starting from beginning. MDELK, Bagle and more

mhamilton

New member
Hi
Running WinXP SP3. SP3 installed before virus took hold.

A malware loader is running (it seems to be launched somehow when I start iexplorer).

Running CounterSpy, which is keeping Bagle.hk.12 and mdelk.exe blocked.

Cannot enter Safe Mode (machine reboots when I try)
Cannot run Spybot.

When running a GMER scan the machine hits some point and crashes
(I think it is \8th\modem).

Have run Prevx, Malwarebytes, and CounterSpy scans. They find and delete things like srosa.sys, hldrrr.exe, mdelk.exe and lots of numbered .exe files.
Along the way I have also removed flec006.exe and winterms.exe - but these don't seem to be coming back as long as CounterSpy is running.

But something is still resident and keeps trying to launch Bagle.hk.12 (hldrrr.exe) and mdelk.exe.

What should I do to restore ability to get to Safe Mode?

Thanks in advance

Mike


HijackThis Log
----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:19 PM, on 8/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\D-Link Media Server\MediaGUI.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKLM\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SBRegRebootCleaner] C:\Program Files\Sunbelt Software\CounterSpy\SBRC.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: D-Link Media Server.lnk = C:\Program Files\D-Link Media Server\MediaGUI.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1217908534546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217908520187
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.30.180.135/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: wcnotify - C:\WINDOWS\SYSTEM32\wcnotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11466 bytes

----------------------------------

HijackThis StartupList log
----------------------------------------

StartupList report, 8/16/2008, 3:57:40 PM
StartupList version: 1.52.2
Started from : C:\Temp\HiJackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\D-Link Media Server\MediaGUI.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\HiJackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Mike\Start Menu\Programs\Startup]
Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
D-Link Media Server.lnk = C:\Program Files\D-Link Media Server\MediaGUI.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Acrobat Speed Launcher.lnk = ?
HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
Acrobat Assistant 7.0 = "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
LVCOMSX = C:\WINDOWS\system32\LVCOMSX.EXE
LogitechVideoRepair = C:\Program Files\Logitech\Video\ISStart.exe
LogitechVideoTray = C:\Program Files\Logitech\Video\LogiTray.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
Ulead Quick-Drop = C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
USIUDF_Eject_Monitor = C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
updateMgr = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
RegClean = "C:\Program Files\RegClean\RegClean.exe" -boot
QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
AppleSyncNotifier = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
(Default) =
SBCSTray = C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
SBRegRebootCleaner = C:\Program Files\Sunbelt Software\CounterSpy\SBRC.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\scrnsave.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll - {22BF413B-C6D2-4d91-82A9-A0F997BA588C}
(no name) - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
RegClean Scheduled Scan.job
RegCure Program Check.job
RegCure.job
User_Feed_Synchronization-{C34135C4-C5CE-440A-B981-1BFF8E5F71A9}.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Trend Micro ActiveX Scan Agent 6.6]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1217908534546

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217908520187

[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

[CamImage Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx
CODEBASE = http://12.30.180.135/activex/AxisCamControl.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

[JuniperSetupSP1 Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\JUNIPE~1.OCX
CODEBASE = https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll
NameSpace #5: C:\WINDOWS\system32\wshbth.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\system32\wintems.exe||C:\WINDOWS\system32\drivers\mdelk.exe||C:\DOCUME~1\Mike\LOCALS~1\Temp\_iu14D2N.tmp||C:\Program Files\Spybot - Search & Destroy\SDHelper.dll


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 10,114 bytes
Report generated in 0.078 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
followup - bagle remover

I ran beagled.exe

I guess it found nothing. The log file is empty except timestamp.

Still, each time I execute iexplorer I get a long pause (before it will load the Google toolbar) and then CounterSpy says TrojanDownloader.Bagle.hk.12 (hldrrr.exe) is trying to execute.

After 2 warning messages the Google toolbar will load and I get near-normal operation for a while. Periodically the CounterSpy message will pop up.

It takes forever to start any download from the web - as if it is being stalled.
 
followup - spybot report (part 1) finally

I was able to install and run Spybot by turning off the TeaTimer install option.

Here is the log before running "Fix problems".
I did not try to fix the RegClean issues. I have been using RegClean without problems.

---------------

--- Search result list ---
Hint of the Day: Click the bar at the right of this to see more information! ()


RegClean: [SBI $4BF3377D] Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean_is1

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_04_18_22_17_55.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_04_18_22_17_57.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_04_26_17_32_54.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_05_15_11_12_04.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_05_17_08_58_38.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_05_18_17_53_52.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_06_16_01_14_22.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_06_21_08_08_01.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_07_05_19_04_40.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_08_05_15_38_43.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_08_17_10_20_32.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_08_19_14_01_22.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_09_10_22_26_14.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_09_20_08_43_04.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_09_24_12_05_01.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_09_25_20_27_03.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_10_01_09_11_19.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_10_07_05_29_46.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_10_31_08_15_50.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_11_18_08_21_50.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_11_26_19_01_57.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_12_18_20_08_30.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_12_18_20_28_58.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_12_21_21_37_44.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2007_12_28_18_25_10.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_01_06_10_57_56.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_01_11_14_01_32.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_01_21_10_02_55.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_01_27_10_01_13.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_02_05_21_43_03.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_02_09_08_41_09.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_02_20_10_00_08.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_02_20_21_58_25.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_02_21_03_30_00.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_03_05_15_10_07.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_03_12_22_04_08.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_03_23_08_04_41.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_03_28_07_56_14.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_03_29_17_44_02.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_03_31_20_24_44.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_04_19_07_56_18.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_04_20_15_03_37.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_04_20_16_59_58.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_04_21_08_02_32.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_04_21_08_32_13.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_04_22_07_50_27.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_04_30_11_54_07.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_05_10_09_04_04.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_05_13_07_27_07.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_05_15_19_25_56.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_05_22_19_05_15.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_06_11_09_18_36.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_06_13_11_24_50.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_06_21_16_16_52.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_06_22_12_56_20.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_06_30_18_31_06.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_07_07_19_22_17.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_07_07_19_49_39.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_07_20_19_31_34.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_07_23_10_00_18.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_07_23_10_05_20.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_04_22_14_03.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_04_22_59_23.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_09_10_55_02.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_09_20_08_51.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_15_08_14_00.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_15_17_27_55.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_15_18_51_15.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_15_21_53_35.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_08_17_14.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_09_00_57.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_12_11_44.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_12_16_26.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_13_22_27.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_13_39_06.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_14_18_15.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_17_00_34.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_17_52_48.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_18_08_43.log

RegClean: [SBI $F74F39E0] Log file (File, nothing done)
C:\Documents and Settings\Mike\Application Data\RegClean\Log\log_2008_08_16_18_35_24.log

RegClean: [SBI $89B7497E] Executable (File, nothing done)
C:\Program Files\RegClean\Launcher.exe

RegClean: [SBI $CB9ED0F9] Web page (File, nothing done)
C:\Program Files\RegClean\RegClean.url

RegClean: [SBI $25F894B1] Data (File, nothing done)
C:\WINDOWS\Tasks\RegClean Scheduled Scan.job

RegClean: [SBI $8F06398F] Data (File, nothing done)
C:\Program Files\RegClean\license.txt

Microsoft.Windows.ActiveDesktop: [SBI $377029D9] User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper

Microsoft.Windows.ActiveDesktop: [SBI $377029D9] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-789336058-1177238915-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper

Microsoft.Windows.ActiveDesktop: [SBI $377029D9] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper

Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-789336058-1177238915-682003330-1003\Software\FirstRRRun

MediaPlex: Tracking cookie (Internet Explorer: Mike) (Cookie, nothing done)


MediaPlex: Tracking cookie (Internet Explorer: Mike) (Cookie, nothing done)


BurstMedia: Tracking cookie (Internet Explorer: Mike) (Cookie, nothing done)


AdRevolver: Tracking cookie (Internet Explorer: Mike) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 TeaTimer.exe (1.6.0.20)
2007-01-26 unins000.exe (51.41.0.0)
2008-08-16 unins001.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-07-07 SDHelper.dll (1.6.0.12)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2008-08-05 Includes\Adware.sbi (*)
2008-08-12 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-08-05 Includes\DialerC.sbi (*)
2008-07-22 Includes\HeavyDuty.sbi (*)
2008-07-30 Includes\Hijackers.sbi (*)
2008-08-12 Includes\HijackersC.sbi (*)
2008-08-05 Includes\Keyloggers.sbi (*)
2008-08-12 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-08-05 Includes\Malware.sbi (*)
2008-08-12 Includes\MalwareC.sbi (*)
2008-08-05 Includes\PUPS.sbi (*)
2008-08-12 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-08-12 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-08-11 Includes\Spyware.sbi (*)
2008-08-11 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-08-05 Includes\Trojans.sbi (*)
2008-08-12 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/928365
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB953838)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Update for Windows XP (KB942763)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Update for Windows XP (KB951072-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB953839)
/ Windows XP OOB / SP10: High Definition Audio Driver Package - KB835221


--- Startup entries list ---
Located: HK_LM:Run,
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, Acrobat Assistant 7.0
command: "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
file: C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
size: 483328
MD5: B985665B63E92D8DF8859EAE21E7B52F

Located: HK_LM:Run, AppleSyncNotifier
command: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
file: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
size: 116040
MD5: 0BBC0204478194E404DF71B7A3E3FC22

Located: HK_LM:Run, BluetoothAuthenticationAgent
command: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
file: C:\WINDOWS\system32\bthprops.cpl
size: 110592
MD5: 80AA4214C5BC0A355151BD115017313F

Located: HK_LM:Run, Cmaudio
command: RunDll32 cmicnfg.cpl,CMICtrlWnd
file: C:\WINDOWS\system\cmicnfg.cpl
size: 4001792
MD5: 49944533CA69A1E998C69B6DA65C00F2

Located: HK_LM:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 289064
MD5: 4CED92963F453EB8DCFE67FD4248D657

Located: HK_LM:Run, LogitechSoftwareUpdate
command: "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
file: C:\Program Files\Logitech\Video\ManifestEngine.exe
size: 196608
MD5: 660B6158BC2BC5D7CB1FF18D148C17AA

Located: HK_LM:Run, LogitechVideoRepair
command: C:\Program Files\Logitech\Video\ISStart.exe
file: C:\Program Files\Logitech\Video\ISStart.exe
size: 458752
MD5: 93C8B9C6FD3D243D4B2C8C03C44B18E9

Located: HK_LM:Run, LogitechVideoTray
command: C:\Program Files\Logitech\Video\LogiTray.exe
file: C:\Program Files\Logitech\Video\LogiTray.exe
size: 217088
MD5: F433926BBEC782B603BA3BE0D4E92B7B

Located: HK_LM:Run, LVCOMSX
command: C:\WINDOWS\system32\LVCOMSX.EXE
file: C:\WINDOWS\system32\LVCOMSX.EXE
size: 221184
MD5: 5BA8A7DA5D0573F7923E02B260AAD2F1

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3E4C03CEFAD8DE135263236B61A49C90

Located: HK_LM:Run, NvMediaCenter
command: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
file: C:\WINDOWS\system32\NvMcTray.dll
size: 86016
MD5: 1FF171FBAF6E5A29C07B1F8D318B607A

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: F34EB5D4F145ED5FE50033CA3A41ED24

Located: HK_LM:Run, RegClean
command: "C:\Program Files\RegClean\RegClean.exe" -boot
file: C:\Program Files\RegClean\RegClean.exe
size: 10065392
MD5: E17FE7AC4E2FC47FB8E2058D6AA81A00

Located: HK_LM:Run, RemoteControl
command: "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
file: C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
size: 32768
MD5: 915A106A2FB87292CEF0AD4F36ADF313

Located: HK_LM:Run, SBCSTray
command: C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
file: C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
size: 698864
MD5: 6CEC5278A917DCBDE0A7D3B0EBC3DD1E

Located: HK_LM:Run, Skype
command: "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
file: C:\Program Files\Skype\Phone\Skype.exe
size: 23165736
MD5: D1C4805584C7A74DA35452473A1445EA

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
size: 144784
MD5: 6AB4C021FBD36DC6764924C312428D97

Located: HK_LM:Run, Ulead Quick-Drop
command: C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
file: C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe
size: 102400
MD5: 715C7B67525107E896E21525F374D4BB

Located: HK_LM:Run, updateMgr
command: "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
file: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
size: 313472
MD5: 43F3F6D33C793089A7C32B45DA16094B

Located: HK_LM:Run, USIUDF_Eject_Monitor
command: C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
file: C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
size: 81920
MD5: D9C8A14D9C2168C29A068B2C470E37B4

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-789336058-1177238915-682003330-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: Startup (common), Adobe Acrobat Speed Launcher.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
file: C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
size: 25214
MD5: D6294D59171AC375CD142003566AA89E

Located: Startup (common), HPAiODevice(hp officejet g series) - 1.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
file: C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
size: 151552
MD5: 0C284F768815000381E76898624C2E68

Located: Startup (common), Logitech Harmony Remote V5.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
file: C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
size: 94295
MD5: 67766472D5EEB88250158B2B907A7448

Located: Startup (user), Adobe Gamma.lnk
where: C:\Documents and Settings\Mike\Start Menu\Programs\Startup...
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: C2FF17734176CD15221C10044EF0BA1A

Located: Startup (user), D-Link Media Server.lnk
where: C:\Documents and Settings\Mike\Start Menu\Programs\Startup...
command: C:\Program Files\D-Link Media Server\MediaGUI.exe
file: C:\Program Files\D-Link Media Server\MediaGUI.exe
size: 1523831
MD5: 489A77E81450B92BC6C048A869FC6F1E

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wcnotify
command: wcnotify.dll
file: wcnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 12/14/2004 2:56:50 AM
Date (last access): 8/16/2008 8:03:24 PM
Date (last write): 12/18/2006 5:16:42 AM
Filesize: 59032
Attributes: archive
MD5: 4EA3A6CD9D20584FFAFDB1E47DBF0E20
CRC32: 7B0A854F
Version: 7.0.9.50

{22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Skype add-on (mastermind)
CLSID name: Skype add-on (mastermind)
Path: C:\Program Files\Skype\Toolbars\Internet Explorer\
Long name: SkypeIEPlugin.dll
Short name: SKYPEI~1.DLL
Date (created): 8/6/2007 12:43:22 PM
Date (last access): 8/16/2008 8:16:44 PM
Date (last write): 8/6/2007 12:43:22 PM
Filesize: 1062184
Attributes: archive
MD5: 6E7F682F1AB484A10DF4A27BFC52C3FF
CRC32: CC900F47
Version: 2.2.0.105

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\Program Files\Spybot - Search & Destroy\
Long name: SDHelper.dll
Short name:
Date (created): 8/16/2008 7:20:06 PM
Date (last access): 8/16/2008 8:20:40 PM
Date (last write): 7/7/2008 9:41:58 AM
Filesize: 1562448
Attributes: archive
MD5: 32981ADE44D01EC2A9EBC2E311291707
CRC32: C2F522E6
Version: 1.6.0.12

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: ssv.dll
Short name:
Date (created): 7/20/2008 7:59:02 PM
Date (last access): 8/16/2008 6:58:22 PM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 509328
Attributes: archive
MD5: F921D875A1CBD69A6A462BA2514BC831
CRC32: 38AC9EE2
Version: 6.0.70.6

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 5/20/2008 4:13:20 PM
Date (last access): 8/16/2008 8:16:46 PM
Date (last write): 5/20/2008 4:13:20 PM
Filesize: 2549368
Attributes: readonly archive
MD5: CC489913075050292FCF09A02A449522
CRC32: FAE9D654
Version: 4.0.1602.35650

{AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Conversion Toolbar Helper
description: Adobe Acrobat
classification: Legitimate
known filename: AcroIEFavClient.dll
info link: http://www.adobe.com/products/acrobatpro/main.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\
Long name: AcroIEFavClient.dll
Short name: ACROIE~1.DLL
Date (created): 9/23/2005 10:41:42 PM
Date (last access): 8/16/2008 8:03:24 PM
Date (last write): 12/18/2006 5:18:14 AM
Filesize: 231160
Attributes: archive
MD5: 00AA6DF95E24DE4C616127EE739897F4
CRC32: D6B49BBF
Version: 7.0.9.50

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\
Long name: swg.dll
Short name:
Date (created): 5/1/2008 11:55:42 AM
Date (last access): 8/16/2008 8:16:46 PM
Date (last write): 5/1/2008 11:55:42 AM
Filesize: 734704
Attributes: archive
MD5: F1D0608833F726C8FF84E11A46843CDE
CRC32: 0AF4F0EF
Version: 3.0.1225.9868



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
Installer: C:\WINDOWS\Downloaded Program Files\QTPlugin.inf
Codebase: http://www.apple.com/qtactivex/qtplugin.cab
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 5/27/2008 10:50:48 AM
Date (last access): 8/16/2008 4:52:26 PM
Date (last write): 5/27/2008 10:50:48 AM
Filesize: 779568
Attributes: archive
MD5: 2895E4DA45C169531EA5DF01E3829B23
CRC32: 95147D29
Version: 7.50.61.0

{215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6)
DPF name:
CLSID name: Trend Micro ActiveX Scan Agent 6.6
Installer: C:\WINDOWS\Downloaded Program Files\hcImpl.inf
Codebase: http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: Housecall_ActiveX.dll
Short name: HOUSEC~1.DLL
Date (created): 5/2/2008 2:22:56 PM
Date (last access): 8/16/2008 4:56:52 PM
Date (last write): 5/2/2008 2:22:56 PM
Filesize: 385536
Attributes: archive
MD5: 4CF2B39A5AB298CFFA2674CB8AD66A63
CRC32: BC7E68C2
Version: 6.51.0.1028

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1217908534546
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 3/11/2005 4:32:24 AM
Date (last access): 8/16/2008 7:32:46 PM
Date (last write): 7/30/2007 7:19:46 PM
Filesize: 203096
Attributes: archive
MD5: FD984F9BFC9C62BD6546BD183CE5ADE7
CRC32: 8092F837
Version: 7.0.6000.381

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf
Codebase: http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217908520187
Path: C:\WINDOWS\system32\
Long name: muweb.dll
Short name:
Date (created): 5/26/2005 4:19:32 AM
Date (last access): 8/16/2008 7:32:44 PM
Date (last write): 7/30/2007 7:18:34 PM
Filesize: 207736
Attributes: archive
MD5: 8038B166CE79E58E193566150CE26465
CRC32: 9137D395
Version: 7.0.6000.381

{7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class)
DPF name:
CLSID name: WScanCtl Class
Installer: C:\WINDOWS\Downloaded Program Files\webscan.inf
Codebase: http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: webscan.dll
Short name:
Date (created): 11/20/2006 1:02:34 PM
Date (last access): 8/16/2008 4:56:52 PM
Date (last write): 11/20/2006 1:02:34 PM
Filesize: 180282
Attributes: archive
MD5: 76EA3ABECE61FBA3C07F61E42BB0CA48
CRC32: AECD0E4D
Version: 1.1.0.1049

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 2:32:34 AM
Date (last access): 8/16/2008 4:43:14 PM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

{917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class)
DPF name:
CLSID name: CamImage Class
Installer: C:\WINDOWS\Downloaded Program Files\AxisCamControl.inf
Codebase: http://12.30.180.135/activex/AxisCamControl.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: AxisCamControl.ocx
Short name: AXISCA~1.OCX
Date (created): 10/29/2004 11:01:34 AM
Date (last access): 8/16/2008 4:56:50 PM
Date (last write): 10/29/2004 11:01:34 AM
Filesize: 204800
Attributes: archive
MD5: 85284D40568AE8D20718C4AE34F673AB
CRC32: 69273103
Version: 2.23.0.0

{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_04
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_04\bin\
Long name: NPJPI150_04.dll
Short name: NPJPI1~1.DLL
Date (created): 6/3/2005 3:52:58 AM
Date (last access): 8/16/2008 4:41:34 PM
Date (last write): 6/3/2005 4:09:54 AM
Filesize: 69746
Attributes: archive
MD5: 8548FE98BD687F35AFD0AED9C2A2DEE3
CRC32: 4058FA1B
Version: 5.0.40.5

{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 11/10/2005 2:03:56 PM
Date (last access): 8/16/2008 4:41:42 PM
Date (last write): 11/10/2005 2:22:10 PM
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5

{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_08
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_08\bin\
Long name: NPJPI150_08.dll
Short name: NPJPI1~1.DLL
Date (created): 7/26/2006 3:03:18 AM
Date (last access): 8/16/2008 4:41:52 PM
Date (last write): 7/26/2006 3:17:56 AM
Filesize: 69746
Attributes: archive
MD5: C10D603F2BD3B0A2EAC4EC5B743430D3
CRC32: 1EB99B36
Version: 5.0.80.3

{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_09
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_09\bin\
Long name: NPJPI150_09.dll
Short name: NPJPI1~1.DLL
Date (created): 10/12/2006 4:10:58 AM
Date (last access): 8/16/2008 4:42:02 PM
Date (last write): 10/12/2006 4:25:44 AM
Filesize: 69746
Attributes: archive
MD5: A3CDEB59B6B8C2EA81B9ED2D3EF4C95E
CRC32: 2A32A9A2
Version: 5.0.90.3

{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_10
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_10\bin\
Long name: NPJPI150_10.dll
Short name: NPJPI1~1.DLL
Date (created): 11/9/2006 4:07:34 PM
Date (last access): 8/16/2008 4:42:12 PM
Date (last write): 11/9/2006 4:21:54 PM
Filesize: 75528
Attributes: archive
MD5: 635F4B3A0F1C661B5CEDE628BA85E46B
CRC32: 0C9B7145
Version: 5.0.100.3

{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_11
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_11\bin\
Long name: NPJPI150_11.dll
Short name: NPJPI1~1.DLL
Date (created): 12/15/2006 4:09:16 AM
Date (last access): 8/16/2008 4:42:22 PM
Date (last write): 12/15/2006 4:23:26 AM
Filesize: 75528
Attributes: archive
MD5: 3B3F6984DBF972DAFF1B7E9C44E2FE75
CRC32: 4BDE2041
Version: 5.0.110.3

{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_01
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_01\bin\
Long name: npjpi160_01.dll
Short name: NPJPI1~1.DLL
Date (created): 3/14/2007 2:04:46 AM
Date (last access): 8/16/2008 4:42:32 PM
Date (last write): 3/14/2007 3:43:42 AM
Filesize: 132760
Attributes: archive
MD5: F112FB2FD2EF66D439799E3F834DF000
CRC32: D2B09219
Version: 6.0.0.6

{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_02
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_02\bin\
Long name: npjpi160_02.dll
Short name: NPJPI1~1.DLL
Date (created): 7/12/2007 2:22:38 AM
Date (last access): 8/16/2008 4:42:42 PM
Date (last write): 7/12/2007 4:00:36 AM
Filesize: 132496
Attributes: archive
MD5: E3811F1A1C5063C941EC0E2766C3EA39
CRC32: AEFD3747
Version: 6.0.20.6

{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_03\bin\
Long name: npjpi160_03.dll
Short name: NPJPI1~1.DLL
Date (created): 9/25/2007 12:31:44 AM
Date (last access): 8/16/2008 4:42:52 PM
Date (last write): 9/25/2007 2:11:34 AM
Filesize: 132496
Attributes: archive
MD5: D6A4682A6FF41832A3F1A7AB9AE08199
CRC32: 9080B537
Version: 6.0.30.5

{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name: NPJPI1~1.DLL
Date (created): 2/22/2008 2:33:32 AM
Date (last access): 8/16/2008 4:43:02 PM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13

{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 2:32:34 AM
Date (last access): 8/16/2008 8:20:42 PM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 2:32:34 AM
Date (last access): 8/16/2008 8:20:42 PM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9f.ocx
Short name:
Date (created): 3/24/2008 7:32:42 PM
Date (last access): 8/16/2008 7:59:44 PM
Date (last write): 3/24/2008 7:32:42 PM
Filesize: 2991488
Attributes: readonly archive
MD5: 48FDF435B8595604E54125B321924510
CRC32: 12335E29
Version: 9.0.124.0

{E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control)
DPF name:
CLSID name: JuniperSetupSP1 Control
Installer: C:\WINDOWS\Downloaded Program Files\JuniperSetup.INF
Codebase: https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
Path: C:\WINDOWS\DOWNLO~1\
Long name: JuniperSetup.ocx
Short name: JUNIPE~1.OCX
Date (created): 4/10/2007 6:59:50 PM
Date (last access): 8/16/2008 4:56:52 PM
Date (last write): 4/10/2007 6:59:50 PM
Filesize: 98371
Attributes: archive
MD5: 59A13BACF3033749FC0E6D7C179F850F
CRC32: FDA271CD
Version: 1.0.0.12

--- Process list ---
PID: 0 ( 0) [System]
PID: 692 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 808 ( 692) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 832 ( 692) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 876 ( 832) C:\WINDOWS\system32\services.exe
size: 108544
MD5: 0E776ED5F7CC9F94299E70461B7B8185
PID: 888 ( 832) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 1056 ( 876) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1104 ( 876) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1248 ( 876) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1308 ( 876) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1408 ( 876) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1460 ( 876) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
PID: 1564 ( 876) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
size: 116040
MD5: 2BDA4A9480B550FCCA6D29C22CA54C0D
PID: 1576 ( 876) C:\Program Files\Bonjour\mDNSResponder.exe
size: 229376
MD5: CFD4C3352E29A8B729536648466E8DF5
PID: 1604 ( 876) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1676 ( 876) C:\Program Files\PrevxCSI\prevxcsi.exe
size: 618040
MD5: 49863CB74B67FEC24E9469B909390A25
PID: 1880 ( 876) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
size: 137200
MD5: 1BF044E23206FDDC16891A32922D571B
PID: 1996 ( 876) C:\WINDOWS\system32\inetsrv\inetinfo.exe
size: 15360
MD5: DB3C22745C0DA4666F3BE31F1AF36B2F
PID: 252 ( 876) C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
size: 788976
MD5: 5F8945CF66D646A8CF2A0E207F1241B3
PID: 780 ( 876) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1088 ( 876) C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
size: 49152
MD5: 332D341D92B933600D41953B08360DFB
PID: 1188 ( 876) C:\Program Files\MediaMall\MediaMallServer.exe
size: 1190912
MD5: 5A62EB4F34BAD7E62ACD25345032ACEE
PID: 192 ( 876) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 568 (1676) C:\Program Files\PrevxCSI\prevxcsi.exe
size: 618040
MD5: 49863CB74B67FEC24E9469B909390A25
PID: 1956 ( 688) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 3220 (1956) C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
size: 32768
MD5: 915A106A2FB87292CEF0AD4F36ADF313
PID: 3256 (1956) C:\WINDOWS\system32\RunDll32.exe
size: 33280
MD5: 037B1E7798960E0420003D05BB577EE6
PID: 3488 (1956) C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
size: 483328
MD5: B985665B63E92D8DF8859EAE21E7B52F
PID: 3552 (1956) C:\WINDOWS\system32\LVCOMSX.EXE
size: 221184
MD5: 5BA8A7DA5D0573F7923E02B260AAD2F1
PID: 3808 (1956) C:\Program Files\Logitech\Video\LogiTray.exe
size: 217088
MD5: F433926BBEC782B603BA3BE0D4E92B7B
PID: 3940 (1956) C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
size: 144784
MD5: 6AB4C021FBD36DC6764924C312428D97
PID: 940 (1956) C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
size: 81920
MD5: D9C8A14D9C2168C29A068B2C470E37B4
PID: 2400 (1956) C:\Program Files\Skype\Phone\Skype.exe
size: 23165736
MD5: D1C4805584C7A74DA35452473A1445EA
PID: 2592 (1956) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 2764 (1956) C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: 037B1E7798960E0420003D05BB577EE6
PID: 3836 (1956) C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: 037B1E7798960E0420003D05BB577EE6
PID: 224 (1956) C:\Program Files\iTunes\iTunesHelper.exe
size: 289064
MD5: 4CED92963F453EB8DCFE67FD4248D657
PID: 556 (1956) C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
size: 698864
MD5: 6CEC5278A917DCBDE0A7D3B0EBC3DD1E
PID: 2876 ( 876) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 2072 (1956) C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
size: 151552
MD5: 0C284F768815000381E76898624C2E68
PID: 2364 (1956) C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
size: 94295
MD5: 67766472D5EEB88250158B2B907A7448
PID: 2564 (1956) C:\Program Files\D-Link Media Server\MediaGUI.exe
size: 1523831
MD5: 489A77E81450B92BC6C048A869FC6F1E
PID: 4092 ( 876) C:\Program Files\iPod\bin\iPodService.exe
size: 532264
MD5: D7ED7D86C9FDDC2EEE637B303B3D6A6B
PID: 2108 (2564) C:\Program Files\D-Link Media Server\MediaServer.exe
size: 655360
MD5: 9FC62EA932D196722AB90BC9B217A0A6
PID: 3188 (1056) C:\Program Files\Logitech\Video\FxSvr2.exe
size: 192512
MD5: 951504797D17139BDCA8F962DF65FDAB
PID: 3856 (1056) C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
size: 299008
MD5: 786A9556B35CA88E867213E135BB5DEF
PID: 2312 (2072) C:\WINDOWS\system32\hpoipm07.exe
size: 57344
MD5: 9F1573F5069BA5B0A7CA131C52430E65
PID: 2912 (2400) C:\Program Files\Skype\Plugin Manager\SkypePM.exe
size: 1942472
MD5: 7C27CCFDE444A377BFC87A3B17031DC8
PID: 3100 (3856) C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
size: 294912
MD5: C596C2F76134513F5429215F06EC72D7
PID: 1808 (3856) C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
size: 188416
MD5: 9719062F746282C1C1095F62CD870D2A
PID: 3292 (2620) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4891472
MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855
PID: 660 (3136) C:\Program Files\RegClean\RegClean.exe
size: 10065392
MD5: E17FE7AC4E2FC47FB8E2058D6AA81A00
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 8/16/2008 8:20:44 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD RfComm [Bluetooth]
GUID: {9FC48064-7298-43E4-B7BD-181F2089792A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Bluetooth
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD RfComm [Bluetooth]

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A9C30D3D-7444-4350-AD42-725F4CE84012}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A9C30D3D-7444-4350-AD42-725F4CE84012}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A54DF575-11A9-4DB0-98E9-6FB075102772}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A54DF575-11A9-4DB0-98E9-6FB075102772}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D98AB491-55A4-43F1-BD3D-4095B84B64FE}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D98AB491-55A4-43F1-BD3D-4095B84B64FE}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BAD61B5D-BE5D-4AE9-9C8D-27B17886463F}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BAD61B5D-BE5D-4AE9-9C8D-27B17886463F}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2710509B-5384-4EE3-8A44-C44C6B629B50}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
 
spybot report part 2

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2710509B-5384-4EE3-8A44-C44C6B629B50}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{29E09D19-EF0F-4D45-8A03-F93BAFAD3D09}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{29E09D19-EF0F-4D45-8A03-F93BAFAD3D09}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B6338DA5-E01C-4F7F-807C-9CF3BFD0A344}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B6338DA5-E01C-4F7F-807C-9CF3BFD0A344}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{35DDE95D-BC8F-4F7A-95F1-B93FA198A36C}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{35DDE95D-BC8F-4F7A-95F1-B93FA198A36C}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C6CDB976-E5B8-4FD6-BE2B-E4FBC57F9862}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C6CDB976-E5B8-4FD6-BE2B-E4FBC57F9862}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP

Namespace Provider 4: Bluetooth Namespace
GUID: {06AA63E0-7D60-41FF-AFB2-3EE6D2D9392D}
Filename: %SystemRoot%\system32\wshbth.dll
Description: Bluetooth
DB filename: %SystemRoot%\system32\wshbth.dll
DB protocol: Bluetooth-Namespace
 
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 
CF log

Here is the CF log.

Note: after it finished, I started IExplorer and immediately a pop-up program launched: "Select File to Crack".

This re-infected the computer.

I think it is either attached to the IEXPLORER or to the Google Toolbar (it happens before the Google Toolbar has a chance to load).
---------------------------------------------------------------

ComboFix 08-08-19.06 - Mike 2008-08-21 12:07:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.674 [GMT -7:00]
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\#SharedObjects\5MCT9UUU\interclick.com
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\#SharedObjects\5MCT9UUU\interclick.com\ud.sol
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Mike\Cookies\mike@a.tomshardware[2].txt
C:\Documents and Settings\Mike\Cookies\mike@ads.revsci[3].txt
C:\Documents and Settings\Mike\Cookies\mike@circuitcity[1].txt
C:\Documents and Settings\Mike\Cookies\mike@clicktorrent[3].txt
C:\Documents and Settings\Mike\Cookies\mike@my.clearchannelradio[1].txt
C:\Documents and Settings\Mike\Cookies\mike@track.bestbuy[1].txt
C:\Documents and Settings\Mike\Cookies\mike@turn[1].txt
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\mdelk.exe
G:\Temp\Temporary Internet Files\ENCSC-Download.com.2.5.1040.0.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-16 19:03 . 2008-08-16 19:03 231,999 --a------ C:\Temp\Beagled.exe
2008-08-16 18:54 . 2008-08-16 18:58 <DIR> d-------- C:\ComboFix
2008-08-16 18:02 . 2008-08-16 18:16 250 --a------ C:\WINDOWS\gmer.ini
2008-08-16 18:01 . 2008-08-16 18:01 747,873 --a------ C:\Temp\gmer.zip
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-08-16 15:53 . 2008-08-16 15:53 401,720 --a------ C:\Temp\HiJackThis.exe
2008-08-16 15:52 . 2008-08-16 15:53 716,539 --a------ C:\Temp\HJTInstall.exe
2008-08-16 15:31 . 2006-04-25 08:01 704,520 --a------ C:\WINDOWS\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-16 13:50 . 2008-08-16 13:50 <DIR> d-------- C:\Program Files\PrevxCSI
2008-08-16 13:50 . 2008-08-16 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-16 13:50 . 2008-08-16 13:50 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-08-16 12:45 . 2008-08-16 16:28 15,083,520 --a------ C:\Temp\spybotsd160.exe
2008-08-16 12:17 . 2008-08-16 12:17 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Sunbelt Software
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-08-16 08:47 . 2008-08-16 08:47 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-08-16 08:45 . 2008-08-16 08:42 45,935,776 --a------ C:\Temp\counterspy.exe
2008-08-15 18:02 . 2008-08-15 18:02 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-16 15:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 18:01 . 2008-08-15 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-06 21:59 1,885,120 --a------ C:\Temp\mbam-setup.exe
2008-08-15 18:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-15 18:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-15 17:49 . 2008-08-15 19:14 <DIR> d-------- C:\Documents and Settings\Mike\.housecall6.6
2008-08-15 07:48 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-15 07:48 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 12:57 . 2008-08-14 12:57 <DIR> d-------- C:\Program Files\Safari
2008-08-12 11:30 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iPod
2008-08-12 11:29 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iTunes
2008-08-12 11:28 . 2008-08-12 11:28 <DIR> d-------- C:\Program Files\Bonjour
2008-08-12 11:22 . 2008-08-12 11:22 63,530,280 --a------ C:\Temp\iTunesSetup.exe
2008-08-04 22:46 . 2008-08-04 22:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-04 22:35 . 2008-08-04 22:35 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-04 22:02 . 2008-08-04 22:02 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-04 21:33 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-04 20:55 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-04 20:55 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-03 12:21 . 2008-08-03 12:21 2,108,504 --a------ C:\Temp\GPSMAP60CSx_370.exe
2008-08-03 12:13 . 2007-03-08 17:18 18,432 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2008-08-03 12:13 . 2006-02-20 11:25 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2008-08-03 12:13 . 2006-04-11 12:51 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2008-08-03 12:13 . 2006-07-11 12:50 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2008-08-03 12:13 . 2007-03-08 17:18 8,320 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2008-08-03 12:12 . 2008-08-03 21:28 <DIR> d-------- C:\Garmin
2008-07-29 11:10 . 2008-07-29 11:10 <DIR> d-------- C:\Program Files\Tech-Pro World Clock 2
2008-07-29 11:10 . 2008-02-04 02:10 237,776 --a------ C:\WINDOWS\system32\tpuninst.exe
2008-07-29 11:08 . 2008-07-29 11:08 2,428,088 --a------ C:\Temp\wc2setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 19:20 --------- d-----w C:\Documents and Settings\Mike\Application Data\D-Link Media Server
2008-08-21 19:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-21 18:54 --------- d-----w C:\Documents and Settings\Mike\Application Data\Skype
2008-08-17 03:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-17 02:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-16 02:09 --------- d-----w C:\Documents and Settings\Mike\Application Data\dvdcss
2008-08-16 00:25 --------- d-----w C:\Program Files\eMule
2008-08-15 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaMall
2008-08-15 00:24 --------- d-----w C:\Documents and Settings\Mike\Application Data\Apple Computer
2008-08-14 19:57 --------- d-----w C:\Program Files\Apple Software Update
2008-08-14 15:55 --------- d-----w C:\Documents and Settings\Mike\Application Data\Azureus
2008-08-12 18:28 --------- d-----w C:\Program Files\QuickTime
2008-08-10 20:41 --------- d-----w C:\Program Files\Internet Radio Recorder
2008-08-06 23:20 --------- d-----w C:\Program Files\Google
2008-08-03 20:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 00:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\MediaServerDump
2008-07-21 03:16 --------- d-----w C:\Program Files\Picasa2
2008-07-21 02:59 --------- d-----w C:\Program Files\Sun
2008-07-21 02:59 --------- d-----w C:\Program Files\Java
2008-07-08 02:58 --------- d-----w C:\Program Files\D-Link Media Server
2008-07-08 02:22 --------- d-----w C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 01:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-04-30 18:49 92,064 -c--a-w C:\Documents and Settings\Mike\mqdmmdm.sys
2008-04-30 18:49 9,232 -c--a-w C:\Documents and Settings\Mike\mqdmmdfl.sys
2008-04-30 18:49 79,328 -c--a-w C:\Documents and Settings\Mike\mqdmserd.sys
2008-04-30 18:49 66,656 -c--a-w C:\Documents and Settings\Mike\mqdmbus.sys
2008-04-30 18:49 6,208 -c--a-w C:\Documents and Settings\Mike\mqdmcmnt.sys
2008-04-30 18:49 5,936 -c--a-w C:\Documents and Settings\Mike\mqdmwhnt.sys
2008-04-30 18:49 4,048 -c--a-w C:\Documents and Settings\Mike\mqdmcr.sys
2008-04-30 18:49 25,600 -c--a-w C:\Documents and Settings\Mike\usbsermptxp.sys
2008-04-30 18:49 22,768 -c--a-w C:\Documents and Settings\Mike\usbsermpt.sys
2007-05-29 05:17 81,920 ----a-w C:\Documents and Settings\Mike\Application Data\ezpinst.exe
2007-05-29 05:17 47,360 ----a-w C:\Documents and Settings\Mike\Application Data\pcouffin.sys
2006-03-19 16:36 13,824 -c--a-w C:\Documents and Settings\Mike\atwbxdet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-01-18 17:47 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-01-18 17:37 217088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Ulead Quick-Drop"="C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe" [2005-01-31 17:32 102400]
"USIUDF_Eject_Monitor"="C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-12-23 18:27 81920]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07 196608]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-03-30 16:45 10065392]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09 698864]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\Mike\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-21 17:13:51 113664]
D-Link Media Server.lnk - C:\Program Files\D-Link Media Server\MediaGUI.exe [2008-07-07 19:58:32 1523831]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-03-13 19:02:09 25214]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552]
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2006-02-22 15:47:44 94295]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytoosl"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wcnotify]
2007-08-09 17:16 14656 C:\WINDOWS\system32\WcNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MediaMall\\MediaMallServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-10-28 20:21]
R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-08-16 13:50]
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-08-16 12:17]
R1 BeTwinSystem;BeTwinSystem;C:\WINDOWS\system32\Drivers\BeTwinSystem.sys [2007-08-09 17:15]
R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-08-16 13:50]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2000-01-07 10:00]
R2 MediaMall Server;MediaMall Server;C:\Program Files\MediaMall\MediaMallServer.exe [2007-10-09 16:57]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-21 03:56]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NativeTS

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder

2008-08-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-21 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean\RegClean.exe [2007-03-30 16:45]

2008-08-21 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean [2007-04-18 22:17]

2008-08-21 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-08-21 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C34135C4-C5CE-440A-B981-1BFF8E5F71A9}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 12:58]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\xx0vemed.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 12:19:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-08-21 12:29:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-21 19:28:48

Pre-Run: 118,582,091,776 bytes free
Post-Run: 118,520,954,880 bytes free

265
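The ComboFix "Reg Loading Points" sections in the log above record more than autostart entries: both Security Center notification values are set to 1 (the antivirus and Windows Update warnings are silenced), EnableFirewall is 0 in the standard profile, a P2P client sits in the firewall's authorized-applications list, and 3389/TCP (Remote Desktop) is globally open. Below is an added Python example, not part of this thread and not ComboFix's own code, that parses an excerpt of that kind and flags those settings for a responder; the excerpt is constructed from the sections quoted in this thread, and the P2P executable list and severity labels are assumptions made for the example.

```python
"""Flag weak security settings in a ComboFix-style 'Reg Loading Points' excerpt."""
import ntpath
import re

# Constructed excerpt modelled on the registry sections quoted in this thread
# (registry-export style: paths inside quoted value names use doubled backslashes).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# Assumed list of well-known peer-to-peer client executables (file names only).
P2P_EXECUTABLES = {
    "emule.exe", "azureus.exe", "utorrent.exe", "bittorrent.exe",
    "limewire.exe", "kazaa.exe", "bearshare.exe",
}

# Security Center values that, when set to 1, hide the user's security warnings.
NOTIFY_SUPPRESSORS = {"antivirusdisablenotify", "updatesdisablenotify", "firewalldisablenotify"}

# Matches one registry value line: "name"= value   (value may be empty)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')


def parse_int(value):
    """Read a REGEDIT4 'dword:...' or ComboFix '0 (0x0)' style value; None if neither."""
    value = value.strip()
    m = re.match(r"dword:([0-9a-fA-F]{1,8})$", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\b", value)
    if m:
        return int(m.group(1))
    return None


def audit(log_text):
    """Return (severity, message) findings for the risky settings in log_text."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # new registry key; applies to the values that follow
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        key = name.lower()
        if section.endswith("security center"):
            if key in NOTIFY_SUPPRESSORS and parse_int(value) == 1:
                findings.append(("high", f"Security Center warning suppressed: {name}"))
        elif section.endswith(r"firewallpolicy\standardprofile"):
            if key == "enablefirewall" and parse_int(value) == 0:
                findings.append(("high", "Windows Firewall disabled in the standard profile"))
        elif section.endswith(r"authorizedapplications\list"):
            # The value name is the program path; compare only its file name.
            exe = ntpath.basename(name).lower()
            if exe in P2P_EXECUTABLES:
                findings.append(("medium", f"P2P client allowed through the firewall: {exe}"))
        elif section.endswith(r"globallyopenports\list"):
            # Value names look like "3389:TCP"; every entry here is reachable from any network.
            port, _, proto = name.partition(":")
            findings.append(("medium", f"Port open on every network: {port}/{proto}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```

Run against the constructed excerpt, the script reports five findings: the two suppressed Security Center warnings, the disabled firewall, emule.exe in the allow list and 3389/TCP open. The section matching is deliberately suffix-based so the same checks work whether the log writes the key as `HKLM\~\...` (ComboFix's abbreviation) or spells out `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\...`.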
 
HJT Log

Here is the HJT log after the CF run.
(and after re-infection)

------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:13 PM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\D-Link Media Server\MediaGUI.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe
C:\Temp\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKLM\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: D-Link Media Server.lnk = C:\Program Files\D-Link Media Server\MediaGUI.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1217908534546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217908520187
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.30.180.135/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: wcnotify - C:\WINDOWS\SYSTEM32\wcnotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11880 bytes
 
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

eMule


I'd like you to read this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Program Files\eMule


Empty Recycle Bin.

After that:

a) Run ComboFix again & post its log.

b) Generate an Uninstall List

* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it & a fresh hjt log on your next reply.
 
Deleted eMule and ran CF and HJT.

CF log

-----------------------------------

ComboFix 08-08-19.06 - Mike 2008-08-21 14:13:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.467 [GMT -7:00]
Running from: C:\Documents and Settings\Mike\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\mdelk.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-16 19:03 . 2008-08-16 19:03 231,999 --a------ C:\Temp\Beagled.exe
2008-08-16 18:54 . 2008-08-16 18:58 <DIR> d-------- C:\ComboFix
2008-08-16 18:02 . 2008-08-16 18:16 250 --a------ C:\WINDOWS\gmer.ini
2008-08-16 18:01 . 2008-08-16 18:01 747,873 --a------ C:\Temp\gmer.zip
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-08-16 15:53 . 2008-08-16 15:53 401,720 --a------ C:\Temp\HiJackThis.exe
2008-08-16 15:52 . 2008-08-16 15:53 716,539 --a------ C:\Temp\HJTInstall.exe
2008-08-16 15:31 . 2006-04-25 08:01 704,520 --a------ C:\WINDOWS\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-16 13:50 . 2008-08-16 13:50 <DIR> d-------- C:\Program Files\PrevxCSI
2008-08-16 13:50 . 2008-08-21 13:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-16 13:50 . 2008-08-16 13:50 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-08-16 12:45 . 2008-08-16 16:28 15,083,520 --a------ C:\Temp\spybotsd160.exe
2008-08-16 12:17 . 2008-08-16 12:17 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Sunbelt Software
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-08-16 08:47 . 2008-08-16 08:47 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-08-16 08:45 . 2008-08-16 08:42 45,935,776 --a------ C:\Temp\counterspy.exe
2008-08-15 18:02 . 2008-08-15 18:02 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-16 15:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 18:01 . 2008-08-15 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-06 21:59 1,885,120 --a------ C:\Temp\mbam-setup.exe
2008-08-15 18:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-15 18:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-15 17:49 . 2008-08-15 19:14 <DIR> d-------- C:\Documents and Settings\Mike\.housecall6.6
2008-08-15 07:48 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-15 07:48 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 12:57 . 2008-08-14 12:57 <DIR> d-------- C:\Program Files\Safari
2008-08-12 11:30 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iPod
2008-08-12 11:29 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iTunes
2008-08-12 11:28 . 2008-08-12 11:28 <DIR> d-------- C:\Program Files\Bonjour
2008-08-12 11:22 . 2008-08-12 11:22 63,530,280 --a------ C:\Temp\iTunesSetup.exe
2008-08-04 22:46 . 2008-08-04 22:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-04 22:35 . 2008-08-04 22:35 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-04 22:02 . 2008-08-04 22:02 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-04 21:33 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-04 20:55 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-04 20:55 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-03 12:21 . 2008-08-03 12:21 2,108,504 --a------ C:\Temp\GPSMAP60CSx_370.exe
2008-08-03 12:13 . 2007-03-08 17:18 18,432 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2008-08-03 12:13 . 2006-02-20 11:25 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2008-08-03 12:13 . 2006-04-11 12:51 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2008-08-03 12:13 . 2006-07-11 12:50 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2008-08-03 12:13 . 2007-03-08 17:18 8,320 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2008-08-03 12:12 . 2008-08-03 21:28 <DIR> d-------- C:\Garmin
2008-07-29 11:10 . 2008-07-29 11:10 <DIR> d-------- C:\Program Files\Tech-Pro World Clock 2
2008-07-29 11:10 . 2008-02-04 02:10 237,776 --a------ C:\WINDOWS\system32\tpuninst.exe
2008-07-29 11:08 . 2008-07-29 11:08 2,428,088 --a------ C:\Temp\wc2setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 21:20 --------- d-----w C:\Documents and Settings\Mike\Application Data\Skype
2008-08-21 19:20 --------- d-----w C:\Documents and Settings\Mike\Application Data\D-Link Media Server
2008-08-21 19:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-17 03:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-17 02:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-16 02:09 --------- d-----w C:\Documents and Settings\Mike\Application Data\dvdcss
2008-08-15 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaMall
2008-08-15 00:24 --------- d-----w C:\Documents and Settings\Mike\Application Data\Apple Computer
2008-08-14 19:57 --------- d-----w C:\Program Files\Apple Software Update
2008-08-14 15:55 --------- d-----w C:\Documents and Settings\Mike\Application Data\Azureus
2008-08-12 18:28 --------- d-----w C:\Program Files\QuickTime
2008-08-10 20:41 --------- d-----w C:\Program Files\Internet Radio Recorder
2008-08-06 23:20 --------- d-----w C:\Program Files\Google
2008-08-03 20:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 00:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\MediaServerDump
2008-07-21 03:16 --------- d-----w C:\Program Files\Picasa2
2008-07-21 02:59 --------- d-----w C:\Program Files\Sun
2008-07-21 02:59 --------- d-----w C:\Program Files\Java
2008-07-08 02:58 --------- d-----w C:\Program Files\D-Link Media Server
2008-07-08 02:22 --------- d-----w C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 01:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-04-30 18:49 92,064 -c--a-w C:\Documents and Settings\Mike\mqdmmdm.sys
2008-04-30 18:49 9,232 -c--a-w C:\Documents and Settings\Mike\mqdmmdfl.sys
2008-04-30 18:49 79,328 -c--a-w C:\Documents and Settings\Mike\mqdmserd.sys
2008-04-30 18:49 66,656 -c--a-w C:\Documents and Settings\Mike\mqdmbus.sys
2008-04-30 18:49 6,208 -c--a-w C:\Documents and Settings\Mike\mqdmcmnt.sys
2008-04-30 18:49 5,936 -c--a-w C:\Documents and Settings\Mike\mqdmwhnt.sys
2008-04-30 18:49 4,048 -c--a-w C:\Documents and Settings\Mike\mqdmcr.sys
2008-04-30 18:49 25,600 -c--a-w C:\Documents and Settings\Mike\usbsermptxp.sys
2008-04-30 18:49 22,768 -c--a-w C:\Documents and Settings\Mike\usbsermpt.sys
2007-05-29 05:17 81,920 ----a-w C:\Documents and Settings\Mike\Application Data\ezpinst.exe
2007-05-29 05:17 47,360 ----a-w C:\Documents and Settings\Mike\Application Data\pcouffin.sys
2006-03-19 16:36 13,824 -c--a-w C:\Documents and Settings\Mike\atwbxdet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-21_12.25.29.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-21 19:10:16 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-21 19:22:35 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-21 19:10:17 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-21 19:22:35 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-01-18 17:37 217088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Ulead Quick-Drop"="C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe" [2005-01-31 17:32 102400]
"USIUDF_Eject_Monitor"="C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-12-23 18:27 81920]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07 196608]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-03-30 16:45 10065392]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09 698864]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\Mike\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-21 17:13:51 113664]
D-Link Media Server.lnk - C:\Program Files\D-Link Media Server\MediaGUI.exe [2008-07-07 19:58:32 1523831]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-03-13 19:02:09 25214]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552]
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2006-02-22 15:47:44 94295]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytoosl"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wcnotify]
2007-08-09 17:16 14656 C:\WINDOWS\system32\WcNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MediaMall\\MediaMallServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-10-28 20:21]
R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-08-16 13:50]
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-08-16 12:17]
R1 BeTwinSystem;BeTwinSystem;C:\WINDOWS\system32\Drivers\BeTwinSystem.sys [2007-08-09 17:15]
R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-08-16 13:50]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2000-01-07 10:00]
R2 MediaMall Server;MediaMall Server;C:\Program Files\MediaMall\MediaMallServer.exe [2007-10-09 16:57]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-21 03:56]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NativeTS

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder

2008-08-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-21 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean\RegClean.exe [2007-03-30 16:45]

2008-08-21 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean [2007-04-18 22:17]

2008-08-21 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-02-21 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-08-21 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C34135C4-C5CE-440A-B981-1BFF8E5F71A9}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\xx0vemed.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 14:20:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-21 14:26:02
ComboFix-quarantined-files.txt 2008-08-21 21:25:39
ComboFix2.txt 2008-08-21 19:29:36

Pre-Run: 118,994,350,080 bytes free
Post-Run: 118,981,718,016 bytes free

 
hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:04 PM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\D-Link Media Server\MediaGUI.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe
C:\Temp\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKLM\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: D-Link Media Server.lnk = C:\Program Files\D-Link Media Server\MediaGUI.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1217908534546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217908520187
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.30.180.135/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: wcnotify - C:\WINDOWS\SYSTEM32\wcnotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11728 bytes
 
uninstall and hjt log - sorry

UNINSTALL
----------------------

Abexo Registry Cleaner
Ad-Aware SE Personal
Adobe Acrobat 7.1.0 Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Stock Photos 1.0
Apple Mobile Device Support
Apple Software Update
Avanquest update
Avi2Dvd 0.4.3 beta
AviSynth 2.5
Azureus
Bonjour
Calculator Powertoy for Windows XP
CCleaner (remove only)
C-Media High Definition Audio Driver
Combined Community Codec Pack 2007-07-22
Creative Jukebox Driver
D-Link Media Server 1.10
DVArchive V3.1
DVD Ripper 4
Filter Design 3.0
Garmin Trip and Waypoint Manager v4
Garmin WebUpdater
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
GrabIt 1.7.1 Beta (build 960)
GSplit 2.1
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
hp instant support
hp officejet g series
Image Resizer Powertoy for Windows XP
Internet Radio Recorder
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_08
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Logitech Harmony Remote Software V5
Logitech QuickCam Software
Logitech® Camera Driver
Malwarebytes' Anti-Malware
MapSource
MapSource - City Select
MapSource - North American City Select v5 Update
Mathcad 14
Mathcad 14 Help
Mathcad 14 Resource Center
MATLAB 6.5
MATLAB 7.0.4
MediaMall
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
MotoKit 1.06
Motorola Phone Tools
Motorola PST
Mozilla Firefox (2.0)
MSXML 4.0 SP2 (KB936181)
Nero OEM
NetBeans IDE 4.1
Nikon Scan
NI-Reports
NOMAD Explorer
NVIDIA Drivers
OpenOffice.org Installer 1.0
Picasa 2
PowerDVD
PowerQuest BootMagic 8.0
PowerQuest PartitionMagic 8.0
Prevx CSI
QuickPar 0.9
QuickTime
RealPlayer
RegClean 2.6
RegCure 1.5.0.0
Registry Mechanic 5.0
RSD_LITE_2_5
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Skype™ 3.5
SmartFTP Client
SmartFTP Client
SmartFTP Client 2.0 Setup Files (remove only)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Tech-Pro World Clock 2
TimingTool Editor
Ulead Data-Add 2.0
Ulead DVD MovieFactory 4.0 Disc Creator
Ulead DVD Player 2.0
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
UUDeview for Windows
VideoLAN VLC media player 0.8.1
Visual SlickEdit 7.0
VX-6 Programmer
WebEx
WIBU-KEY Setup (WIBU-KEY Remove)
WinAVIVideoConverter
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinZip 11.1
XviD MPEG-4 Video Codec

-------------------------------------
HJT
-------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:38 PM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\D-Link Media Server\MediaGUI.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\explorer.exe
C:\Temp\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKLM\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: D-Link Media Server.lnk = C:\Program Files\D-Link Media Server\MediaGUI.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1217908534546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217908520187
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.30.180.135/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: wcnotify - C:\WINDOWS\SYSTEM32\wcnotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11494 bytes
 
Hi


Uninstall the following items through Add/Remove Programs:
Azureus
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_08
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
Start hjt, do a system scan, check (if found):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O18 - Protocol: vskype - (no CLSID) - (no file)

Close browsers and fix checked.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (scan My Computer, i.e. the whole computer). Post back its report and a fresh hjt log.


Don't do the following until the cleaning process is completed (I just mention it here to make sure I won't forget ;)):
If you use Firefox, I recommend updating it, since your version is quite old. Also, if you use Spybot 1.4, uninstall it and get the latest one at this location
 
Notes about online scan

I did all the steps up to the on-line scan.
When I launched iexplorer to start the on-line scan, the trojan loader started again and "Select File to Crack" popped up. CounterSpy notified me that hldrrr.exe was starting.

I am pretty sure it is reinstalling mdelk.exe and undoing any cleaning that was done by Combo-Fix.

Kaspersky requires me to reinstall Java 1.5 or later.

Will post back the logs when Kaspersky gets done.
 
Problems with reinfection - new logs

Hi
Trying to run Kaspersky required turning off CounterSpy.
This allowed a full-blown infection to take off, and lots of malware applications started running (e.g. 38323435.exe, etc.).

I re-executed CF and HJT.

I used an off-line install of the Java runtime to install Java.
Now I am looking to see if I can download Kaspersky from another computer and run it without opening IEXPLORE.

Is there a different scanner I can use?

The CF log, HJT log and Uninstall list follow below...
-------------------------------------

ComboFix 08-08-21.02 - Mike 2008-08-22 11:00:32.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.707 [GMT -7:00]
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mike\Application Data\m
C:\Documents and Settings\Mike\Application Data\m\data.oct
C:\Documents and Settings\Mike\Application Data\m\flec006.exe
C:\Documents and Settings\Mike\Application Data\m\list.oct
C:\Documents and Settings\Mike\Application Data\m\shared
C:\Documents and Settings\Mike\Application Data\m\shared\[HGame_XP][AVG][jpn_jpn][愛のチカラ].zip
C:\Documents and Settings\Mike\Application Data\m\shared\131_Ice_Cream_Maker_Recipes_1.0_Patch.zip
C:\Documents and Settings\Mike\Application Data\m\shared\3D_Haunting_Halloween_Screensaver_1.0_[Cracked].zip
C:\Documents and Settings\Mike\Application Data\m\shared\3D_Ultra_NASCAR_Pinball_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\ABCUpload_.NET_5.3.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\ACA_Capture_Pro_5.50_(KeyGen).zip
C:\Documents and Settings\Mike\Application Data\m\shared\Adoc2PDF_1.2.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Advanced_PDF_Generator_1.1.3.0_(Patch).zip
C:\Documents and Settings\Mike\Application Data\m\shared\Advanced_StartUp_Manager_1.41_With_Crack.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Aide_Onlinometer_1.70_Key+Serial.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Air_Messenger_Pro_6.7.4.zip
C:\Documents and Settings\Mike\Application Data\m\shared\AllPeers_0.55.1_Beta.zip
C:\Documents and Settings\Mike\Application Data\m\shared\AntiVir.PersonalEdition.Premium.v7.+.VDF.v6.34.00.48.+.Lizenz.Key.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Anubis_P2P_1.4.zip
C:\Documents and Settings\Mike\Application Data\m\shared\AnyForm_5.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\ApHeMo_1.5.0.8.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Aplus_DVD_Creator_4.52.zip
C:\Documents and Settings\Mike\Application Data\m\shared\AppSpy_2.3_(Key).zip
C:\Documents and Settings\Mike\Application Data\m\shared\Avoirdupois_Weight_Measure_Converter_1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Backup_Chunker_2.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Backup_Premium_2.5_[Patch].zip
C:\Documents and Settings\Mike\Application Data\m\shared\Beta_Program_Bug_&_Feature_Database_1.0_Cracked.zip
C:\Documents and Settings\Mike\Application Data\m\shared\BidSolid_1.06.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Boombox_Granny_Demo_Screensaver_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Bronze_Sculpture_Jigsaw_Puzzle_45pcs.zip
C:\Documents and Settings\Mike\Application Data\m\shared\BT_Engine_4.8_build_0605.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Bukster_Link_Generator_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Business_Card_Printer_2.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\CATLearn_Reader_1.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\CD_WAVE_Ripper_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Christian_Virtual_Hymnal_2.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Claxa_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\CutePage_CoolText_1.5.zip
C:\Documents and Settings\Mike\Application Data\m\shared\DiskViz_-_Link_Checker_1.0_[Patch].zip
C:\Documents and Settings\Mike\Application Data\m\shared\DNS_Redirector_6.3.1_Crack.zip
C:\Documents and Settings\Mike\Application Data\m\shared\DXMan_1.10.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Dynamic_DBTreeView_1.8.zip
C:\Documents and Settings\Mike\Application Data\m\shared\E-Converter_1.50.zip
C:\Documents and Settings\Mike\Application Data\m\shared\E-mail_Redemption_for_Outlook_1.6.zip
C:\Documents and Settings\Mike\Application Data\m\shared\EcoKeno_3.74.zip
C:\Documents and Settings\Mike\Application Data\m\shared\EF_CheckSum_Manager_4.30_[Crack].zip
C:\Documents and Settings\Mike\Application Data\m\shared\Egypt_of_David_Roberts_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Email_Collector_Lite_1.6.8.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Express_Tax_Refund_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\EZRound_2.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\F-Prot.Antivirus.for.Windows.v3.16.Retail-DVT.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Fast_Port_Scanner_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\FastPhpInsert_News-Slide-Protected_page_1.0_Key+Serial.zip
C:\Documents and Settings\Mike\Application Data\m\shared\FirePanel_XP_2.2.0.0_(Patch).zip
C:\Documents and Settings\Mike\Application Data\m\shared\FotoTime_FotoAlbum_Pro_5.3.1.4_Cracked.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Ghost_MP3_CD_Maker_2.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Go_Game_Hamete_and_Overplay_for_Smartphone_1.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\GrabJPG_1.12.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Greek_Formulae_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Hawaii_Screensaver_4.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\HSLAB_Logger_3.4.28.124_With_Crack.zip
C:\Documents and Settings\Mike\Application Data\m\shared\imeem_2.4.38.2476.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Internet_Explorer_Password_Recovery_Master_1.4.zip
C:\Documents and Settings\Mike\Application Data\m\shared\IP_Monitor_5.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\IPComboBox_OCX_1.0.0.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Klinzter_Script_4.2.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Libcurl.NET_1.3.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Link_Folder_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Live_Search_Podcast_1.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\MarsEdit_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Mcafee.Virus.Scan.Professional.Edition.8.0-Ita.zip
C:\Documents and Settings\Mike\Application Data\m\shared\McAfee.VirusScan.10.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Medal_of_Honor_Allied_Assault_Spearhead_-_Southern_France_map.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Meteor_1.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\MindStudio_Vocab_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\MindVisualizer_Standard_1.4.4.0_(Serial).zip
C:\Documents and Settings\Mike\Application Data\m\shared\Minister_Scheduler_Pro_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\MouseClock_3.2_[Patch].zip
C:\Documents and Settings\Mike\Application Data\m\shared\MouseMeter_0.1.3.zip
C:\Documents and Settings\Mike\Application Data\m\shared\MSN_Cartoon_Avatar_Display_Pack_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\MSN_Webcam_Recorder_9.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Multiplayer_Championship_Poker_(Pocket_PC)_4.zip
C:\Documents and Settings\Mike\Application Data\m\shared\My_Downloads_1.4.zip
C:\Documents and Settings\Mike\Application Data\m\shared\MyJgui_0.5.3.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Neo_Pro_3.1.374.zip
C:\Documents and Settings\Mike\Application Data\m\shared\OutClock_1.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\OutlookFIX_Repair_and_Undelete_2.09_[Serial].zip
C:\Documents and Settings\Mike\Application Data\m\shared\Paintball_Office_Pro_2.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Panzer_Elite_Action_Fields_of_Glory_multiplayer_demo.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Password_Recovery_Software_2.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Patterns_of_Nature_Screensaver_2.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\PC_Recent_1.1.0_Key.zip
C:\Documents and Settings\Mike\Application Data\m\shared\PDB_Creator_Pro_1.0.2.zip
C:\Documents and Settings\Mike\Application Data\m\shared\PhotoElf_4.0.18_[With_Crack].zip
C:\Documents and Settings\Mike\Application Data\m\shared\PhotoLine_32_12.02.zip
C:\Documents and Settings\Mike\Application Data\m\shared\PHPRunner_4.0_Build_265.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Playtonium_Jigsaw_Patterns_in_Nature_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\PlugAdmin_Windows_1.0_Crack.zip
C:\Documents and Settings\Mike\Application Data\m\shared\PrintPictures_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\ProTarot_Reader_2.0.58_(Patch).zip
C:\Documents and Settings\Mike\Application Data\m\shared\Rmvb_Rm_Fix_Repair_Joiner_3.23_Cracked.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Robot_Shut_Down_5.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Sea_Bounty_1.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Serial_Port_Monitor_3.zip
C:\Documents and Settings\Mike\Application Data\m\shared\SGadget_1.2_Cracked.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Shadow_Professional_2.7_(Crack).zip
C:\Documents and Settings\Mike\Application Data\m\shared\ShowFont_-_Windows_Font_Lister_1.12.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Snail_Mail_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Source_Explorer_VS.NET_2003_plugin_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\SpaceMan_99_3.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\SpyCatcher_Express_2006_4.4.6.zip
C:\Documents and Settings\Mike\Application Data\m\shared\SQLWays_3.9.zip
C:\Documents and Settings\Mike\Application Data\m\shared\StormWarn_1.2.zip
C:\Documents and Settings\Mike\Application Data\m\shared\SunGlance_1.0_Serial.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Tele-Cap_Professional_3.0.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Text_Mnemonic_Generator_3.4.zip
C:\Documents and Settings\Mike\Application Data\m\shared\The_Quiz_Press_1.8_Crack.zip
C:\Documents and Settings\Mike\Application Data\m\shared\ThePlayground_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\TIFF_To_PDF_ActiveX_Component_2.0.2007.718_KeyGen.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2003_-_Vertical_deathmatch_map.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2004_Judge_Judy_Voice_Pack.zip
C:\Documents and Settings\Mike\Application Data\m\shared\US_meteo_by_sat_1.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Video_Matrix_Screensaver_1.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\VideoShotMaker_1.00.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Virtual_Hypnotist_5.551.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Web_Log_Explorer_3.31_Crack.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Windows_&_Internet_Cleaner_Pro_3.22_(Patch).zip
C:\Documents and Settings\Mike\Application Data\m\shared\Woize_2.5.0.32959.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Word_Blaster_3.5.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Wwhois_2.1.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Xceed_Chart_for_ASP.NET_3.0.zip
C:\Documents and Settings\Mike\Application Data\m\shared\XLPoints_Plus_1.3_(With_Crack).zip
C:\Documents and Settings\Mike\Application Data\m\shared\Xteq_URL_Bandit_1.2.zip
C:\Documents and Settings\Mike\Application Data\m\shared\Yes_AntiVirus-Tool_Netsky-P_3.0.zip
C:\Documents and Settings\Mike\Application Data\m\srvlist.oct
C:\WINDOWS\system32\ban_list.txt
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\1255296.exe
C:\WINDOWS\system32\drivers\downld\1283890.exe
C:\WINDOWS\system32\drivers\downld\1288046.exe
C:\WINDOWS\system32\drivers\downld\1331109.exe
C:\WINDOWS\system32\drivers\downld\1336625.exe
C:\WINDOWS\system32\drivers\downld\1344515.exe
C:\WINDOWS\system32\drivers\downld\1382906.exe
C:\WINDOWS\system32\drivers\downld\1424375.exe
C:\WINDOWS\system32\drivers\downld\1477562.exe
C:\WINDOWS\system32\drivers\downld\1490562.exe
C:\WINDOWS\system32\drivers\downld\1609015.exe
C:\WINDOWS\system32\drivers\downld\1735109.exe
C:\WINDOWS\system32\drivers\downld\2360031.exe
C:\WINDOWS\system32\drivers\downld\3964390.exe
C:\WINDOWS\system32\drivers\downld\3967125.exe
C:\WINDOWS\system32\drivers\downld\3977296.exe
C:\WINDOWS\system32\drivers\downld\4161406.exe
C:\WINDOWS\system32\drivers\downld\4162406.exe
C:\WINDOWS\system32\drivers\downld\4172953.exe
C:\WINDOWS\system32\drivers\downld\4180859.exe
C:\WINDOWS\system32\drivers\downld\4189562.exe
C:\WINDOWS\system32\drivers\downld\4252406.exe
C:\WINDOWS\system32\drivers\downld\4257906.exe
C:\WINDOWS\system32\drivers\downld\4269546.exe
C:\WINDOWS\system32\drivers\downld\4277421.exe
C:\WINDOWS\system32\drivers\downld\4319500.exe
C:\WINDOWS\system32\drivers\downld\4330343.exe
C:\WINDOWS\system32\drivers\downld\4337218.exe
C:\WINDOWS\system32\drivers\downld\4339718.exe
C:\WINDOWS\system32\drivers\downld\4346031.exe
C:\WINDOWS\system32\drivers\downld\4361921.exe
C:\WINDOWS\system32\drivers\downld\4368562.exe
C:\WINDOWS\system32\drivers\downld\4375906.exe
C:\WINDOWS\system32\drivers\downld\4381171.exe
C:\WINDOWS\system32\drivers\downld\4394984.exe
C:\WINDOWS\system32\drivers\downld\4410156.exe
C:\WINDOWS\system32\drivers\downld\4423859.exe
C:\WINDOWS\system32\drivers\downld\4431593.exe
C:\WINDOWS\system32\drivers\downld\4440281.exe
C:\WINDOWS\system32\drivers\downld\4487875.exe
C:\WINDOWS\system32\drivers\downld\4535937.exe
C:\WINDOWS\system32\drivers\downld\4586921.exe
C:\WINDOWS\system32\drivers\downld\4611093.exe
C:\WINDOWS\system32\drivers\downld\4714437.exe
C:\WINDOWS\system32\drivers\downld\4724015.exe
C:\WINDOWS\system32\drivers\downld\4742078.exe
C:\WINDOWS\system32\drivers\downld\4744000.exe
C:\WINDOWS\system32\drivers\downld\4756078.exe
C:\WINDOWS\system32\drivers\downld\4763453.exe
C:\WINDOWS\system32\drivers\downld\4784343.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
.

2008-08-22 09:37 . 2008-08-22 09:37 <DIR> d-------- C:\Temp\backups
2008-08-22 09:29 . 2006-08-03 14:56 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-08-16 19:03 . 2008-08-16 19:03 231,999 --a------ C:\Temp\Beagled.exe
2008-08-16 18:54 . 2008-08-16 18:58 <DIR> d-------- C:\ComboFix
2008-08-16 18:02 . 2008-08-16 18:16 250 --a------ C:\WINDOWS\gmer.ini
2008-08-16 18:01 . 2008-08-16 18:01 747,873 --a------ C:\Temp\gmer.zip
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-08-16 15:53 . 2008-08-16 15:53 401,720 --a------ C:\Temp\HiJackThis.exe
2008-08-16 15:52 . 2008-08-16 15:53 716,539 --a------ C:\Temp\HJTInstall.exe
2008-08-16 15:31 . 2006-04-25 08:01 704,520 --a------ C:\WINDOWS\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-16 13:50 . 2008-08-22 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-16 12:45 . 2008-08-16 16:28 15,083,520 --a------ C:\Temp\spybotsd160.exe
2008-08-16 12:17 . 2008-08-16 12:17 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Sunbelt Software
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-08-16 08:47 . 2008-08-16 08:47 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-08-16 08:45 . 2008-08-16 08:42 45,935,776 --a------ C:\Temp\counterspy.exe
2008-08-15 18:02 . 2008-08-15 18:02 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-16 15:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 18:01 . 2008-08-15 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-06 21:59 1,885,120 --a------ C:\Temp\mbam-setup.exe
2008-08-15 18:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-15 18:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-15 17:49 . 2008-08-15 19:14 <DIR> d-------- C:\Documents and Settings\Mike\.housecall6.6
2008-08-15 07:48 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-15 07:48 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 12:57 . 2008-08-14 12:57 <DIR> d-------- C:\Program Files\Safari
2008-08-12 11:30 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iPod
2008-08-12 11:29 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iTunes
2008-08-12 11:28 . 2008-08-12 11:28 <DIR> d-------- C:\Program Files\Bonjour
2008-08-12 11:22 . 2008-08-12 11:22 63,530,280 --a------ C:\Temp\iTunesSetup.exe
2008-08-04 22:46 . 2008-08-04 22:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-04 22:35 . 2008-08-04 22:35 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-04 22:02 . 2008-08-04 22:02 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-04 21:33 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-04 20:55 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-04 20:55 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-03 12:21 . 2008-08-03 12:21 2,108,504 --a------ C:\Temp\GPSMAP60CSx_370.exe
2008-08-03 12:13 . 2007-03-08 17:18 18,432 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2008-08-03 12:13 . 2006-02-20 11:25 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2008-08-03 12:13 . 2006-04-11 12:51 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2008-08-03 12:13 . 2006-07-11 12:50 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2008-08-03 12:13 . 2007-03-08 17:18 8,320 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2008-08-03 12:12 . 2008-08-03 21:28 <DIR> d-------- C:\Garmin
2008-07-29 11:10 . 2008-07-29 11:10 <DIR> d-------- C:\Program Files\Tech-Pro World Clock 2
2008-07-29 11:10 . 2008-02-04 02:10 237,776 --a------ C:\WINDOWS\system32\tpuninst.exe
2008-07-29 11:08 . 2008-07-29 11:08 2,428,088 --a------ C:\Temp\wc2setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-22 17:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\Skype
2008-08-22 17:01 --------- d-----w C:\Program Files\Java
2008-08-22 16:34 --------- d-----w C:\Documents and Settings\Mike\Application Data\D-Link Media Server
2008-08-22 16:13 --------- d-----w C:\Program Files\Azureus
2008-08-21 19:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-17 03:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-17 02:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-16 02:09 --------- d-----w C:\Documents and Settings\Mike\Application Data\dvdcss
2008-08-15 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaMall
2008-08-15 00:24 --------- d-----w C:\Documents and Settings\Mike\Application Data\Apple Computer
2008-08-14 19:57 --------- d-----w C:\Program Files\Apple Software Update
2008-08-14 15:55 --------- d-----w C:\Documents and Settings\Mike\Application Data\Azureus
2008-08-12 18:28 --------- d-----w C:\Program Files\QuickTime
2008-08-10 20:41 --------- d-----w C:\Program Files\Internet Radio Recorder
2008-08-06 23:20 --------- d-----w C:\Program Files\Google
2008-08-03 20:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 00:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\MediaServerDump
2008-07-21 03:16 --------- d-----w C:\Program Files\Picasa2
2008-07-21 02:59 --------- d-----w C:\Program Files\Sun
2008-07-08 02:58 --------- d-----w C:\Program Files\D-Link Media Server
2008-07-08 02:22 --------- d-----w C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 01:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-04-30 18:49 92,064 -c--a-w C:\Documents and Settings\Mike\mqdmmdm.sys
2008-04-30 18:49 9,232 -c--a-w C:\Documents and Settings\Mike\mqdmmdfl.sys
2008-04-30 18:49 79,328 -c--a-w C:\Documents and Settings\Mike\mqdmserd.sys
2008-04-30 18:49 66,656 -c--a-w C:\Documents and Settings\Mike\mqdmbus.sys
2008-04-30 18:49 6,208 -c--a-w C:\Documents and Settings\Mike\mqdmcmnt.sys
2008-04-30 18:49 5,936 -c--a-w C:\Documents and Settings\Mike\mqdmwhnt.sys
2008-04-30 18:49 4,048 -c--a-w C:\Documents and Settings\Mike\mqdmcr.sys
2008-04-30 18:49 25,600 -c--a-w C:\Documents and Settings\Mike\usbsermptxp.sys
2008-04-30 18:49 22,768 -c--a-w C:\Documents and Settings\Mike\usbsermpt.sys
2007-05-29 05:17 81,920 ----a-w C:\Documents and Settings\Mike\Application Data\ezpinst.exe
2007-05-29 05:17 47,360 ----a-w C:\Documents and Settings\Mike\Application Data\pcouffin.sys
2006-03-19 16:36 13,824 -c--a-w C:\Documents and Settings\Mike\atwbxdet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-21_12.25.29.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-21 19:18:21 225,097 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-08-22 18:00:06 225,098 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-06-10 08:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2006-08-03 21:56:49 49,248 ----a-w C:\WINDOWS\system32\java.exe
- 2008-06-10 08:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2006-08-03 21:56:49 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-06-10 09:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2006-08-03 21:56:49 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-08-21 19:10:16 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-22 18:04:04 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-21 19:10:17 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-22 18:04:04 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"USIUDF_Eject_Monitor"="C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-12-23 18:27 81920]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07 196608]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-03-30 16:45 10065392]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09 698864]
"SunJavaUpdateSched"="c:\program files\timingtool\jre\bin\jusched.exe" [2006-08-03 14:56 36975]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\Mike\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-21 17:13:51 113664]
D-Link Media Server.lnk - C:\Program Files\D-Link Media Server\MediaGUI.exe [2008-07-07 19:58:32 1523831]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-03-13 19:02:09 25214]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552]
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2006-02-22 15:47:44 94295]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytoosl"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wcnotify]
2007-08-09 17:16 14656 C:\WINDOWS\system32\WcNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MediaMall\\MediaMallServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-10-28 20:21]
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-08-16 12:17]
R1 BeTwinSystem;BeTwinSystem;C:\WINDOWS\system32\Drivers\BeTwinSystem.sys [2007-08-09 17:15]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2000-01-07 10:00]
R2 MediaMall Server;MediaMall Server;C:\Program Files\MediaMall\MediaMallServer.exe [2007-10-09 16:57]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-21 03:56]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NativeTS

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-22 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean\RegClean.exe [2007-03-30 16:45]

2008-08-22 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean [2007-04-18 22:17]

2008-08-22 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-02-21 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-08-21 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C34135C4-C5CE-440A-B981-1BFF8E5F71A9}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\xx0vemed.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 11:05:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
.
**************************************************************************
.
Completion time: 2008-08-22 11:07:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-22 18:07:52
ComboFix2.txt 2008-08-21 22:49:53
ComboFix3.txt 2008-08-21 21:26:04
ComboFix4.txt 2008-08-21 19:29:36

Pre-Run: 118,988,935,168 bytes free
Post-Run: 118,902,054,912 bytes free

437
-------------------------------------

HJT Log
---------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:28 AM, on 8/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Temp\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKLM\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: D-Link Media Server.lnk = C:\Program Files\D-Link Media Server\MediaGUI.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1217908534546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217908520187
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.30.180.135/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.provigent.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: wcnotify - C:\WINDOWS\SYSTEM32\wcnotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10183 bytes
------------------------------------

Uninstall list
------------------------------------

Abexo Registry Cleaner
Ad-Aware SE Personal
Adobe Acrobat 7.1.0 Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Stock Photos 1.0
Apple Mobile Device Support
Apple Software Update
Avanquest update
Avi2Dvd 0.4.3 beta
AviSynth 2.5
Bonjour
Calculator Powertoy for Windows XP
CCleaner (remove only)
C-Media High Definition Audio Driver
Combined Community Codec Pack 2007-07-22
Creative Jukebox Driver
D-Link Media Server 1.10
DVArchive V3.1
DVD Ripper 4
Filter Design 3.0
Garmin Trip and Waypoint Manager v4
Garmin WebUpdater
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
GrabIt 1.7.1 Beta (build 960)
GSplit 2.1
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
hp instant support
hp officejet g series
Image Resizer Powertoy for Windows XP
Internet Radio Recorder
iTunes
Java(TM) 6 Update 7
Logitech Harmony Remote Software V5
Logitech QuickCam Software
Logitech® Camera Driver
Malwarebytes' Anti-Malware
MapSource
MapSource - City Select
MapSource - North American City Select v5 Update
Mathcad 14
Mathcad 14 Help
Mathcad 14 Resource Center
MATLAB 6.5
MATLAB 7.0.4
MediaMall
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
MotoKit 1.06
Motorola Phone Tools
Motorola PST
Mozilla Firefox (2.0)
MSXML 4.0 SP2 (KB936181)
Nero OEM
NetBeans IDE 4.1
Nikon Scan
NI-Reports
NOMAD Explorer
NVIDIA Drivers
OpenOffice.org Installer 1.0
Picasa 2
PowerDVD
PowerQuest BootMagic 8.0
PowerQuest PartitionMagic 8.0
QuickPar 0.9
QuickTime
RealPlayer
RegClean 2.6
RegCure 1.5.0.0
Registry Mechanic 5.0
RSD_LITE_2_5
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Skype™ 3.5
SmartFTP Client
SmartFTP Client
SmartFTP Client 2.0 Setup Files (remove only)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Tech-Pro World Clock 2
TimingTool Editor
Ulead Data-Add 2.0
Ulead DVD MovieFactory 4.0 Disc Creator
Ulead DVD Player 2.0
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
UUDeview for Windows
VideoLAN VLC media player 0.8.1
Visual SlickEdit 7.0
VX-6 Programmer
WebEx
WIBU-KEY Setup (WIBU-KEY Remove)
WinAVIVideoConverter
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinZip 11.1
XviD MPEG-4 Video Codec
 
kasper

I downloaded Kaspersky trial version and installed without seeing the trojan loader getting started. (Kaspersky seems to be happy with CounterSpy running, but not Spybot 1.2)

running scan now. Will post logs in a few hours.
 
Kaspersky Report ready

I executed Kaspersky without ever opening Iexplore.

I have not executed any clean up of the detected items.
What to do next?
-----------------------------------------

Full Scan: completed 8/22/2008 2:30:59 PM (events: 190, objects: 722494, time: 02:32:48)
8/22/2008 11:58:10 AM Task started
8/22/2008 11:59:18 AM Detected: http://www.viruslist.com/en/advisories/28506 c:\program files\microsoft office\office11\excel.exe
8/22/2008 11:59:21 AM Detected: http://www.viruslist.com/en/advisories/29320 c:\program files\microsoft office\office11\outlook.exe
8/22/2008 11:59:33 AM Detected: http://www.viruslist.com/en/advisories/30143 c:\program files\microsoft office\office11\winword.exe
8/22/2008 12:00:39 PM Detected: http://www.viruslist.com/en/advisories/30761 c:\program files\mozilla firefox\firefox.exe
8/22/2008 12:01:08 PM Detected: http://www.viruslist.com/en/advisories/27361 c:\program files\real\realplayer\realplay.exe
8/22/2008 12:01:15 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\windows\java.exe
8/22/2008 12:02:38 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003961.exe
8/22/2008 12:02:38 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003961.exe Postponed
8/22/2008 12:02:39 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003963.exe
8/22/2008 12:02:39 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003963.exe Postponed
8/22/2008 12:02:39 PM Detected: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003955.sys
8/22/2008 12:02:39 PM Untreated: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003955.sys Postponed
8/22/2008 12:02:51 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004021.exe
8/22/2008 12:02:52 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004021.exe Postponed
8/22/2008 12:02:53 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004018.exe
8/22/2008 12:02:53 PM Untreated: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004018.exe Postponed
8/22/2008 12:02:57 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004034.exe
8/22/2008 12:02:57 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004034.exe Postponed
8/22/2008 12:02:58 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004016.exe
8/22/2008 12:02:58 PM Untreated: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004016.exe Postponed
8/22/2008 12:02:58 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004038.exe
8/22/2008 12:02:58 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004038.exe Postponed
8/22/2008 12:02:59 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004042.exe
8/22/2008 12:02:59 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004042.exe Postponed
8/22/2008 12:02:59 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004043.exe
8/22/2008 12:02:59 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004043.exe Postponed
8/22/2008 12:03:02 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004047.exe
8/22/2008 12:03:02 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004047.exe Postponed
8/22/2008 12:03:02 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004048.exe
8/22/2008 12:03:02 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004048.exe Postponed
8/22/2008 12:03:06 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004028.exe
8/22/2008 12:03:06 PM Untreated: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004028.exe Postponed
8/22/2008 12:03:06 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004052.exe
8/22/2008 12:03:06 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004052.exe Postponed
8/22/2008 12:03:07 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004060.exe
8/22/2008 12:03:07 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004060.exe Postponed
8/22/2008 12:03:08 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004045.exe
8/22/2008 12:03:08 PM Untreated: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004045.exe Postponed
8/22/2008 12:03:08 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004064.exe
8/22/2008 12:03:08 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004064.exe Postponed
8/22/2008 12:03:10 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004066.exe
8/22/2008 12:03:10 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004066.exe Postponed
8/22/2008 12:03:10 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004067.exe
8/22/2008 12:03:11 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004067.exe Postponed
8/22/2008 12:03:17 PM Detected: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004065.sys
8/22/2008 12:03:17 PM Untreated: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004065.sys Postponed
8/22/2008 12:03:18 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004072.exe
8/22/2008 12:03:18 PM Untreated: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004072.exe Postponed
8/22/2008 12:03:21 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004062.exe
8/22/2008 12:03:21 PM Untreated: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004062.exe Postponed
8/22/2008 12:08:46 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\Documents and Settings\All Users\Documents\Matlab 7\Matlab 1\java\jre\win32\jre\bin\eula.dll
8/22/2008 12:28:49 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\Documents and Settings\All Users\Documents\Software\matlab704\java\jre\win32\jre\bin\java.exe
8/22/2008 12:49:24 PM Detected: http://www.viruslist.com/en/advisories/25023 c:\program files\Adobe\Adobe Photoshop CS2\Plug-Ins\File Formats\BMP.8BI
8/22/2008 12:55:31 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Logitech\Harmony Remote\JRE\bin\eula.dll
8/22/2008 12:56:47 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\MATLAB704\sys\java\jre\win32\jre1.5.0\bin\java.exe
8/22/2008 1:04:26 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\MATLAB704\uninstall\java\jre\win32\jre\bin\java.exe
8/22/2008 1:04:47 PM Detected: http://www.viruslist.com/en/advisories/28506 c:\program files\microsoft office\office11\excel.exe
8/22/2008 1:04:52 PM Detected: http://www.viruslist.com/en/advisories/29320 c:\program files\microsoft office\office11\outlook.exe
8/22/2008 1:04:55 PM Detected: http://www.viruslist.com/en/advisories/30143 c:\program files\microsoft office\office11\winword.exe
8/22/2008 1:06:20 PM Detected: http://www.viruslist.com/en/advisories/30761 c:\program files\mozilla firefox\firefox.exe
8/22/2008 1:08:05 PM Detected: http://www.viruslist.com/en/advisories/27361 c:\program files\real\realplayer\realplay.exe
8/22/2008 1:09:15 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\TimingTool\jre\bin\java.exe
8/22/2008 1:09:56 PM Detected: http://www.viruslist.com/en/advisories/28083 c:\program files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead DMF Launcher 2.0\Flash.ocx
8/22/2008 1:11:28 PM Detected: http://www.viruslist.com/en/advisories/28083 c:\program files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Flash.ocx
8/22/2008 1:13:45 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\flec006.exe.vir
8/22/2008 1:13:45 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\flec006.exe.vir Postponed
8/22/2008 1:16:13 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\mdelk.exe.vir
8/22/2008 1:16:14 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\mdelk.exe.vir Postponed
8/22/2008 1:16:14 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\wintems.exe.vir
8/22/2008 1:16:14 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\wintems.exe.vir Postponed
8/22/2008 1:16:31 PM Detected: Trojan-Downloader.Win32.Bagle.vj c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\srosa.sys.vir
8/22/2008 1:16:31 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1331109.exe.vir
8/22/2008 1:16:31 PM Untreated: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1331109.exe.vir Postponed
8/22/2008 1:16:31 PM Untreated: Trojan-Downloader.Win32.Bagle.vj c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\srosa.sys.vir Postponed
8/22/2008 1:16:31 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1283890.exe.vir
8/22/2008 1:16:32 PM Untreated: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1283890.exe.vir Postponed
8/22/2008 1:16:32 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1382906.exe.vir
8/22/2008 1:16:32 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1382906.exe.vir Postponed
8/22/2008 1:16:36 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4180859.exe.vir
8/22/2008 1:16:36 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4180859.exe.vir Postponed
8/22/2008 1:16:37 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4269546.exe.vir
8/22/2008 1:16:37 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4269546.exe.vir Postponed
8/22/2008 1:16:38 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4337218.exe.vir
8/22/2008 1:16:39 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4337218.exe.vir Postponed
8/22/2008 1:16:39 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4339718.exe.vir
8/22/2008 1:16:39 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4339718.exe.vir Postponed
8/22/2008 1:16:40 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4375906.exe.vir
8/22/2008 1:16:41 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4375906.exe.vir Postponed
8/22/2008 1:16:41 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4381171.exe.vir
8/22/2008 1:16:42 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4381171.exe.vir Postponed
8/22/2008 1:16:43 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\3964390.exe.vir
8/22/2008 1:16:44 PM Untreated: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\3964390.exe.vir Postponed
8/22/2008 1:16:45 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4431593.exe.vir
8/22/2008 1:16:45 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4431593.exe.vir Postponed
8/22/2008 1:16:46 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4742078.exe.vir
8/22/2008 1:16:47 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4742078.exe.vir Postponed
8/22/2008 1:16:47 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4361921.exe.vir
8/22/2008 1:16:47 PM Untreated: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4361921.exe.vir Postponed
8/22/2008 1:16:48 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4784343.exe.vir
8/22/2008 1:16:49 PM Untreated: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4784343.exe.vir Postponed
8/22/2008 1:16:52 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4756078.exe.vir
8/22/2008 1:16:52 PM Untreated: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4756078.exe.vir Postponed
8/22/2008 1:17:16 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\windows\java.exe
8/22/2008 1:23:02 PM Detected: http://www.viruslist.com/en/advisories/25570 c:\windows\Downloaded Program Files\vete.dll
8/22/2008 1:36:22 PM Detected: http://www.viruslist.com/en/advisories/31010 G:\IEGD\IEGD_6_1_Gold\jre\bin\javaws.exe
8/22/2008 1:59:42 PM Detected: http://www.viruslist.com/en/advisories/31010 G:\Temp\matlab704\java\jre\win32\jre\bin\java.exe
8/22/2008 2:29:10 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\flec006.exe.vir
8/22/2008 2:30:25 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\flec006.exe.vir
8/22/2008 2:30:28 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1283890.exe.vir
8/22/2008 2:30:28 PM Deleted: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1283890.exe.vir
8/22/2008 2:30:30 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1331109.exe.vir
8/22/2008 2:30:30 PM Deleted: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1331109.exe.vir
8/22/2008 2:30:30 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1382906.exe.vir
8/22/2008 2:30:30 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\1382906.exe.vir
8/22/2008 2:30:32 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\3964390.exe.vir
8/22/2008 2:30:32 PM Deleted: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\3964390.exe.vir
8/22/2008 2:30:33 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4180859.exe.vir
8/22/2008 2:30:33 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4180859.exe.vir
8/22/2008 2:30:33 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4269546.exe.vir
8/22/2008 2:30:33 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4269546.exe.vir
8/22/2008 2:30:33 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4337218.exe.vir
8/22/2008 2:30:33 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4337218.exe.vir
8/22/2008 2:30:33 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4339718.exe.vir
8/22/2008 2:30:33 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4339718.exe.vir
8/22/2008 2:30:35 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4361921.exe.vir
8/22/2008 2:30:35 PM Deleted: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4361921.exe.vir
8/22/2008 2:30:36 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4375906.exe.vir
8/22/2008 2:30:36 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4375906.exe.vir
8/22/2008 2:30:36 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4381171.exe.vir
8/22/2008 2:30:36 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4381171.exe.vir
8/22/2008 2:30:36 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4431593.exe.vir
8/22/2008 2:30:36 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4431593.exe.vir
8/22/2008 2:30:36 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4742078.exe.vir
8/22/2008 2:30:36 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4742078.exe.vir
8/22/2008 2:30:38 PM Detected: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4756078.exe.vir
8/22/2008 2:30:38 PM Deleted: Email-Worm.Win32.Bagle.vr c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4756078.exe.vir
8/22/2008 2:30:39 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4784343.exe.vir
8/22/2008 2:30:39 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\4784343.exe.vir
8/22/2008 2:30:41 PM Detected: Trojan-Downloader.Win32.Bagle.vj c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\srosa.sys.vir
8/22/2008 2:30:41 PM Deleted: Trojan-Downloader.Win32.Bagle.vj c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\srosa.sys.vir
8/22/2008 2:30:41 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\mdelk.exe.vir
8/22/2008 2:30:41 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\mdelk.exe.vir
8/22/2008 2:30:41 PM Detected: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\wintems.exe.vir
8/22/2008 2:30:41 PM Deleted: Email-Worm.Win32.Bagle.of c:\QooBox\Quarantine\C\WINDOWS\system32\wintems.exe.vir
8/22/2008 2:30:43 PM Detected: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003955.sys
8/22/2008 2:30:43 PM Deleted: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003955.sys
8/22/2008 2:30:44 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003961.exe
8/22/2008 2:30:44 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003961.exe
8/22/2008 2:30:44 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003963.exe
8/22/2008 2:30:44 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003963.exe
8/22/2008 2:30:46 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004016.exe
8/22/2008 2:30:46 PM Deleted: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004016.exe
8/22/2008 2:30:48 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004018.exe
8/22/2008 2:30:48 PM Deleted: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004018.exe
8/22/2008 2:30:48 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004021.exe
8/22/2008 2:30:48 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004021.exe
8/22/2008 2:30:51 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004028.exe
8/22/2008 2:30:51 PM Deleted: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004028.exe
8/22/2008 2:30:51 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004034.exe
8/22/2008 2:30:51 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004034.exe
8/22/2008 2:30:51 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004038.exe
8/22/2008 2:30:51 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004038.exe
8/22/2008 2:30:51 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004042.exe
8/22/2008 2:30:51 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004042.exe
8/22/2008 2:30:51 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004043.exe
8/22/2008 2:30:51 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004043.exe
8/22/2008 2:30:53 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004045.exe
8/22/2008 2:30:53 PM Deleted: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004045.exe
8/22/2008 2:30:53 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004047.exe
8/22/2008 2:30:53 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004047.exe
8/22/2008 2:30:54 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004048.exe
8/22/2008 2:30:54 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004048.exe
8/22/2008 2:30:54 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004052.exe
8/22/2008 2:30:54 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004052.exe
8/22/2008 2:30:54 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004060.exe
8/22/2008 2:30:54 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004060.exe
8/22/2008 2:30:56 PM Detected: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004062.exe
8/22/2008 2:30:56 PM Deleted: Email-Worm.Win32.Bagle.vr c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004062.exe
8/22/2008 2:30:56 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004064.exe
8/22/2008 2:30:56 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004064.exe
8/22/2008 2:30:58 PM Detected: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004065.sys
8/22/2008 2:30:58 PM Deleted: Trojan-Downloader.Win32.Bagle.vj c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004065.sys
8/22/2008 2:30:58 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004066.exe
8/22/2008 2:30:59 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004066.exe
8/22/2008 2:30:59 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004067.exe
8/22/2008 2:30:59 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004067.exe
8/22/2008 2:30:59 PM Detected: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004072.exe
8/22/2008 2:30:59 PM Deleted: Email-Worm.Win32.Bagle.of c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004072.exe
8/22/2008 2:30:59 PM Task completed
 
Another pass - new logs

While waiting around I decided to try to download the backup disk from Kaspersky. This launched IEXPLORER and the trojan started up again.

So I re-ran CF, Kaspersky and HJT. New logs follow.

I don't see what it is that is connected to IEXPLORER that is getting activated.

-------------------
CF Log
-------------------
ComboFix 08-08-21.02 - Mike 2008-08-22 16:58:13.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.627 [GMT -7:00]
Running from: C:\Documents and Settings\Mike\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\mdelk.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-22 11:50 . 2008-08-22 17:35 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-22 11:50 . 2008-08-22 11:50 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-22 11:49 . 2008-08-22 11:49 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-22 11:49 . 2008-08-22 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-22 11:49 . 2008-08-22 17:27 7,526,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-22 11:49 . 2008-08-22 19:04 270,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-22 11:49 . 2008-08-22 17:27 60,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-22 11:49 . 2008-08-22 19:04 2,004 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-22 11:46 . 2008-08-22 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-22 11:46 . 2008-08-22 11:44 33,138,928 --a------ C:\Temp\kav8.0.0.454en.exe
2008-08-22 11:15 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-22 11:14 . 2008-08-22 11:14 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-22 11:13 . 2008-08-22 10:58 15,984,024 --a------ C:\Temp\jre-6u7-windows-i586-p-s.exe
2008-08-22 09:37 . 2008-08-22 11:30 <DIR> d-------- C:\Temp\backups
2008-08-16 19:03 . 2008-08-16 19:03 231,999 --a------ C:\Temp\Beagled.exe
2008-08-16 18:54 . 2008-08-16 18:58 <DIR> d-------- C:\ComboFix
2008-08-16 18:02 . 2008-08-16 18:16 250 --a------ C:\WINDOWS\gmer.ini
2008-08-16 18:01 . 2008-08-16 18:01 747,873 --a------ C:\Temp\gmer.zip
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-08-16 15:53 . 2008-08-16 15:53 401,720 --a------ C:\Temp\HiJackThis.exe
2008-08-16 15:52 . 2008-08-16 15:53 716,539 --a------ C:\Temp\HJTInstall.exe
2008-08-16 15:31 . 2006-04-25 08:01 704,520 --a------ C:\WINDOWS\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-16 13:50 . 2008-08-22 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-16 12:45 . 2008-08-16 16:28 15,083,520 --a------ C:\Temp\spybotsd160.exe
2008-08-16 12:17 . 2008-08-16 12:17 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Sunbelt Software
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-08-16 08:47 . 2008-08-16 08:47 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-08-16 08:45 . 2008-08-16 08:42 45,935,776 --a------ C:\Temp\counterspy.exe
2008-08-15 18:02 . 2008-08-15 18:02 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-16 15:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 18:01 . 2008-08-15 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-06 21:59 1,885,120 --a------ C:\Temp\mbam-setup.exe
2008-08-15 18:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-15 18:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-15 17:49 . 2008-08-15 19:14 <DIR> d-------- C:\Documents and Settings\Mike\.housecall6.6
2008-08-15 07:48 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-15 07:48 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 12:57 . 2008-08-14 12:57 <DIR> d-------- C:\Program Files\Safari
2008-08-12 11:30 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iPod
2008-08-12 11:29 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iTunes
2008-08-12 11:28 . 2008-08-12 11:28 <DIR> d-------- C:\Program Files\Bonjour
2008-08-12 11:22 . 2008-08-12 11:22 63,530,280 --a------ C:\Temp\iTunesSetup.exe
2008-08-04 22:46 . 2008-08-04 22:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-04 22:35 . 2008-08-04 22:35 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-04 22:02 . 2008-08-04 22:02 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-04 21:33 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-04 20:55 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-04 20:55 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-03 12:21 . 2008-08-03 12:21 2,108,504 --a------ C:\Temp\GPSMAP60CSx_370.exe
2008-08-03 12:13 . 2007-03-08 17:18 18,432 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2008-08-03 12:13 . 2006-02-20 11:25 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2008-08-03 12:13 . 2006-04-11 12:51 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2008-08-03 12:13 . 2006-07-11 12:50 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2008-08-03 12:13 . 2007-03-08 17:18 8,320 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2008-08-03 12:12 . 2008-08-03 21:28 <DIR> d-------- C:\Garmin
2008-07-29 20:21 . 2008-07-29 20:21 218,376 --a------ C:\WINDOWS\system32\klogon.dll
2008-07-29 20:20 . 2008-07-29 20:20 24,774 --a------ C:\WINDOWS\system32\drivers\klopp.dat
2008-07-29 11:10 . 2008-07-29 11:10 <DIR> d-------- C:\Program Files\Tech-Pro World Clock 2
2008-07-29 11:10 . 2008-02-04 02:10 237,776 --a------ C:\WINDOWS\system32\tpuninst.exe
2008-07-29 11:08 . 2008-07-29 11:08 2,428,088 --a------ C:\Temp\wc2setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 02:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\Skype
2008-08-23 02:04 --------- d-----w C:\Documents and Settings\Mike\Application Data\D-Link Media Server
2008-08-22 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-22 18:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-22 18:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-22 18:15 --------- d-----w C:\Program Files\Java
2008-08-22 16:13 --------- d-----w C:\Program Files\Azureus
2008-08-16 02:09 --------- d-----w C:\Documents and Settings\Mike\Application Data\dvdcss
2008-08-15 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaMall
2008-08-15 00:24 --------- d-----w C:\Documents and Settings\Mike\Application Data\Apple Computer
2008-08-14 19:57 --------- d-----w C:\Program Files\Apple Software Update
2008-08-14 15:55 --------- d-----w C:\Documents and Settings\Mike\Application Data\Azureus
2008-08-12 18:28 --------- d-----w C:\Program Files\QuickTime
2008-08-10 20:41 --------- d-----w C:\Program Files\Internet Radio Recorder
2008-08-06 23:20 --------- d-----w C:\Program Files\Google
2008-08-03 20:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 00:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\MediaServerDump
2008-07-22 01:34 121,872 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-21 03:16 --------- d-----w C:\Program Files\Picasa2
2008-07-21 02:59 --------- d-----w C:\Program Files\Sun
2008-07-08 02:58 --------- d-----w C:\Program Files\D-Link Media Server
2008-07-08 02:22 --------- d-----w C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 01:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-04-30 18:49 92,064 -c--a-w C:\Documents and Settings\Mike\mqdmmdm.sys
2008-04-30 18:49 9,232 -c--a-w C:\Documents and Settings\Mike\mqdmmdfl.sys
2008-04-30 18:49 79,328 -c--a-w C:\Documents and Settings\Mike\mqdmserd.sys
2008-04-30 18:49 66,656 -c--a-w C:\Documents and Settings\Mike\mqdmbus.sys
2008-04-30 18:49 6,208 -c--a-w C:\Documents and Settings\Mike\mqdmcmnt.sys
2008-04-30 18:49 5,936 -c--a-w C:\Documents and Settings\Mike\mqdmwhnt.sys
2008-04-30 18:49 4,048 -c--a-w C:\Documents and Settings\Mike\mqdmcr.sys
2008-04-30 18:49 25,600 -c--a-w C:\Documents and Settings\Mike\usbsermptxp.sys
2008-04-30 18:49 22,768 -c--a-w C:\Documents and Settings\Mike\usbsermpt.sys
2007-05-29 05:17 81,920 ----a-w C:\Documents and Settings\Mike\Application Data\ezpinst.exe
2007-05-29 05:17 47,360 ----a-w C:\Documents and Settings\Mike\Application Data\pcouffin.sys
2006-03-19 16:36 13,824 -c--a-w C:\Documents and Settings\Mike\atwbxdet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-21_12.25.29.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-05 05:12:58 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-23 00:30:05 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-05 05:12:58 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-23 00:30:05 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-21 19:18:12 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-23 00:29:53 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-30 01:29:38 32,784 ----a-w C:\WINDOWS\system32\drivers\klbg.sys
+ 2008-08-22 18:48:55 213,008 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2008-05-01 01:06:48 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
- 2008-08-21 19:18:21 225,097 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-08-23 00:29:58 225,103 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-08-21 19:10:16 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-23 00:34:07 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-21 19:10:17 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-23 00:34:07 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07 196608]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-03-30 16:45 10065392]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09 698864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 20:20 206088]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\Mike\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-21 17:13:51 113664]
D-Link Media Server.lnk - C:\Program Files\D-Link Media Server\MediaGUI.exe [2008-07-07 19:58:32 1523831]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-03-13 19:02:09 25214]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552]
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2006-02-22 15:47:44 94295]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytoosl"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wcnotify]
2007-08-09 17:16 14656 C:\WINDOWS\system32\WcNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MediaMall\\MediaMallServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-10-28 20:21]
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-08-16 12:17]
R1 BeTwinSystem;BeTwinSystem;C:\WINDOWS\system32\Drivers\BeTwinSystem.sys [2007-08-09 17:15]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2000-01-07 10:00]
R2 MediaMall Server;MediaMall Server;C:\Program Files\MediaMall\MediaMallServer.exe [2007-10-09 16:57]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-21 03:56]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 18:06]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NativeTS

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder

2008-08-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-23 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean\RegClean.exe [2007-03-30 16:45]

2008-08-23 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean [2007-04-18 22:17]

2008-08-23 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-02-21 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-08-23 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C34135C4-C5CE-440A-B981-1BFF8E5F71A9}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\xx0vemed.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 19:04:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2008-08-22 19:17:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-23 02:16:59
ComboFix2.txt 2008-08-22 18:07:58
ComboFix3.txt 2008-08-21 22:49:53
ComboFix4.txt 2008-08-21 21:26:04
ComboFix5.txt 2008-08-22 23:55:52

Pre-Run: 118,557,425,664 bytes free
Post-Run: 118,497,886,208 bytes free

280
 
Another pass - new logs

While waiting around I decided to try to download the recovery disk from Kaspersky. This process activated IEXPLORER and the Trojan started up again.

I reran CF, Kaspersky, and HJT. Logs follow.

I don't see what it is that is connected to IEXPLORER that is getting activated each time. It is not being removed by any of the cleaners.

----------------------------
CF log
---------------------------

ComboFix 08-08-21.02 - Mike 2008-08-22 16:58:13.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.627 [GMT -7:00]
Running from: C:\Documents and Settings\Mike\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\mdelk.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-22 11:50 . 2008-08-22 17:35 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-22 11:50 . 2008-08-22 11:50 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-22 11:49 . 2008-08-22 11:49 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-22 11:49 . 2008-08-22 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-22 11:49 . 2008-08-22 17:27 7,526,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-22 11:49 . 2008-08-22 19:04 270,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-22 11:49 . 2008-08-22 17:27 60,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-22 11:49 . 2008-08-22 19:04 2,004 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-22 11:46 . 2008-08-22 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-22 11:46 . 2008-08-22 11:44 33,138,928 --a------ C:\Temp\kav8.0.0.454en.exe
2008-08-22 11:15 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-22 11:14 . 2008-08-22 11:14 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-22 11:13 . 2008-08-22 10:58 15,984,024 --a------ C:\Temp\jre-6u7-windows-i586-p-s.exe
2008-08-22 09:37 . 2008-08-22 11:30 <DIR> d-------- C:\Temp\backups
2008-08-16 19:03 . 2008-08-16 19:03 231,999 --a------ C:\Temp\Beagled.exe
2008-08-16 18:54 . 2008-08-16 18:58 <DIR> d-------- C:\ComboFix
2008-08-16 18:02 . 2008-08-16 18:16 250 --a------ C:\WINDOWS\gmer.ini
2008-08-16 18:01 . 2008-08-16 18:01 747,873 --a------ C:\Temp\gmer.zip
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-08-16 17:54 . 2008-08-16 17:54 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-08-16 15:53 . 2008-08-16 15:53 401,720 --a------ C:\Temp\HiJackThis.exe
2008-08-16 15:52 . 2008-08-16 15:53 716,539 --a------ C:\Temp\HJTInstall.exe
2008-08-16 15:31 . 2006-04-25 08:01 704,520 --a------ C:\WINDOWS\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-16 13:50 . 2008-08-22 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-16 12:45 . 2008-08-16 16:28 15,083,520 --a------ C:\Temp\spybotsd160.exe
2008-08-16 12:17 . 2008-08-16 12:17 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Sunbelt Software
2008-08-16 08:48 . 2008-08-16 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-08-16 08:47 . 2008-08-16 08:47 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-08-16 08:45 . 2008-08-16 08:42 45,935,776 --a------ C:\Temp\counterspy.exe
2008-08-15 18:02 . 2008-08-15 18:02 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-16 15:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 18:01 . 2008-08-15 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-15 18:01 . 2008-08-06 21:59 1,885,120 --a------ C:\Temp\mbam-setup.exe
2008-08-15 18:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-15 18:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-15 17:49 . 2008-08-15 19:14 <DIR> d-------- C:\Documents and Settings\Mike\.housecall6.6
2008-08-15 07:48 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-15 07:48 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 12:57 . 2008-08-14 12:57 <DIR> d-------- C:\Program Files\Safari
2008-08-12 11:30 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iPod
2008-08-12 11:29 . 2008-08-12 11:30 <DIR> d-------- C:\Program Files\iTunes
2008-08-12 11:28 . 2008-08-12 11:28 <DIR> d-------- C:\Program Files\Bonjour
2008-08-12 11:22 . 2008-08-12 11:22 63,530,280 --a------ C:\Temp\iTunesSetup.exe
2008-08-04 22:46 . 2008-08-04 22:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-04 22:35 . 2008-08-04 22:35 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-04 22:04 . 2008-08-04 22:04 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-04 22:02 . 2008-08-04 22:02 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-04 21:33 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-04 20:55 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-04 20:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-04 20:55 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-03 12:21 . 2008-08-03 12:21 2,108,504 --a------ C:\Temp\GPSMAP60CSx_370.exe
2008-08-03 12:13 . 2007-03-08 17:18 18,432 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2008-08-03 12:13 . 2006-02-20 11:25 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2008-08-03 12:13 . 2006-04-11 12:51 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2008-08-03 12:13 . 2006-07-11 12:50 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2008-08-03 12:13 . 2007-03-08 17:18 8,320 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2008-08-03 12:12 . 2008-08-03 21:28 <DIR> d-------- C:\Garmin
2008-07-29 20:21 . 2008-07-29 20:21 218,376 --a------ C:\WINDOWS\system32\klogon.dll
2008-07-29 20:20 . 2008-07-29 20:20 24,774 --a------ C:\WINDOWS\system32\drivers\klopp.dat
2008-07-29 11:10 . 2008-07-29 11:10 <DIR> d-------- C:\Program Files\Tech-Pro World Clock 2
2008-07-29 11:10 . 2008-02-04 02:10 237,776 --a------ C:\WINDOWS\system32\tpuninst.exe
2008-07-29 11:08 . 2008-07-29 11:08 2,428,088 --a------ C:\Temp\wc2setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 02:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\Skype
2008-08-23 02:04 --------- d-----w C:\Documents and Settings\Mike\Application Data\D-Link Media Server
2008-08-22 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-22 18:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-22 18:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-22 18:15 --------- d-----w C:\Program Files\Java
2008-08-22 16:13 --------- d-----w C:\Program Files\Azureus
2008-08-16 02:09 --------- d-----w C:\Documents and Settings\Mike\Application Data\dvdcss
2008-08-15 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaMall
2008-08-15 00:24 --------- d-----w C:\Documents and Settings\Mike\Application Data\Apple Computer
2008-08-14 19:57 --------- d-----w C:\Program Files\Apple Software Update
2008-08-14 15:55 --------- d-----w C:\Documents and Settings\Mike\Application Data\Azureus
2008-08-12 18:28 --------- d-----w C:\Program Files\QuickTime
2008-08-10 20:41 --------- d-----w C:\Program Files\Internet Radio Recorder
2008-08-06 23:20 --------- d-----w C:\Program Files\Google
2008-08-03 20:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 00:05 --------- d-----w C:\Documents and Settings\Mike\Application Data\MediaServerDump
2008-07-22 01:34 121,872 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-21 03:16 --------- d-----w C:\Program Files\Picasa2
2008-07-21 02:59 --------- d-----w C:\Program Files\Sun
2008-07-08 02:58 --------- d-----w C:\Program Files\D-Link Media Server
2008-07-08 02:22 --------- d-----w C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 01:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-04-30 18:49 92,064 -c--a-w C:\Documents and Settings\Mike\mqdmmdm.sys
2008-04-30 18:49 9,232 -c--a-w C:\Documents and Settings\Mike\mqdmmdfl.sys
2008-04-30 18:49 79,328 -c--a-w C:\Documents and Settings\Mike\mqdmserd.sys
2008-04-30 18:49 66,656 -c--a-w C:\Documents and Settings\Mike\mqdmbus.sys
2008-04-30 18:49 6,208 -c--a-w C:\Documents and Settings\Mike\mqdmcmnt.sys
2008-04-30 18:49 5,936 -c--a-w C:\Documents and Settings\Mike\mqdmwhnt.sys
2008-04-30 18:49 4,048 -c--a-w C:\Documents and Settings\Mike\mqdmcr.sys
2008-04-30 18:49 25,600 -c--a-w C:\Documents and Settings\Mike\usbsermptxp.sys
2008-04-30 18:49 22,768 -c--a-w C:\Documents and Settings\Mike\usbsermpt.sys
2007-05-29 05:17 81,920 ----a-w C:\Documents and Settings\Mike\Application Data\ezpinst.exe
2007-05-29 05:17 47,360 ----a-w C:\Documents and Settings\Mike\Application Data\pcouffin.sys
2006-03-19 16:36 13,824 -c--a-w C:\Documents and Settings\Mike\atwbxdet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-21_12.25.29.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-05 05:12:58 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-23 00:30:05 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-05 05:12:58 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-23 00:30:05 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-21 19:18:12 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-23 00:29:53 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-30 01:29:38 32,784 ----a-w C:\WINDOWS\system32\drivers\klbg.sys
+ 2008-08-22 18:48:55 213,008 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2008-05-01 01:06:48 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
- 2008-08-21 19:18:21 225,097 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-08-23 00:29:58 225,103 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-08-21 19:10:16 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-23 00:34:07 76,266 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-21 19:10:17 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-23 00:34:07 443,916 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07 196608]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-03-30 16:45 10065392]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09 698864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 20:20 206088]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\Mike\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-21 17:13:51 113664]
D-Link Media Server.lnk - C:\Program Files\D-Link Media Server\MediaGUI.exe [2008-07-07 19:58:32 1523831]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-03-13 19:02:09 25214]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552]
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2006-02-22 15:47:44 94295]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytoosl"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wcnotify]
2007-08-09 17:16 14656 C:\WINDOWS\system32\WcNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MediaMall\\MediaMallServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-10-28 20:21]
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-08-16 12:17]
R1 BeTwinSystem;BeTwinSystem;C:\WINDOWS\system32\Drivers\BeTwinSystem.sys [2007-08-09 17:15]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2000-01-07 10:00]
R2 MediaMall Server;MediaMall Server;C:\Program Files\MediaMall\MediaMallServer.exe [2007-10-09 16:57]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-21 03:56]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 18:06]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NativeTS

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder

2008-08-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-23 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean\RegClean.exe [2007-03-30 16:45]

2008-08-23 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean [2007-04-18 22:17]

2008-08-23 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-02-21 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-08-23 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C34135C4-C5CE-440A-B981-1BFF8E5F71A9}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\xx0vemed.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 19:04:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2008-08-22 19:17:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-23 02:16:59
ComboFix2.txt 2008-08-22 18:07:58
ComboFix3.txt 2008-08-21 22:49:53
ComboFix4.txt 2008-08-21 21:26:04
ComboFix5.txt 2008-08-22 23:55:52

Pre-Run: 118,557,425,664 bytes free
Post-Run: 118,497,886,208 bytes free

280
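The "Reg Loading Points" section of the ComboFix log above is where a practitioner would look first for defenses that have been switched off: the Windows Firewall standard profile shows "EnableFirewall"= 0, Security Center has both AntiVirusDisableNotify and UpdatesDisableNotify set to 1, and 3389:TCP (Remote Desktop) is globally opened in the firewall. Whoever or whatever set them, those values leave the host less defended than a stock XP SP3 install and should be reverted once the infection is cleaned. The script below is an added example, not part of the original post and not ComboFix's own code: it parses those registry-style lines (the sample is a constructed copy of the lines from the log above, not a live system) and flags the weakened settings. The section names are matched in the abbreviated form ComboFix prints them, which is an assumption about the log layout rather than a documented format.

```python
import re

# Constructed sample: the relevant "Reg Loading Points" lines copied from the
# ComboFix log above. This is test input, not read from a live registry.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")           # [HKLM\...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')    # "Name"= value


def parse_reg_loading_points(text):
    """Return {section_key_lowercased: {value_name: raw_value_string}}.

    Keys are lowercased so lookups do not depend on how ComboFix cased them.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def to_int(raw):
    """Decode the two value encodings seen in the log: 'dword:00000001' and '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def find_weakened_defenses(text):
    """Flag registry state that leaves the host less defended than XP SP3 defaults."""
    s = parse_reg_loading_points(text)
    findings = []

    # Security Center: a 1 here silences the balloon that would tell the user
    # that AV, updates or the firewall are off.
    sc = s.get(r"hkey_local_machine\software\microsoft\security center", {})
    for name in ("AntiVirusDisableNotify", "UpdatesDisableNotify", "FirewallDisableNotify"):
        if to_int(sc.get(name, "0")) == 1:
            findings.append(f"Security Center alert suppressed: {name}")

    # Windows Firewall, standard profile (the abbreviated key is how ComboFix prints it).
    fw_key = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
    fw = s.get(fw_key, {})
    if "EnableFirewall" in fw and to_int(fw["EnableFirewall"]) == 0:
        findings.append("Windows Firewall disabled (standard profile)")

    # Every entry under GloballyOpenPorts is reachable from any remote host.
    for port in s.get(fw_key + r"\globallyopenports\list", {}):
        findings.append(f"Firewall port open to all: {port}")

    return findings


if __name__ == "__main__":
    for finding in find_weakened_defenses(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the firewall being off, the open 3389/TCP port and the two suppressed Security Center alerts; the DisableMonitoring key under Monitoring\KasperskyAntiVirus is deliberately not flagged, because a third-party AV sets that for its own product so Security Center does not double-report. Anything the script flags should be re-checked after cleanup, since malware that switches these off is rarely polite enough to switch them back on.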
 
Kaspersky log part 1

Details of the first scan have been deleted from the log to save space. I don't know why it puts the second report in reverse order; this is the end chronologically.
----------------------------------------
2008-08-22 21:57 Task completed
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Yes_AntiVirus-Tool_Netsky-P_3.0.zip.vir/Yes_AntiVirus-Tool_Netsky-P_3.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Yes_AntiVirus-Tool_Netsky-P_3.0.zip.vir/Yes_AntiVirus-Tool_Netsky-P_3.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Xteq_URL_Bandit_1.2.zip.vir/Xteq_URL_Bandit_1.2.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Xteq_URL_Bandit_1.2.zip.vir/Xteq_URL_Bandit_1.2.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\XLPoints_Plus_1.3_(With_Crack).zip.vir/XLPoints_Plus_1.3_(With_Crack).exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\XLPoints_Plus_1.3_(With_Crack).zip.vir/XLPoints_Plus_1.3_(With_Crack).exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Xceed_Chart_for_ASP.NET_3.0.zip.vir/Xceed_Chart_for_ASP.NET_3.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Xceed_Chart_for_ASP.NET_3.0.zip.vir/Xceed_Chart_for_ASP.NET_3.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Wwhois_2.1.zip.vir/Wwhois_2.1.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Wwhois_2.1.zip.vir/Wwhois_2.1.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Word_Blaster_3.5.zip.vir/Word_Blaster_3.5.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Word_Blaster_3.5.zip.vir/Word_Blaster_3.5.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Woize_2.5.0.32959.zip.vir/Woize_2.5.0.32959.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Woize_2.5.0.32959.zip.vir/Woize_2.5.0.32959.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Windows_&_Internet_Cleaner_Pro_3.22_(Patch).zip.vir/Windows_&_Internet_Cleaner_Pro_3.22_(Patch).exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Windows_&_Internet_Cleaner_Pro_3.22_(Patch).zip.vir/Windows_&_Internet_Cleaner_Pro_3.22_(Patch).exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Web_Log_Explorer_3.31_Crack.zip.vir/Web_Log_Explorer_3.31_Crack.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Web_Log_Explorer_3.31_Crack.zip.vir/Web_Log_Explorer_3.31_Crack.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Virtual_Hypnotist_5.551.zip.vir/Virtual_Hypnotist_5.551.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Virtual_Hypnotist_5.551.zip.vir/Virtual_Hypnotist_5.551.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\VideoShotMaker_1.00.zip.vir/VideoShotMaker_1.00.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\VideoShotMaker_1.00.zip.vir/VideoShotMaker_1.00.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Video_Matrix_Screensaver_1.0.zip.vir/Video_Matrix_Screensaver_1.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Video_Matrix_Screensaver_1.0.zip.vir/Video_Matrix_Screensaver_1.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\US_meteo_by_sat_1.1.zip.vir/US_meteo_by_sat_1.1.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\US_meteo_by_sat_1.1.zip.vir/US_meteo_by_sat_1.1.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2004_Judge_Judy_Voice_Pack.zip.vir/Unreal_Tournament_2004_Judge_Judy_Voice_Pack.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2004_Judge_Judy_Voice_Pack.zip.vir/Unreal_Tournament_2004_Judge_Judy_Voice_Pack.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2003_-_Vertical_deathmatch_map.zip.vir/Unreal_Tournament_2003_-_Vertical_deathmatch_map.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Unreal_Tournament_2003_-_Vertical_deathmatch_map.zip.vir/Unreal_Tournament_2003_-_Vertical_deathmatch_map.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\TIFF_To_PDF_ActiveX_Component_2.0.2007.718_KeyGen.zip.vir/TIFF_To_PDF_ActiveX_Component_2.0.2007.718_KeyGen.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\TIFF_To_PDF_ActiveX_Component_2.0.2007.718_KeyGen.zip.vir/TIFF_To_PDF_ActiveX_Component_2.0.2007.718_KeyGen.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ThePlayground_1.0.zip.vir/ThePlayground_1.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ThePlayground_1.0.zip.vir/ThePlayground_1.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\The_Quiz_Press_1.8_Crack.zip.vir/The_Quiz_Press_1.8_Crack.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\The_Quiz_Press_1.8_Crack.zip.vir/The_Quiz_Press_1.8_Crack.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Text_Mnemonic_Generator_3.4.zip.vir/Text_Mnemonic_Generator_3.4.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Text_Mnemonic_Generator_3.4.zip.vir/Text_Mnemonic_Generator_3.4.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Tele-Cap_Professional_3.0.1.zip.vir/Tele-Cap_Professional_3.0.1.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Tele-Cap_Professional_3.0.1.zip.vir/Tele-Cap_Professional_3.0.1.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SunGlance_1.0_Serial.zip.vir/SunGlance_1.0_Serial.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SunGlance_1.0_Serial.zip.vir/SunGlance_1.0_Serial.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\StormWarn_1.2.zip.vir/StormWarn_1.2.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\StormWarn_1.2.zip.vir/StormWarn_1.2.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SQLWays_3.9.zip.vir/SQLWays_3.9.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SQLWays_3.9.zip.vir/SQLWays_3.9.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SpyCatcher_Express_2006_4.4.6.zip.vir/SpyCatcher_Express_2006_4.4.6.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SpyCatcher_Express_2006_4.4.6.zip.vir/SpyCatcher_Express_2006_4.4.6.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SpaceMan_99_3.1.zip.vir/SpaceMan_99_3.1.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SpaceMan_99_3.1.zip.vir/SpaceMan_99_3.1.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Source_Explorer_VS.NET_2003_plugin_1.0.zip.vir/Source_Explorer_VS.NET_2003_plugin_1.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Source_Explorer_VS.NET_2003_plugin_1.0.zip.vir/Source_Explorer_VS.NET_2003_plugin_1.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Snail_Mail_1.0.zip.vir/Snail_Mail_1.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Snail_Mail_1.0.zip.vir/Snail_Mail_1.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ShowFont_-_Windows_Font_Lister_1.12.zip.vir/ShowFont_-_Windows_Font_Lister_1.12.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ShowFont_-_Windows_Font_Lister_1.12.zip.vir/ShowFont_-_Windows_Font_Lister_1.12.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Shadow_Professional_2.7_(Crack).zip.vir/Shadow_Professional_2.7_(Crack).exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Shadow_Professional_2.7_(Crack).zip.vir/Shadow_Professional_2.7_(Crack).exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SGadget_1.2_Cracked.zip.vir/SGadget_1.2_Cracked.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\SGadget_1.2_Cracked.zip.vir/SGadget_1.2_Cracked.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Serial_Port_Monitor_3.zip.vir/Serial_Port_Monitor_3.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Serial_Port_Monitor_3.zip.vir/Serial_Port_Monitor_3.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Sea_Bounty_1.1.zip.vir/Sea_Bounty_1.1.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Sea_Bounty_1.1.zip.vir/Sea_Bounty_1.1.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Robot_Shut_Down_5.0.zip.vir/Robot_Shut_Down_5.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Robot_Shut_Down_5.0.zip.vir/Robot_Shut_Down_5.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Rmvb_Rm_Fix_Repair_Joiner_3.23_Cracked.zip.vir/Rmvb_Rm_Fix_Repair_Joiner_3.23_Cracked.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Rmvb_Rm_Fix_Repair_Joiner_3.23_Cracked.zip.vir/Rmvb_Rm_Fix_Repair_Joiner_3.23_Cracked.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ProTarot_Reader_2.0.58_(Patch).zip.vir/ProTarot_Reader_2.0.58_(Patch).exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ProTarot_Reader_2.0.58_(Patch).zip.vir/ProTarot_Reader_2.0.58_(Patch).exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PrintPictures_1.0.zip.vir/PrintPictures_1.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PrintPictures_1.0.zip.vir/PrintPictures_1.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PlugAdmin_Windows_1.0_Crack.zip.vir/PlugAdmin_Windows_1.0_Crack.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PlugAdmin_Windows_1.0_Crack.zip.vir/PlugAdmin_Windows_1.0_Crack.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Playtonium_Jigsaw_Patterns_in_Nature_1.0.zip.vir/Playtonium_Jigsaw_Patterns_in_Nature_1.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Playtonium_Jigsaw_Patterns_in_Nature_1.0.zip.vir/Playtonium_Jigsaw_Patterns_in_Nature_1.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PHPRunner_4.0_Build_265.zip.vir/PHPRunner_4.0_Build_265.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PHPRunner_4.0_Build_265.zip.vir/PHPRunner_4.0_Build_265.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PhotoLine_32_12.02.zip.vir/PhotoLine_32_12.02.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PhotoLine_32_12.02.zip.vir/PhotoLine_32_12.02.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PhotoElf_4.0.18_[With_Crack].zip.vir/PhotoElf_4.0.18_[With_Crack].exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PhotoElf_4.0.18_[With_Crack].zip.vir/PhotoElf_4.0.18_[With_Crack].exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PDB_Creator_Pro_1.0.2.zip.vir/PDB_Creator_Pro_1.0.2.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PDB_Creator_Pro_1.0.2.zip.vir/PDB_Creator_Pro_1.0.2.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PC_Recent_1.1.0_Key.zip.vir/PC_Recent_1.1.0_Key.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\PC_Recent_1.1.0_Key.zip.vir/PC_Recent_1.1.0_Key.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Patterns_of_Nature_Screensaver_2.0.zip.vir/Patterns_of_Nature_Screensaver_2.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Patterns_of_Nature_Screensaver_2.0.zip.vir/Patterns_of_Nature_Screensaver_2.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Password_Recovery_Software_2.1.zip.vir/Password_Recovery_Software_2.1.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Password_Recovery_Software_2.1.zip.vir/Password_Recovery_Software_2.1.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Panzer_Elite_Action_Fields_of_Glory_multiplayer_demo.zip.vir/Panzer_Elite_Action_Fields_of_Glory_multiplayer_demo.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Panzer_Elite_Action_Fields_of_Glory_multiplayer_demo.zip.vir/Panzer_Elite_Action_Fields_of_Glory_multiplayer_demo.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Paintball_Office_Pro_2.0.zip.vir/Paintball_Office_Pro_2.0.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Paintball_Office_Pro_2.0.zip.vir/Paintball_Office_Pro_2.0.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\OutlookFIX_Repair_and_Undelete_2.09_[Serial].zip.vir/OutlookFIX_Repair_and_Undelete_2.09_[Serial].exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\OutlookFIX_Repair_and_Undelete_2.09_[Serial].zip.vir/OutlookFIX_Repair_and_Undelete_2.09_[Serial].exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\OutClock_1.1.zip.vir/OutClock_1.1.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\OutClock_1.1.zip.vir/OutClock_1.1.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Neo_Pro_3.1.374.zip.vir/Neo_Pro_3.1.374.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Neo_Pro_3.1.374.zip.vir/Neo_Pro_3.1.374.exe
2008-08-22 21:57 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MyJgui_0.5.3.zip.vir/MyJgui_0.5.3.exe
2008-08-22 21:57 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MyJgui_0.5.3.zip.vir/MyJgui_0.5.3.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\My_Downloads_1.4.zip.vir/My_Downloads_1.4.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\My_Downloads_1.4.zip.vir/My_Downloads_1.4.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Multiplayer_Championship_Poker_(Pocket_PC)_4.zip.vir/Multiplayer_Championship_Poker_(Pocket_PC)_4.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Multiplayer_Championship_Poker_(Pocket_PC)_4.zip.vir/Multiplayer_Championship_Poker_(Pocket_PC)_4.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MSN_Webcam_Recorder_9.1.zip.vir/MSN_Webcam_Recorder_9.1.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MSN_Webcam_Recorder_9.1.zip.vir/MSN_Webcam_Recorder_9.1.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MSN_Cartoon_Avatar_Display_Pack_1.0.zip.vir/MSN_Cartoon_Avatar_Display_Pack_1.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MSN_Cartoon_Avatar_Display_Pack_1.0.zip.vir/MSN_Cartoon_Avatar_Display_Pack_1.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MouseMeter_0.1.3.zip.vir/MouseMeter_0.1.3.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MouseMeter_0.1.3.zip.vir/MouseMeter_0.1.3.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MouseClock_3.2_[Patch].zip.vir/MouseClock_3.2_[Patch].exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MouseClock_3.2_[Patch].zip.vir/MouseClock_3.2_[Patch].exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Minister_Scheduler_Pro_1.0.zip.vir/Minister_Scheduler_Pro_1.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Minister_Scheduler_Pro_1.0.zip.vir/Minister_Scheduler_Pro_1.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MindVisualizer_Standard_1.4.4.0_(Serial).zip.vir/MindVisualizer_Standard_1.4.4.0_(Serial).exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MindVisualizer_Standard_1.4.4.0_(Serial).zip.vir/MindVisualizer_Standard_1.4.4.0_(Serial).exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MindStudio_Vocab_1.0.zip.vir/MindStudio_Vocab_1.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MindStudio_Vocab_1.0.zip.vir/MindStudio_Vocab_1.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Meteor_1.1.zip.vir/Meteor_1.1.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Meteor_1.1.zip.vir/Meteor_1.1.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Medal_of_Honor_Allied_Assault_Spearhead_-_Southern_France_map.zip.vir/Medal_of_Honor_Allied_Assault_Spearhead_-_Southern_France_map.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Medal_of_Honor_Allied_Assault_Spearhead_-_Southern_France_map.zip.vir/Medal_of_Honor_Allied_Assault_Spearhead_-_Southern_France_map.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\McAfee.VirusScan.10.0.zip.vir/McAfee.VirusScan.10.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\McAfee.VirusScan.10.0.zip.vir/McAfee.VirusScan.10.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Mcafee.Virus.Scan.Professional.Edition.8.0-Ita.zip.vir/Mcafee.Virus.Scan.Professional.Edition.8.0-Ita.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Mcafee.Virus.Scan.Professional.Edition.8.0-Ita.zip.vir/Mcafee.Virus.Scan.Professional.Edition.8.0-Ita.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MarsEdit_1.0.zip.vir/MarsEdit_1.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\MarsEdit_1.0.zip.vir/MarsEdit_1.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Live_Search_Podcast_1.1.zip.vir/Live_Search_Podcast_1.1.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Live_Search_Podcast_1.1.zip.vir/Live_Search_Podcast_1.1.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Link_Folder_1.0.zip.vir/Link_Folder_1.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Link_Folder_1.0.zip.vir/Link_Folder_1.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Libcurl.NET_1.3.zip.vir/Libcurl.NET_1.3.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Libcurl.NET_1.3.zip.vir/Libcurl.NET_1.3.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Klinzter_Script_4.2.zip.vir/Klinzter_Script_4.2.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Klinzter_Script_4.2.zip.vir/Klinzter_Script_4.2.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\IPComboBox_OCX_1.0.0.1.zip.vir/IPComboBox_OCX_1.0.0.1.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\IPComboBox_OCX_1.0.0.1.zip.vir/IPComboBox_OCX_1.0.0.1.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\IP_Monitor_5.1.zip.vir/IP_Monitor_5.1.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\IP_Monitor_5.1.zip.vir/IP_Monitor_5.1.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Internet_Explorer_Password_Recovery_Master_1.4.zip.vir/Internet_Explorer_Password_Recovery_Master_1.4.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Internet_Explorer_Password_Recovery_Master_1.4.zip.vir/Internet_Explorer_Password_Recovery_Master_1.4.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\imeem_2.4.38.2476.zip.vir/imeem_2.4.38.2476.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\imeem_2.4.38.2476.zip.vir/imeem_2.4.38.2476.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\HSLAB_Logger_3.4.28.124_With_Crack.zip.vir/HSLAB_Logger_3.4.28.124_With_Crack.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\HSLAB_Logger_3.4.28.124_With_Crack.zip.vir/HSLAB_Logger_3.4.28.124_With_Crack.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Hawaii_Screensaver_4.0.zip.vir/Hawaii_Screensaver_4.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Hawaii_Screensaver_4.0.zip.vir/Hawaii_Screensaver_4.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Greek_Formulae_1.0.zip.vir/Greek_Formulae_1.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Greek_Formulae_1.0.zip.vir/Greek_Formulae_1.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\GrabJPG_1.12.zip.vir/GrabJPG_1.12.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\GrabJPG_1.12.zip.vir/GrabJPG_1.12.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Go_Game_Hamete_and_Overplay_for_Smartphone_1.1.zip.vir/Go_Game_Hamete_and_Overplay_for_Smartphone_1.1.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Go_Game_Hamete_and_Overplay_for_Smartphone_1.1.zip.vir/Go_Game_Hamete_and_Overplay_for_Smartphone_1.1.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Ghost_MP3_CD_Maker_2.0.zip.vir/Ghost_MP3_CD_Maker_2.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Ghost_MP3_CD_Maker_2.0.zip.vir/Ghost_MP3_CD_Maker_2.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\FotoTime_FotoAlbum_Pro_5.3.1.4_Cracked.zip.vir/FotoTime_FotoAlbum_Pro_5.3.1.4_Cracked.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\FotoTime_FotoAlbum_Pro_5.3.1.4_Cracked.zip.vir/FotoTime_FotoAlbum_Pro_5.3.1.4_Cracked.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\FirePanel_XP_2.2.0.0_(Patch).zip.vir/FirePanel_XP_2.2.0.0_(Patch).exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\FirePanel_XP_2.2.0.0_(Patch).zip.vir/FirePanel_XP_2.2.0.0_(Patch).exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\FastPhpInsert_News-Slide-Protected_page_1.0_Key+Serial.zip.vir/FastPhpInsert_News-Slide-Protected_page_1.0_Key+Serial.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\FastPhpInsert_News-Slide-Protected_page_1.0_Key+Serial.zip.vir/FastPhpInsert_News-Slide-Protected_page_1.0_Key+Serial.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Fast_Port_Scanner_1.0.zip.vir/Fast_Port_Scanner_1.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Fast_Port_Scanner_1.0.zip.vir/Fast_Port_Scanner_1.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\F-Prot.Antivirus.for.Windows.v3.16.Retail-DVT.zip.vir/F-Prot.Antivirus.for.Windows.v3.16.Retail-DVT.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\F-Prot.Antivirus.for.Windows.v3.16.Retail-DVT.zip.vir/F-Prot.Antivirus.for.Windows.v3.16.Retail-DVT.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\EZRound_2.1.zip.vir/EZRound_2.1.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\EZRound_2.1.zip.vir/EZRound_2.1.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Express_Tax_Refund_1.0.zip.vir/Express_Tax_Refund_1.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Express_Tax_Refund_1.0.zip.vir/Express_Tax_Refund_1.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Email_Collector_Lite_1.6.8.zip.vir/Email_Collector_Lite_1.6.8.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Email_Collector_Lite_1.6.8.zip.vir/Email_Collector_Lite_1.6.8.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Egypt_of_David_Roberts_1.0.zip.vir/Egypt_of_David_Roberts_1.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Egypt_of_David_Roberts_1.0.zip.vir/Egypt_of_David_Roberts_1.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\EF_CheckSum_Manager_4.30_[Crack].zip.vir/EF_CheckSum_Manager_4.30_[Crack].exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\EF_CheckSum_Manager_4.30_[Crack].zip.vir/EF_CheckSum_Manager_4.30_[Crack].exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\EcoKeno_3.74.zip.vir/EcoKeno_3.74.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\EcoKeno_3.74.zip.vir/EcoKeno_3.74.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\E-mail_Redemption_for_Outlook_1.6.zip.vir/E-mail_Redemption_for_Outlook_1.6.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\E-mail_Redemption_for_Outlook_1.6.zip.vir/E-mail_Redemption_for_Outlook_1.6.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\E-Converter_1.50.zip.vir/E-Converter_1.50.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\E-Converter_1.50.zip.vir/E-Converter_1.50.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Dynamic_DBTreeView_1.8.zip.vir/Dynamic_DBTreeView_1.8.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Dynamic_DBTreeView_1.8.zip.vir/Dynamic_DBTreeView_1.8.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\DXMan_1.10.zip.vir/DXMan_1.10.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\DXMan_1.10.zip.vir/DXMan_1.10.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\DNS_Redirector_6.3.1_Crack.zip.vir/DNS_Redirector_6.3.1_Crack.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\DNS_Redirector_6.3.1_Crack.zip.vir/DNS_Redirector_6.3.1_Crack.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\DiskViz_-_Link_Checker_1.0_[Patch].zip.vir/DiskViz_-_Link_Checker_1.0_[Patch].exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\DiskViz_-_Link_Checker_1.0_[Patch].zip.vir/DiskViz_-_Link_Checker_1.0_[Patch].exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\CutePage_CoolText_1.5.zip.vir/CutePage_CoolText_1.5.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\CutePage_CoolText_1.5.zip.vir/CutePage_CoolText_1.5.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Claxa_1.0.zip.vir/Claxa_1.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Claxa_1.0.zip.vir/Claxa_1.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Christian_Virtual_Hymnal_2.zip.vir/Christian_Virtual_Hymnal_2.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Christian_Virtual_Hymnal_2.zip.vir/Christian_Virtual_Hymnal_2.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\CD_WAVE_Ripper_1.0.zip.vir/CD_WAVE_Ripper_1.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\CD_WAVE_Ripper_1.0.zip.vir/CD_WAVE_Ripper_1.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\CATLearn_Reader_1.1.zip.vir/CATLearn_Reader_1.1.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\CATLearn_Reader_1.1.zip.vir/CATLearn_Reader_1.1.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Business_Card_Printer_2.0.zip.vir/Business_Card_Printer_2.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Business_Card_Printer_2.0.zip.vir/Business_Card_Printer_2.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Bukster_Link_Generator_1.0.zip.vir/Bukster_Link_Generator_1.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Bukster_Link_Generator_1.0.zip.vir/Bukster_Link_Generator_1.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\BT_Engine_4.8_build_0605.zip.vir/BT_Engine_4.8_build_0605.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\BT_Engine_4.8_build_0605.zip.vir/BT_Engine_4.8_build_0605.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Bronze_Sculpture_Jigsaw_Puzzle_45pcs.zip.vir/Bronze_Sculpture_Jigsaw_Puzzle_45pcs.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Bronze_Sculpture_Jigsaw_Puzzle_45pcs.zip.vir/Bronze_Sculpture_Jigsaw_Puzzle_45pcs.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Boombox_Granny_Demo_Screensaver_1.0.zip.vir/Boombox_Granny_Demo_Screensaver_1.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Boombox_Granny_Demo_Screensaver_1.0.zip.vir/Boombox_Granny_Demo_Screensaver_1.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\BidSolid_1.06.zip.vir/BidSolid_1.06.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\BidSolid_1.06.zip.vir/BidSolid_1.06.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Beta_Program_Bug_&_Feature_Database_1.0_Cracked.zip.vir/Beta_Program_Bug_&_Feature_Database_1.0_Cracked.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Beta_Program_Bug_&_Feature_Database_1.0_Cracked.zip.vir/Beta_Program_Bug_&_Feature_Database_1.0_Cracked.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Backup_Premium_2.5_[Patch].zip.vir/Backup_Premium_2.5_[Patch].exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Backup_Premium_2.5_[Patch].zip.vir/Backup_Premium_2.5_[Patch].exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Backup_Chunker_2.0.zip.vir/Backup_Chunker_2.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Backup_Chunker_2.0.zip.vir/Backup_Chunker_2.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Avoirdupois_Weight_Measure_Converter_1.zip.vir/Avoirdupois_Weight_Measure_Converter_1.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Avoirdupois_Weight_Measure_Converter_1.zip.vir/Avoirdupois_Weight_Measure_Converter_1.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AppSpy_2.3_(Key).zip.vir/AppSpy_2.3_(Key).exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AppSpy_2.3_(Key).zip.vir/AppSpy_2.3_(Key).exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Aplus_DVD_Creator_4.52.zip.vir/Aplus_DVD_Creator_4.52.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Aplus_DVD_Creator_4.52.zip.vir/Aplus_DVD_Creator_4.52.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ApHeMo_1.5.0.8.zip.vir/ApHeMo_1.5.0.8.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ApHeMo_1.5.0.8.zip.vir/ApHeMo_1.5.0.8.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AnyForm_5.0.zip.vir/AnyForm_5.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AnyForm_5.0.zip.vir/AnyForm_5.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Anubis_P2P_1.4.zip.vir/Anubis_P2P_1.4.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Anubis_P2P_1.4.zip.vir/Anubis_P2P_1.4.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AntiVir.PersonalEdition.Premium.v7.+.VDF.v6.34.00.48.+.Lizenz.Key.zip.vir/AntiVir.PersonalEdition.Premium.v7.+.VDF.v6.34.00.48.+.Lizenz.Key.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AntiVir.PersonalEdition.Premium.v7.+.VDF.v6.34.00.48.+.Lizenz.Key.zip.vir/AntiVir.PersonalEdition.Premium.v7.+.VDF.v6.34.00.48.+.Lizenz.Key.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AllPeers_0.55.1_Beta.zip.vir/AllPeers_0.55.1_Beta.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\AllPeers_0.55.1_Beta.zip.vir/AllPeers_0.55.1_Beta.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Air_Messenger_Pro_6.7.4.zip.vir/Air_Messenger_Pro_6.7.4.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Air_Messenger_Pro_6.7.4.zip.vir/Air_Messenger_Pro_6.7.4.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Aide_Onlinometer_1.70_Key+Serial.zip.vir/Aide_Onlinometer_1.70_Key+Serial.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Aide_Onlinometer_1.70_Key+Serial.zip.vir/Aide_Onlinometer_1.70_Key+Serial.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Advanced_StartUp_Manager_1.41_With_Crack.zip.vir/Advanced_StartUp_Manager_1.41_With_Crack.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Advanced_StartUp_Manager_1.41_With_Crack.zip.vir/Advanced_StartUp_Manager_1.41_With_Crack.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Advanced_PDF_Generator_1.1.3.0_(Patch).zip.vir/Advanced_PDF_Generator_1.1.3.0_(Patch).exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Advanced_PDF_Generator_1.1.3.0_(Patch).zip.vir/Advanced_PDF_Generator_1.1.3.0_(Patch).exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Adoc2PDF_1.2.zip.vir/Adoc2PDF_1.2.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\Adoc2PDF_1.2.zip.vir/Adoc2PDF_1.2.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ACA_Capture_Pro_5.50_(KeyGen).zip.vir/ACA_Capture_Pro_5.50_(KeyGen).exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ACA_Capture_Pro_5.50_(KeyGen).zip.vir/ACA_Capture_Pro_5.50_(KeyGen).exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ABCUpload_.NET_5.3.0.zip.vir/ABCUpload_.NET_5.3.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\ABCUpload_.NET_5.3.0.zip.vir/ABCUpload_.NET_5.3.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\[HGame_XP][AVG][jpn_jpn][愛のチカラ].zip.vir/[HGame_XP][AVG][jpn_jpn][愛のチカラ].exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\[HGame_XP][AVG][jpn_jpn][愛のチカラ].zip.vir/[HGame_XP][AVG][jpn_jpn][愛のチカラ].exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\3D_Ultra_NASCAR_Pinball_1.0.zip.vir/3D_Ultra_NASCAR_Pinball_1.0.exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\3D_Ultra_NASCAR_Pinball_1.0.zip.vir/3D_Ultra_NASCAR_Pinball_1.0.exe
2008-08-22 21:56 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\3D_Haunting_Halloween_Screensaver_1.0_[Cracked].zip.vir/3D_Haunting_Halloween_Screensaver_1.0_[Cracked].exe
2008-08-22 21:56 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\3D_Haunting_Halloween_Screensaver_1.0_[Cracked].zip.vir/3D_Haunting_Halloween_Screensaver_1.0_[Cracked].exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\131_Ice_Cream_Maker_Recipes_1.0_Patch.zip.vir/131_Ice_Cream_Maker_Recipes_1.0_Patch.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\shared\131_Ice_Cream_Maker_Recipes_1.0_Patch.zip.vir/131_Ice_Cream_Maker_Recipes_1.0_Patch.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\windows\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\windows\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP2\A0002240.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP2\A0002240.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002223.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002223.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002164.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002164.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002067.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP1\A0002067.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004069.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004069.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004068.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP17\A0004068.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003954.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003954.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003953.exe
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP16\A0003953.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\mdelk.exe.vir
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\mdelk.exe.vir
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\hldrrr.exe.vir
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\hldrrr.exe.vir
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\data.oct.vir
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\data.oct.vir
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2008-08-22 21:54 Detected: Trojan-Downloader.Win32.Bagle.yd c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2008-08-22 21:25 Detected: http://www.viruslist.com/en/advisories/31010 G:\Temp\matlab704\java\jre\win32\jre\bin\java.exe
2008-08-22 21:02 Detected: http://www.viruslist.com/en/advisories/31010 G:\IEGD\IEGD_6_1_Gold\jre\bin\javaws.exe
2008-08-22 20:58 Untreated: Trojan-Downloader.Win32.Bagle.yd c:\windows\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd Postponed
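The log above mixes three very different kinds of hits: copies that ComboFix had already moved into c:\QooBox\Quarantine (the .vir files), copies sitting in System Restore points under System Volume Information, and files in live locations, plus a couple of advisory hits where the detection field is a viruslist.com URL rather than a malware name. Reading a few thousand of those lines by hand is error-prone, so here is a small triage script. It is an added example, not part of the post and not code from Kaspersky, ComboFix or any other tool mentioned in the thread; the sample lines are copied from the log above and embedded as a constructed input. It assumes the log is newest-first (as the posted one is), that the trailing word "Postponed" marks a postponed action on an untreated entry, and the location classes (quarantine, system_restore, vulnerable_software, live) are my own categorisation.

```python
import re
from collections import Counter

# Constructed sample input: a handful of lines copied from the Kaspersky log
# posted above, kept in the log's own newest-first order.
SAMPLE_LOG = r"""
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\windows\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd
2008-08-22 21:55 Detected: Trojan-Downloader.Win32.Bagle.yd c:\System Volume Information\_restore{9384D14A-8919-45E0-8D92-F319E956DD83}\RP2\A0002240.exe
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\QooBox\Quarantine\C\WINDOWS\system32\drivers\mdelk.exe.vir
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yt c:\QooBox\Quarantine\C\Documents and Settings\Mike\Application Data\m\data.oct.vir
2008-08-22 21:55 Deleted: Trojan-Downloader.Win32.Bagle.yd c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2008-08-22 21:25 Detected: http://www.viruslist.com/en/advisories/31010 G:\Temp\matlab704\java\jre\win32\jre\bin\java.exe
2008-08-22 20:58 Untreated: Trojan-Downloader.Win32.Bagle.yd c:\windows\system32\RunDll32 cmicnfg.cpl,CMICtrlWnd Postponed
"""

# One log line: "<date> <time> <status>: <detection> <path>[ Postponed]".
# The path is taken non-greedily so that an optional trailing "Postponed"
# (assumed here to mark a postponed action) is split off rather than kept
# as part of the path; paths containing spaces stay intact.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<status>Detected|Deleted|Untreated): "
    r"(?P<detection>\S+) "
    r"(?P<path>.*?)"
    r"(?P<postponed> Postponed)?$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "status": m["status"],
        "detection": m["detection"],
        "path": m["path"],
        "postponed": m["postponed"] is not None,
    }


def parse_log(text):
    """Parse a whole log, silently skipping blank or unrecognised lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def classify(path, detection):
    """Assign a hit to a location class (my own categorisation, see lead-in)."""
    p = path.lower()
    if detection.startswith(("http://", "https://")):
        return "vulnerable_software"   # advisory URL, not a malware name
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"            # .vir copies ComboFix already moved aside
    if "\\system volume information\\_restore" in p:
        return "system_restore"        # restore-point copies; inert unless restored
    return "live"                      # anything else is a live location


def summarize(entries):
    """Count hits by (status, location class)."""
    return Counter((e["status"], classify(e["path"], e["detection"])) for e in entries)


def unresolved(entries):
    """Paths whose most recent action is not 'Deleted'.

    Because the log is newest-first, the first entry seen for a path is its
    latest action; a path that was 'Untreated' earlier but 'Deleted' later
    therefore counts as resolved.
    """
    latest = {}
    for e in entries:
        latest.setdefault(e["path"], e["status"])
    return [p for p, s in latest.items() if s != "Deleted"]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for (status, where), n in sorted(summarize(entries).items()):
        print(f"{status:10} {where:20} {n}")
    print("still unresolved:")
    for p in unresolved(entries):
        print("  ", p)
```

On the sample, the only entries left unresolved are the System Restore copy and the Java advisory hit; the RunDll32 cmicnfg.cpl,CMICtrlWnd entry, which is a command line rather than a file path and was reported as Untreated at 20:58, is later reported as Deleted at 21:55 and so drops out. Run over the full log, the summary tells you at a glance whether anything outside quarantine and restore points is still being found, which is the question that actually matters for deciding whether the machine is clean.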