trojan.agent infection

lonomatik · Aug 19, 2009

Tashi instructed me to post a new topic in this forum accompanied by a HJT log.

shortly after i posted to this forum i lost my internet connection and panicked. i attempted to fix my problem with HJT as well as COMBOFIX. i also ran MALWARE BYTES along with SOPHOS a number of times in both safe and normal mode from a DVD with little success. i say "little" because i have gotten back online and it appears that MALWARE BYTES despite not finding anything in my scans DETECTED an infection in passive mode (?) and quarantined some TROJAN.AGENT(?) tmp files numbered 1-6.

i dont consider myself an expert by any means but i have handled previous infections, however this one has me stumped. please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:11 AM, on 8/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1218053295500
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233702376765
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Issicpmkcsvs - S3/Diamond Multimedia Systems - C:\WINDOWS\System32\drivers\RIODRV.SYS
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Conexant - (no file)

--
End of file - 4758 bytes

Blade81 · Aug 21, 2009

Hi,

Do you have Malwarebytes' Anti-Malware report still around?

Post contents of c:\ComboFix.txt file, please.

lonomatik · Aug 22, 2009

thanks for the response! heres the Combofix log:

ComboFix 09-08-10.06 - Lonny Chant 08/18/2009 8:52.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1671 [GMT -4:00]
Running from: c:\documents and settings\Lonny Chant\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Lonny Chant\Application Data\inst.exe
c:\windows\box boat blue.ico
c:\windows\Installer\10bf4a.msi
c:\windows\Installer\10d63d.msp
c:\windows\Installer\10d643.msp
c:\windows\Installer\1fdcf13.msi
c:\windows\Installer\22224.msp
c:\windows\Installer\2988ef.msp
c:\windows\Installer\2cb62f2.msi
c:\windows\Installer\4a9e8.msp
c:\windows\Installer\4a9ef.msp
c:\windows\Installer\4aa0b.msp
c:\windows\Installer\4aa22.msp
c:\windows\Installer\85469.msi
c:\windows\Installer\aee550.msp
c:\windows\Installer\aee559.msp
c:\windows\Installer\aee56c.msp
c:\windows\Installer\aee575.msp
c:\windows\Installer\aee57e.msp
c:\windows\Installer\aee599.msp
c:\windows\Installer\aee59f.msp
c:\windows\Installer\aee5a7.msp
c:\windows\Installer\aee5ad.msp
c:\windows\Installer\be6630.msp
c:\windows\Installer\be6648.msp
c:\windows\Installer\be6651.msp
c:\windows\Installer\be6658.msp
c:\windows\Installer\be6661.msp
c:\windows\Installer\be6667.msp
c:\windows\Installer\be667f.msp
c:\windows\Installer\be6685.msp
c:\windows\Installer\be668e.msp
c:\windows\Installer\be66a9.msp
c:\windows\Installer\be66af.msp
c:\windows\Installer\f9a51e.msp
c:\windows\patch.exe
c:\windows\Readme.txt
c:\windows\system32\ad020326.de
c:\windows\system32\drivers\SKYNETnktlirns.sys
c:\windows\system32\open.ico
c:\windows\system32\SKYNETomdbwfoo.dat
c:\windows\system32\SKYNETpfwkkpba.dll
c:\windows\system32\SKYNETtnyymfmc.dat
c:\windows\system32\SKYNETyxumoavk.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETxeoawvbl
-------\Legacy_SKYNETxeoawvbl
-------\Legacy_VDMT16
-------\Legacy_WINLOW
-------\Service_npf

