast this way:

• right-click on the avast! icon in system tray
• select avast! shields control

There will be options to disable avast for 10 minutes, 1 hour, until the computer is restarted or permanently.

Choose 1 hour.

When you’ve done this, try running ComboFix again .

Ideally, we'd like to run ComboFix in normal mode, but if it still won't run in normal mode please do the following:

Boot your computer in Safe Mode

• Turn the computer on or Restart the computer
• Start tapping the F8 key.
• The Windows Advanced Options Menu appears (If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again)
• Use the arrow keys to select the Safe Mode menu option.
• Press Enter.
• The computer then begins to start in Safe mode.
• Log into your usual account

Try running ComboFix again. After running it, reboot into normal mode and post the log in your next reply using more than one post if necessary.

Satchfan

Satchfan · Nov 7, 2010

PC Infection

Hello msobczak

It has been several days since I sent my last post with instructions to help with your computer problem..

Please let me know if you are having problems and still require help.

Thanks

Satchfan

msobczak · Nov 7, 2010

ComboFix.txt

The first time I ran ComboFix, it stalled out on the 3rd scan. I killed the task, restarted, and ran it again. That time, it worked OK.

ComboFix 10-11-02.06 - msobczak 11/07/2010 9:35.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2751 [GMT -5:00]
Running from: c:\documents and settings\msobczak\Desktop\blah.exe
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-10-07 to 2010-11-07 )))))))))))))))))))))))))))))))
.

2010-10-31 17:13 . 2010-10-31 17:13 -------- d-----w- c:\program files\DVDFab 8
2010-10-24 17:17 . 2010-10-24 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-10-24 16:27 . 2010-10-24 16:27 -------- d-----w- c:\documents and settings\msobczak\Application Data\CheckPoint
2010-10-24 16:27 . 2010-11-07 14:01 -------- d-----w- c:\documents and settings\msobczak\Local Settings\Application Data\ZoneAlarm_Security
2010-10-24 16:27 . 2010-10-24 16:27 -------- d-----w- c:\program files\Conduit
2010-10-24 16:27 . 2010-10-24 16:27 -------- d-----w- c:\program files\ZoneAlarm_Security
2010-10-24 16:26 . 2010-10-24 16:26 -------- d-----w- c:\program files\CheckPoint
2010-10-24 16:26 . 2010-09-02 13:20 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-10-24 16:26 . 2010-09-02 13:20 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-10-24 16:26 . 2010-09-02 13:20 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-10-24 16:26 . 2010-10-24 16:27 -------- d-----w- c:\windows\system32\ZoneLabs
2010-10-24 16:26 . 2010-10-24 16:26 -------- d-----w- c:\program files\Zone Labs
2010-10-24 15:18 . 2004-01-09 08:13 380928 ----a-w- c:\windows\system32\actskin4.ocx
2010-10-24 14:58 . 2010-10-24 14:59 -------- d-----w- c:\program files\ERUNT
2010-10-24 02:40 . 2010-11-07 14:37 -------- d-----w- c:\windows\Internet Logs
2010-10-24 02:37 . 2010-10-24 02:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-10-24 02:35 . 2010-10-24 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-24 01:56 . 2010-10-24 02:33 -------- d-----w- c:\documents and settings\msobczak\Application Data\AVP 2009
2010-10-21 12:22 . 2010-10-21 12:43 -------- d-----w- C:\cports
2010-10-21 12:09 . 2010-06-07 20:16 3887480 ----a-w- C:\procexp.exe
2010-10-13 12:31 . 2010-10-13 12:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-10-13 00:31 . 2010-10-13 00:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-10-13 00:28 . 2010-10-13 00:36 -------- d-----w- c:\documents and settings\msobczak\Local Settings\Application Data\Google
2010-10-13 00:28 . 2010-10-13 00:33 -------- d-----w- c:\program files\Google
2010-10-13 00:27 . 2010-10-13 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-07 14:28 . 2009-03-06 02:24 4526 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-08-10 09:15 . 2010-08-10 09:15 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 09:15 . 2010-08-10 09:15 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2010-06-13 23:10 2734688 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-03 13508608]
"nwiz"="nwiz.exe" [2008-01-03 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-03 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]
"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 35328]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]
"Lexmark 7600 Series Fax Server"="c:\program files\Lexmark 7600 Series\fm3032.exe" [2008-09-10 311976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-09-02 738808]

c:\documents and settings\msobczak\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\msobczak\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-12-2 156160]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\Documents and Settings\\msobczak\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\SeaMonkey\\seamonkey.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.2.20100729-1241\\win32\\x86\\notes2.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [11/2/2008 10:34 AM 66736]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [11/2/2008 10:10 AM 13696]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [11/29/2008 4:34 PM 8192]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [9/2/2010 7:26 AM 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [9/2/2010 7:26 AM 493048]
R2 Lotus Domino Diagnostics (CLotusDomino);Lotus Domino Diagnostics (CLotusDomino);c:\lotus\Domino\nsd.exe [11/4/2008 7:44 PM 3309568]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\notes\nsd.exe -svcinvoke -ini "c:\notes\notes.ini" --> c:\notes\nsd.exe -svcinvoke -ini c:\notes\notes.ini [?]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/12/2010 7:29 PM 135664]
S2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [10/11/2009 9:21 AM 98984]
S3 Lotus Domino Server (LotusDominodata);Lotus Domino Server (LotusDominodata);c:\lotus\Domino\nservice.exe [11/4/2008 7:46 PM 99720]
S3 pppop;PPPoP WAN Adapter;c:\windows\system32\DRIVERS\pppop.sys --> c:\windows\system32\DRIVERS\pppop.sys [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [4/23/2007 4:11 PM 224896]
S3 Zope_-372241316;Zope instance at c:\program files\Plone\parts\instance;c:\program files\Plone\python\pythonservice.exe [9/7/2010 8:09 AM 8704]
.
Contents of the 'Scheduled Tasks' folder

2010-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 00:28]

2010-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 00:28]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
Trusted Zone: sterlingbank.com\mail
DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://secure2.andersonsinc.com/,DanaInfo=andmail1.andent.andersonsinc.com,ST=1+/dwa85W.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secure2.andersonsinc.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\msobczak\Application Data\Mozilla\Firefox\Profiles\5wwmed26.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(752)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(2568)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\system32\nview.dll
c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\progra~1\Logitech\MOUSEW~1\SYSTEM\LgMousHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-07 09:44:21
ComboFix-quarantined-files.txt 2010-11-07 14:44

Pre-Run: 59,262,017,536 bytes free
Post-Run: 59,213,303,808 bytes free

- - End Of File - - 4385C00C47F61D387AD951705172D2DD

Satchfan · Nov 8, 2010

PC Infected

Hi msobczak

Open ComboFix

Please do the following:

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so that they do not interfere with the running of ComboFix.
• Open notepad and copy/paste the text in the codebox below into it:

Code:

DirLook:: c:\documents and settings\msobczak\Application Data\AVP 2009 Registry:: [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=- Reglock:: [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it produces a log at C:\ComboFix.txt. Post the contents of Combofix.txt in your next reply.

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.

Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

Please click on to Start, Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

When it opens, post the contents of that logfile also.

Logs to include with your reply:

ComboFix.txt
Kasperskt scan log
ComboFix-quarantined-files.txt

Use more than one post if necessary.

Satchfan

msobczak · Nov 10, 2010

ComboFix.txt

ComboFix 10-11-09.01 - msobczak 11/09/2010 13:36:48.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2773 [GMT -5:00]
Running from: c:\documents and settings\msobczak\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\msobczak\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-10-09 to 2010-11-09 )))))))))))))))))))))))))))))))
.

2010-11-09 10:45 . 2010-11-09 10:45 -------- d-----w- c:\documents and settings\msobczak\Application Data\smkits
2010-11-07 14:34 . 2010-11-07 14:44 -------- d-----w- C:\blah
2010-10-31 17:13 . 2010-10-31 17:13 -------- d-----w- c:\program files\DVDFab 8
2010-10-24 17:17 . 2010-10-24 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-10-24 16:27 . 2010-10-24 16:27 -------- d-----w- c:\documents and settings\msobczak\Application Data\CheckPoint
2010-10-24 16:27 . 2010-11-07 14:01 -------- d-----w- c:\documents and settings\msobczak\Local Settings\Application Data\ZoneAlarm_Security
2010-10-24 16:27 . 2010-10-24 16:27 -------- d-----w- c:\program files\Conduit
2010-10-24 16:27 . 2010-10-24 16:27 -------- d-----w- c:\program files\ZoneAlarm_Security
2010-10-24 16:26 . 2010-10-24 16:26 -------- d-----w- c:\program files\CheckPoint
2010-10-24 16:26 . 2010-09-02 13:20 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-10-24 16:26 . 2010-09-02 13:20 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-10-24 16:26 . 2010-09-02 13:20 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-10-24 16:26 . 2010-10-24 16:27 -------- d-----w- c:\windows\system32\ZoneLabs
2010-10-24 16:26 . 2010-10-24 16:26 -------- d-----w- c:\program files\Zone Labs
2010-10-24 15:18 . 2004-01-09 08:13 380928 ----a-w- c:\windows\system32\actskin4.ocx
2010-10-24 14:58 . 2010-10-24 14:59 -------- d-----w- c:\program files\ERUNT
2010-10-24 02:40 . 2010-11-09 18:36 -------- d-----w- c:\windows\Internet Logs
2010-10-24 02:37 . 2010-10-24 02:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-10-24 02:35 . 2010-10-24 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-24 01:56 . 2010-10-24 02:33 -------- d-----w- c:\documents and settings\msobczak\Application Data\AVP 2009
2010-10-21 12:22 . 2010-10-21 12:43 -------- d-----w- C:\cports
2010-10-21 12:09 . 2010-06-07 20:16 3887480 ----a-w- C:\procexp.exe
2010-10-13 12:31 . 2010-10-13 12:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-10-13 00:31 . 2010-10-13 00:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-10-13 00:28 . 2010-10-13 00:36 -------- d-----w- c:\documents and settings\msobczak\Local Settings\Application Data\Google
2010-10-13 00:28 . 2010-10-13 00:33 -------- d-----w- c:\program files\Google
2010-10-13 00:27 . 2010-10-13 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-09 18:34 . 2009-03-06 02:24 4526 ----a-w- c:\windows\system32\PerfStringBackup.TMP
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\msobczak\Application Data\AVP 2009 ----