((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-18 12:06 . 2009-08-18 12:06 -------- d-----w- C:\rsit
2009-08-18 12:02 . 2009-08-18 12:02 -------- d-----w- c:\documents and settings\Lonny Chant\.SunDownloadManager
2009-08-16 00:47 . 2009-08-16 00:47 -------- d-----w- c:\program files\Trend Micro
2009-08-14 14:28 . 2009-08-14 14:45 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\IObit
2009-08-14 14:28 . 2009-08-14 14:28 -------- d-----w- c:\program files\IObit
2009-08-14 11:40 . 2009-08-14 11:40 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-14 11:40 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 11:40 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 18:49 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-21 21:31 . 2009-07-21 21:31 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 10:34 . 2005-02-16 15:00 48622851 -c--a-w- c:\windows\Internet Logs\tvDebug.zip
2009-08-15 23:50 . 2002-10-04 20:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-15 22:29 . 2009-08-15 22:29 104618 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_15_18_24_23_small.dmp.zip
2009-08-15 22:29 . 2009-08-15 22:29 77703 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_15_18_24_22_small.dmp.zip
2009-08-15 22:24 . 2009-08-15 22:24 3391488 ----a-w- c:\windows\Internet Logs\xDB9A.tmp
2009-08-15 22:24 . 2009-08-15 22:24 25600 ----a-w- c:\windows\Internet Logs\xDB99.tmp
2009-08-15 20:53 . 2009-08-15 20:53 98332 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_15_16_48_11_small.dmp.zip
2009-08-15 20:53 . 2009-08-15 20:53 75976 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_15_16_48_10_small.dmp.zip
2009-08-15 20:48 . 2009-08-15 20:48 3390976 ----a-w- c:\windows\Internet Logs\xDB72.tmp
2009-08-15 20:48 . 2009-08-15 20:48 3000832 ----a-w- c:\windows\Internet Logs\xDB71.tmp
2009-08-14 14:44 . 2008-06-10 18:33 -------- d-----w- c:\program files\RightMark Memory Analyzer
2009-08-14 14:44 . 2008-03-04 14:35 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\Vso
2009-08-14 14:44 . 2007-12-24 15:30 -------- d-----w- c:\program files\EarthLink TotalAccess
2009-08-14 14:44 . 2007-07-04 00:46 -------- d-----w- c:\program files\Steam
2009-08-14 14:44 . 2007-05-24 22:58 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\Azureus
2009-08-14 14:44 . 2003-03-07 23:56 -------- d-----w- c:\program files\DivX
2009-08-14 14:44 . 2002-10-04 20:52 -------- d-----w- c:\program files\MUSICMATCH
2009-08-14 11:41 . 2009-05-30 11:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 09:01 . 2009-02-05 03:27 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-21 21:40 . 2007-10-27 18:03 -------- d-----w- c:\program files\iTunes
2009-07-21 21:40 . 2006-04-09 21:36 -------- d-----w- c:\program files\iPod
2009-07-21 21:40 . 2009-02-19 21:10 -------- d-----w- c:\program files\Common Files\Apple
2009-07-17 19:01 . 2009-02-05 03:28 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-09-22 23:46 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-29 16:12 . 2009-02-05 03:27 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-02-05 03:28 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-18 16:52 . 2009-06-18 16:52 76453 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_06_18_12_00_12_small.dmp.zip
2009-06-18 15:56 . 2009-06-18 15:56 422 ----a-w- c:\documents and settings\Lonny Chant\Application Data\Adobe\socks32.exe
2009-06-18 15:56 . 2009-06-18 15:56 16141 ----a-w- c:\documents and settings\Lonny Chant\Application Data\Ahead\megalon.exe
2009-06-18 15:56 . 2009-06-18 15:56 145131 ----a-w- c:\documents and settings\Lonny Chant\Application Data\AdobeUM\horsi.exe
2009-06-18 15:56 . 2009-06-18 15:56 13221 ----a-w- c:\documents and settings\Lonny Chant\Application Data\acccore\reniga.dll
2009-06-18 15:56 . 2009-06-18 15:56 11232 ----a-w- c:\documents and settings\Lonny Chant\Application Data\.BitTornado\moha.exe
2009-06-16 14:36 . 2004-08-29 21:19 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-08-18 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2009-02-05 03:27 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-11 15:44 . 2002-11-21 21:00 209440 -c--a-w- c:\documents and settings\Lonny Chant\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-11 15:33 . 2009-06-11 15:33 36864 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\{80E158EA-7181-40FE-A701-301CE6BE64AB}\PostBuild.exe
2009-06-10 14:13 . 2009-02-05 03:28 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2009-02-05 03:27 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2009-02-05 03:27 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 15:42 . 2009-05-13 19:15 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2009-02-19 21:11 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2009-02-05 03:27 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2006-01-20 00:23 . 2006-01-20 00:23 3072 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-01-20 00:23 . 2006-01-20 00:23 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.e\0smrgdf c:\program files\iolo\System Mechanic Professional 6\\0iolobtdfg c:\windows\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"ATI Smart"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPWITOOLBOX"=c:\program files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ioloDelayModule"=c:\program files\iolo\System Mechanic Professional 6\delay.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\SYSTEM32\DRIVERS\ppa.sys [2/7/2003 12:37 PM 17792]
R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 5:04 AM 18088]
R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [10/9/2002 10:36 AM 4064]
R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [6/10/2008 2:28 PM 243200]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/14/2009 7:40 AM 232720]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [8/14/2009 7:40 AM 19096]
S2 FCKYZQSL;FCKYZQSL;\??\c:\windows\System32\fckyzqsl.tcg --> c:\windows\System32\fckyzqsl.tcg [?]
S3 Aastrams;Aastrams; [x]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys --> c:\windows\system32\DRIVERS\ADSFilter.sys [?]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\DRIVERS\ati2mpaa.sys --> c:\windows\system32\DRIVERS\ati2mpaa.sys [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 RTCore32;RTCore32;c:\program files\RightMark Memory Analyzer\RTCore32.sys [6/10/2008 2:33 PM 4608]
.
Contents of the 'Scheduled Tasks' folder

2009-08-16 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Lonny Chant.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-08-14 17:36]

2009-08-16 c:\windows\Tasks\Malwarebytes' Scheduled Update for Lonny Chant.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-08-14 17:36]

2009-06-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2005-12-09 19:45]

2009-08-16 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-03-09 18:39]
.
.
------- Supplementary Scan -------
.
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Lonny Chant\Application Data\Mozilla\Firefox\Profiles\h5abj7co.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\documents and settings\Lonny Chant\Application Data\Mozilla\Firefox\Profiles\h5abj7co.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 09:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\FCKYZQSL]
"ImagePath"="\??\c:\windows\System32\fckyzqsl.tcg"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\LP*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"nf\\cx_08948.inf\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\}›õw”¶*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.5004"
"DeviceInstanceIds"=multi:"\00"

[HKEY_LOCAL_MACHINE\software\swearware\backup\winsock2]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2656)
c:\windows\system32\WININET.dll
c:\windows\system32\wuaucpl.old.cpl
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\taskmgr.exe
c:\windows\SYSTEM32\ZoneLabs\vsmon.exe
c:\windows\SYSTEM32\dwwin.exe
c:\windows\SYSTEM32\ZoneLabs\vsmon.exe
c:\windows\SYSTEM32\ZoneLabs\vsmon.exe
c:\windows\SYSTEM32\ZoneLabs\vsmon.exe
.
**************************************************************************
.
Completion time: 2009-08-18 9:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 13:17

Pre-Run: 14,085,390,336 bytes free
Post-Run: 13,873,573,888 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=5 Default=5 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
286 --- E O F --- 2009-08-13 03:40

lonomatik · Aug 22, 2009

a Malwarebytes log from the same day:

Malwarebytes' Anti-Malware 1.40
Database version: 2648
Windows 5.1.2600 Service Pack 3

8/18/2009 11:12:39 AM
mbam-log-2009-08-18 (11-12-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 222948
Time elapsed: 1 hour(s), 15 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETnktlirns.sys.vir (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP914\A0237590.sys (Trojan.TDSS) -> No action taken.