2010-10-24 02:33 . 2010-10-24 02:47 0 ----a-w- c:\documents and settings\msobczak\Application Data\AVP 2009\1.dat

((((((((((((((((((((((((((((( SnapShot@2010-11-07_14.43.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-09 18:30 . 2010-11-09 18:30 16384 c:\windows\Temp\Perflib_Perfdata_690.dat
+ 2010-11-09 18:31 . 2010-11-09 18:31 204800 c:\windows\ERDNT\AutoBackup\11-9-2010\Users\00000002\UsrClass.dat
+ 2010-11-09 18:31 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\11-9-2010\ERDNT.EXE
+ 2010-11-08 23:08 . 2010-11-08 23:08 204800 c:\windows\ERDNT\AutoBackup\11-8-2010\Users\00000002\UsrClass.dat
+ 2010-11-08 23:08 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\11-8-2010\ERDNT.EXE
+ 2010-11-09 18:31 . 2010-11-09 18:31 9715712 c:\windows\ERDNT\AutoBackup\11-9-2010\Users\00000001\NTUSER.DAT
+ 2010-11-08 23:08 . 2010-11-08 23:08 9707520 c:\windows\ERDNT\AutoBackup\11-8-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2010-06-13 23:10 2734688 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-03 13508608]
"nwiz"="nwiz.exe" [2008-01-03 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-03 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]
"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 35328]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]
"Lexmark 7600 Series Fax Server"="c:\program files\Lexmark 7600 Series\fm3032.exe" [2008-09-10 311976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-09-02 738808]

c:\documents and settings\msobczak\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\msobczak\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-12-2 156160]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\Documents and Settings\\msobczak\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\SeaMonkey\\seamonkey.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.2.20100729-1241\\win32\\x86\\notes2.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [11/2/2008 10:34 AM 66736]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [11/2/2008 10:10 AM 13696]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [11/29/2008 4:34 PM 8192]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [9/2/2010 7:26 AM 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [9/2/2010 7:26 AM 493048]
R2 Lotus Domino Diagnostics (CLotusDomino);Lotus Domino Diagnostics (CLotusDomino);c:\lotus\Domino\nsd.exe [11/4/2008 7:44 PM 3309568]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\notes\nsd.exe -svcinvoke -ini "c:\notes\notes.ini" --> c:\notes\nsd.exe -svcinvoke -ini c:\notes\notes.ini [?]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/12/2010 7:29 PM 135664]
S2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [10/11/2009 9:21 AM 98984]
S3 Lotus Domino Server (LotusDominodata);Lotus Domino Server (LotusDominodata);c:\lotus\Domino\nservice.exe [11/4/2008 7:46 PM 99720]
S3 pppop;PPPoP WAN Adapter;c:\windows\system32\DRIVERS\pppop.sys --> c:\windows\system32\DRIVERS\pppop.sys [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [4/23/2007 4:11 PM 224896]
S3 Zope_-372241316;Zope instance at c:\program files\Plone\parts\instance;c:\program files\Plone\python\pythonservice.exe [9/7/2010 8:09 AM 8704]
.
Contents of the 'Scheduled Tasks' folder

2010-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 00:28]

2010-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 00:28]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
Trusted Zone: sterlingbank.com\mail
DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://secure2.andersonsinc.com/,DanaInfo=andmail1.andent.andersonsinc.com,ST=1+/dwa85W.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secure2.andersonsinc.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\msobczak\Application Data\Mozilla\Firefox\Profiles\5wwmed26.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(752)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(1064)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\system32\nview.dll
c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\progra~1\Logitech\MOUSEW~1\SYSTEM\LgMousHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-09 13:45:46
ComboFix-quarantined-files.txt 2010-11-09 18:45
ComboFix2.txt 2010-11-07 14:44

Pre-Run: 59,152,023,552 bytes free
Post-Run: 59,133,296,640 bytes free

- - End Of File - - C2937C2471614D5CFF87E20796DA9B93

msobczak · Nov 10, 2010

Kaspersky download is in progress

I will run the scan first thing in the morning.

msobczak · Nov 11, 2010

Kaspersky results

I started the scan this morning. When I returned home in the evening, my computer had rebooted itself. When Windows finished loading, it said it had recovered from an error.