Blade81 · Aug 22, 2009

Hi,

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Azureus

I'd like you to read this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

After that:

Generate an Uninstall List

* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it on your next reply.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

Driver::
FCKYZQSL
Aastrams

Folder::
c:\documents and settings\Lonny Chant\Application Data\Azureus

File::
c:\documents and settings\Lonny Chant\Application Data\Adobe\socks32.exe
c:\documents and settings\Lonny Chant\Application Data\Ahead\megalon.exe
c:\documents and settings\Lonny Chant\Application Data\AdobeUM\horsi.exe
c:\documents and settings\Lonny Chant\Application Data\acccore\reniga.dll
c:\documents and settings\Lonny Chant\Application Data\.BitTornado\moha.exe
c:\windows\System32\fckyzqsl.tcg

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe (let ComboFix update itself if asked for a permission).
Then post the resultant log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

lonomatik · Aug 24, 2009

alright, heres the Uninstall log you requested. i had actually already uninstalled the requested program but i guess there were some lingering files.

Active@ DVD Eraser v 1.1
Adobe Anchor Service CS4
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Illustrator 10.0.3
Adobe InDesign CS4
Adobe InDesign CS4
Adobe InDesign CS4 Application Feature Set Files (Roman)
Adobe InDesign CS4 Common Base Files
Adobe InDesign CS4 Icon Handler
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 7.1.0
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Setup
Adobe SGM CS4
Adobe SING CS4
Adobe SVG Viewer 3.0
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
Bonjour
CCleaner (remove only)
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Connect
ConvertXtoDVD 3.1.3.40c
CyberLink MediaShow
CyberLink MediaShow
Dell | Support
Dell Digital Jukebox Driver
Dell Modem-On-Hold
Dell ResourceCD
Digital Line Detect
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DriverAgent by eSupport.com
Duplicate Cleaner 1.2
EarthLink Software
Easy CD Creator 5 Basic
ERUNT 1.1j
Half-Life 2
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
hp deskjet 9600 series
Internet Explorer Q903235
iolo technologies' System Mechanic Professional 6
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 15
kuler
Learn2 Player (Uninstall Only)
Local Port Scanner v1.2.2
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks 4
Macromedia Flash MX 2004
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MobileMe Control Panel
Mozilla Firefox (3.0.13)
MSN Music Assistant
MultiRes (remove only)
OpenMG AAC Add-on Module 1.0.00
OpenMG Secure Module 4.6.01
PDF Settings CS4
Photoshop Camera Raw
Picasa 2
QuickTime
Ray Adams ATI Tray Tools
RealPlayer
Realtek RTL8139 Diagnostics Program
Secure Delivery
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SketchUp 4.0
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Steam
Suite Shared Configuration CS4
Sun Download Manager 2.0 (web)
TaxCut Basic 2006
UnzipThemAll 1.3
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
VC 9.0 Runtime
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.6h
Winamp
Winamp Remote
Windows Backup Utility
Windows Genuine Advantage v1.3.0254.0
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Service Pack 3
WinRAR archiver
XP Codec Pack
ZoneAlarm
Zune Desktop Theme

lonomatik · Aug 24, 2009

the Combofix log:

ComboFix 09-08-22.06 - Lonny Chant 08/23/2009 11:01.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1610 [GMT -4:00]
Running from: c:\documents and settings\Lonny Chant\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lonny Chant\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\documents and settings\Lonny Chant\Application Data\.BitTornado\moha.exe"
"c:\documents and settings\Lonny Chant\Application Data\acccore\reniga.dll"
"c:\documents and settings\Lonny Chant\Application Data\Adobe\socks32.exe"
"c:\documents and settings\Lonny Chant\Application Data\AdobeUM\horsi.exe"
"c:\documents and settings\Lonny Chant\Application Data\Ahead\megalon.exe"
"c:\windows\System32\fckyzqsl.tcg"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Lonny Chant\Application Data\.BitTornado\moha.exe
c:\documents and settings\Lonny Chant\Application Data\acccore\reniga.dll
c:\documents and settings\Lonny Chant\Application Data\Adobe\socks32.exe
c:\documents and settings\Lonny Chant\Application Data\AdobeUM\horsi.exe
c:\documents and settings\Lonny Chant\Application Data\Ahead\megalon.exe
c:\documents and settings\Lonny Chant\Application Data\Azureus
c:\documents and settings\Lonny Chant\Application Data\Azureus\.certs
c:\documents and settings\Lonny Chant\Application Data\Azureus\.keystore
c:\documents and settings\Lonny Chant\Application Data\Azureus\.lock
c:\documents and settings\Lonny Chant\Application Data\Azureus\active\3ABA38C3B576DE59531F45B332CCA4442BB129FA.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\active\3C2BA09E1624D7C14AAEE5ED004269311A98B512.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\active\4438AF41E59C98EED6CDE27F5CC4D3E355F73063.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\active\6B317A643211A899233B451452BFB4F551038E3E.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\active\A948D818834E3F34896A61EEE2361871704C1968.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\active\cache.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\azureus.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\azureus.statistics
c:\documents and settings\Lonny Chant\Application Data\Azureus\banips.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\cnetworks.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\devices.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\dht\general.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\dht\version.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\downloads.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\filters.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\friends.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Lonny Chant\Application Data\Azureus\logs\MetaSearch_Engine_3.txt
c:\documents and settings\Lonny Chant\Application Data\Azureus\metasearch.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\net\pm_22773.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.7.4.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.7.4.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.0.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.0.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.10.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.10.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.11.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.11.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.6.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_1.9.6.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.11.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.11.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.14.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.14.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.16.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.16.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.30.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.30.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.32.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.32.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.34.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.0.34.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.1.02.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azemp_2.1.02.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\azmplay.exe
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\cp1250-a.raw
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\cp1250-b.raw
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\font.desc
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\libInfoGetter.dll
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\osd-mplayer-a.raw
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\osd-mplayer-b.raw
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_1.7.4
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_1.9.0
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_1.9.10
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_1.9.11
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_1.9.6
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.11
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.14
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.16
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.30
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.32
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.34
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azemp\plugin.properties_2.1.02
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azump\azump_1.2.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azump\azump_1.2.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azump\azump_1.3.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azump\azump_1.3.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azump\mplayer.exe
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azump\mplayer\config
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.2.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.2.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.3.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.3.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.6.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.6.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.7.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.7.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.0.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.0.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.1.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.1.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.17.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.17.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.2.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.2.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.5.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.5.zip
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\cd.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.2