I tried running Kaspersky again, but it said my license is expired. Is that a one-time only scan?

Satchfan · Nov 11, 2010

PC Infected

msobczak

It won’t let you run another scan until you have deleted the old ActiveX download component. The easiest way to solve this is to close your browser and uninstall the program via Start, Control Panel, Add/Remove programs.When you have removed/uninstalled it, download and run it again.

When you reply with the scan result, please also include the quarantined-files.txt log as previously requested and let me know how your computer is running.

msobczak · Nov 12, 2010

Nothing to uninstall

I ran the program with Firefox, so there's no ActiveX control to uninstall. There's also nothing Kaspersky-related in Control Panel to uninstall.

Satchfan · Nov 12, 2010

PC Infected

Msobczak

I don’t know why you are having a problem with Kaspersky, but we’ll try a different scan.

Run ESET Online Scan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

1. Click the Eset online Scanner button.
2. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on esetinstaller.exe to download the ESET Smart Installer. Save it to your desktop.
• Double click on the Eset installer icon on your desktop.
3. Check Yes, I accept the Terms of Use
4. Click the Start button.
5. Accept any security warnings from your browser.
6. Check Scan archives
7. Push the Start button.
8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
9. When the scan completes, push List of found threats
10. Push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Note - when ESET doesn't find any threats, no report will be created.
11. Push the back button.
12. Push Finish

If a log has been produced post it in your next reply.

Please also include quarantined-files.txt and let me know how your computer is running.

Thanks

Satchfan

msobczak · Nov 13, 2010

ESET Scan Results

C:\Documents and Settings\msobczak\Application Data\Sun\Java\Deployment\cache\6.0\51\578cd3b3-216e18ae a variant of Java/TrojanDownloader.OpenStream.NAU trojan
C:\Program Files\Logitech\Desktop Messenger\8876480\6.1.0.155-8876480L\Program\Restart.exe probably a variant of Win32/Agent.BRGLHTJ trojan
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090303-201218-209.dll Win32/Adware.Virtumonde.NEK application
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090303-201218-571.dll Win32/Adware.Virtumonde.NEK application
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP533\A0066615.dll a variant of Win32/Olmarik.AFZ trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP533\A0066616.dll a variant of Win32/Olmarik.AFZ trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP535\A0067156.dll a variant of Win32/Adware.AntiMalwarePro.AA application
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080262.sys Win32/Olmarik.AGD trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080335.sys Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080397.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080398.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080399.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080400.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080401.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080402.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080403.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080404.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080406.dll a variant of Win32/Kryptik.DQT trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080407.dll a variant of Win32/Kryptik.DQT trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080408.dll a variant of Win32/Kryptik.DQT trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080409.dll a variant of Win32/Kryptik.DQT trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080410.dll a variant of Win32/Adware.SuperJuan.U application
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080412.dll a variant of Win32/Kryptik.DNI trojan

msobczak · Nov 13, 2010

ComboFix Quarantine files

2010-11-09 18:17:41 . 2010-11-09 18:17:41 0 ----a-w- C:\Qoobox\Quarantine\Replicators\Replicator_3.txt
2010-11-09 18:05:11 . 2010-11-09 18:36:45 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2010-11-07 14:43:52 . 2010-11-07 14:43:52 1,174 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{7B63B2922B174135AFC0E1377DD81EC2}.reg.dat
2010-11-03 22:35:00 . 2010-11-09 18:43:35 8,439 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-11-03 22:10:51 . 2010-11-09 18:35:44 408 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-08-06 17:05:53 . 2010-08-06 17:05:54 72,080 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\msobczak\g2mdlhlpx.exe.vir
2009-07-31 21:03:10 . 2010-09-29 19:55:32 1 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\etc\lmhosts.vir
2008-12-16 23:46:12 . 2010-02-06 14:15:29 87,608 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\msobczak\Application Data\inst.exe.vir
2008-12-14 17:19:26 . 2008-12-14 17:19:29 8 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\wiaserviv.log.vir

PC infected

New member

Security Expert

New member

Security Expert

New member

Security Expert

New member

New member

Security Expert

Security Expert

New member

Security Expert

New member

New member

New member

Security Expert

New member

Security Expert

New member

New member