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.3
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.6
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.7
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.0
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.1
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.17
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.2
c:\documents and settings\Lonny Chant\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.5
c:\documents and settings\Lonny Chant\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\01FE0E4954FEEB299706.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\0208EEB906A1C63F97E2.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\0FE2857420B40A53BB77.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\12533BF9649105ABA27A.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\1603EF58DAA24E05E927.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\1D2D9FBC3F4BE8AA689D.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\24DB0521CDEC3ACE7E8C.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\28CF14B604BFE173EEFF.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\292D07370EA3783CDCAC.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\29A2E7CB5E7A69DBBE14.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\2DCFAB8F832477D02694.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\2F7D51E79B34BE84F742.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\3C1C33756A83CC05D595.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\487A4B88740420E32C87.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\4964C136A88C465A6B48.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\4B713E793017BE7BA43A.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\4CD6D96573CE7093FB98.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\4F2AA8C2D919E9835A62.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\52C6D09A02BBB590C252.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\59A6E5D794A9DFCD6CDF.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\62E0DD046B0A2450A807.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\632A20E73961F1C133F2.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\65CE3C46ACE1B29F7AF8.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\6F5910EA3FFE2EA04ABF.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\71C6685E772F650EA387.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\72D2F5BA4A68FA6F677A.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\743517466E51A760F1BF.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\74F7267F1BCBC66CB79C.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\79D82923B992917F8430.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\79E766BACEC15D14BEA9.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\7D80FF0229178E1AD2BD.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\8208605FEAE769DF8C5B.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\829E59C40EFFE22EB406.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\83F9D7CFBA5E7496ACC5.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\88DA602C72BB0AB9CEE8.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\8A8138032CEB4BAFDDBC.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\8BF158E23CC6F3B41DF9.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\93B716386602D52C6EB7.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\95985978467DA9688755.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\9E68932BDE46973BFAD5.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\A36AB2DCB4226BA0F649.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\A37CED700C6A8093072F.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\A4C4F5D3B481321E52AF.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\A7EF32FC85BCF1692DDB.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\A8C1F452C6DA7C51AA2B.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\B23FF1607C78876627F3.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\B9F9824CB0A991DE3AC4.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\BA42C1C871ADA5B254DA.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\BAD9AC808DA5DC699651.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\C04565C3BABED3846AE4.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\C61A720916E29A0837B2.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\C868FF325124E3D0D58F.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\CE275B7D9043458D6329.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\D2D5ED50888A83E4C5DD.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\D2FC0BF3FD78ED958712.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\D36FC2A487705C854BDA.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\D5B735BDEA2EE95A3DFF.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\DB8EBA0A8243FAC1DD16.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\DCD20AB6684A16AA1475.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\E143495E02618735CB40.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\E267584D36198A287181.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\E32C595A861BADB257CC.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\E7CE62A3124A6E9AD402.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\F37F1C2264BA31BFB3E3.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subs\FC5CC391DA4BA78C3961.vuze
c:\documents and settings\Lonny Chant\Application Data\Azureus\subscriptions.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\tables.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\tmp\AZU36328.tmp\patch.jar
c:\documents and settings\Lonny Chant\Application Data\Azureus\torrents\Angel_complete_seasons_1_through_5.3351072.TPB [mininova].torrent
c:\documents and settings\Lonny Chant\Application Data\Azureus\torrents\Enchanted__2007__DVDRip-1.torrent
c:\documents and settings\Lonny Chant\Application Data\Azureus\torrents\Firefly_Series_200_2_DVDRip_x264.torrent
c:\documents and settings\Lonny Chant\Application Data\Azureus\torrents\Macromedia Flash 5 + Serial.zip [mininova].torrent
c:\documents and settings\Lonny Chant\Application Data\Azureus\torrents\NIN_-_THE_UNRELEASED_________________BEHIND_THE_SCENES_OF_CLOSER.4226814.TPB-1.torrent
c:\documents and settings\Lonny Chant\Application Data\Azureus\torrents\sims_2_all_expansions__november_9_2007_630462484091_913.torrent
c:\documents and settings\Lonny Chant\Application Data\Azureus\torrents\This.Film.Has.Not.Yet.Been.Rated.2006.DvdRip.eng.avi.4078123.TPB.torrent
c:\documents and settings\Lonny Chant\Application Data\Azureus\tracker.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\unsentdata.config
c:\documents and settings\Lonny Chant\Application Data\Azureus\update.properties
c:\documents and settings\Lonny Chant\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Lonny Chant\Application Data\Azureus\VuzeActivities.config
c:\windows\Fonts\FRE3OF9X.TTF
c:\windows\Fonts\FREE3OF9.TTF
c:\windows\Fonts\GUNSHIP2.TTF
c:\windows\smproflt.dll
c:\windows\wpd99.drv

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AASTRAMS
-------\Legacy_FCKYZQSL
-------\Service_Aastrams
-------\Service_FCKYZQSL

((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.

2009-08-19 13:23 . 2009-08-19 13:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-19 13:23 . 2009-08-19 13:23 152576 ----a-w- c:\documents and settings\Lonny Chant\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-19 12:42 . 2009-08-19 12:42 -------- d-----w- c:\program files\ERUNT
2009-08-19 10:33 . 2009-08-19 10:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-08-19 02:30 . 2009-08-19 02:32 -------- d-----w- c:\program files\Malwar
2009-08-18 21:03 . 2009-08-18 21:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-18 17:25 . 2009-08-18 17:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-18 12:06 . 2009-08-18 12:06 -------- d-----w- C:\rsit
2009-08-18 12:02 . 2009-08-18 12:02 -------- d-----w- c:\documents and settings\Lonny Chant\.SunDownloadManager
2009-08-16 00:47 . 2009-08-16 00:47 -------- d-----w- c:\program files\Trend Micro
2009-08-14 14:28 . 2009-08-14 14:45 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\IObit
2009-08-14 14:28 . 2009-08-14 14:28 -------- d-----w- c:\program files\IObit
2009-08-14 11:40 . 2009-08-14 11:40 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-14 11:40 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 11:40 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 18:49 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-23 15:08 . 2008-03-07 08:49 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\Ahead
2009-08-23 15:08 . 2005-03-08 19:14 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\AdobeUM
2009-08-23 15:08 . 2007-03-13 20:47 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\acccore
2009-08-23 15:08 . 2005-03-22 17:02 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\.BitTornado
2009-08-23 13:26 . 2006-05-29 23:24 -------- d-----w- c:\program files\bl
2009-08-19 13:23 . 2005-03-14 03:19 -------- d-----w- c:\program files\Java
2009-08-19 13:17 . 2007-07-04 00:46 -------- d-----w- c:\program files\Steam
2009-08-18 20:43 . 2004-01-03 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-18 20:42 . 2008-03-11 11:54 -------- d-----w- c:\program files\CCleaner
2009-08-18 20:23 . 2005-02-16 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-18 15:15 . 2009-08-18 15:56 11264 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-08-18 15:15 . 2009-08-18 15:56 3396608 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-08-18 13:21 . 2009-08-18 13:52 13824 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-08-18 13:21 . 2009-08-18 13:52 3396096 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-08-18 13:08 . 2009-08-18 13:21 3396096 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-08-18 13:08 . 2009-08-18 13:21 44032 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-08-17 10:34 . 2005-02-16 15:00 48622851 -c--a-w- c:\windows\Internet Logs\tvDebug.zip
2009-08-15 23:50 . 2002-10-04 20:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-15 22:24 . 2009-08-15 22:24 3391488 ----a-w- c:\windows\Internet Logs\xDB9A.tmp
2009-08-15 22:24 . 2009-08-15 22:24 25600 ----a-w- c:\windows\Internet Logs\xDB99.tmp
2009-08-15 20:48 . 2009-08-15 20:48 3390976 ----a-w- c:\windows\Internet Logs\xDB72.tmp
2009-08-15 20:48 . 2009-08-15 20:48 3000832 ----a-w- c:\windows\Internet Logs\xDB71.tmp
2009-08-14 14:44 . 2008-06-10 18:33 -------- d-----w- c:\program files\RightMark Memory Analyzer
2009-08-14 14:44 . 2008-03-04 14:35 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\Vso
2009-08-14 14:44 . 2007-12-24 15:30 -------- d-----w- c:\program files\EarthLink TotalAccess
2009-08-14 14:44 . 2003-03-07 23:56 -------- d-----w- c:\program files\DivX
2009-08-14 14:44 . 2002-10-04 20:52 -------- d-----w- c:\program files\MUSICMATCH
2009-08-14 11:41 . 2009-05-30 11:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 09:01 . 2009-02-05 03:27 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-21 21:40 . 2007-10-27 18:03 -------- d-----w- c:\program files\iTunes
2009-07-21 21:40 . 2006-04-09 21:36 -------- d-----w- c:\program files\iPod
2009-07-21 21:40 . 2009-02-19 21:10 -------- d-----w- c:\program files\Common Files\Apple
2009-07-21 21:31 . 2009-07-21 21:31 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-17 19:01 . 2009-02-05 03:28 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-09-22 23:46 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-29 16:12 . 2009-02-05 03:27 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-02-05 03:28 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2004-08-29 21:19 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-08-18 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2009-02-05 03:27 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-11 15:44 . 2002-11-21 21:00 209440 -c--a-w- c:\documents and settings\Lonny Chant\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-11 15:33 . 2009-06-11 15:33 36864 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\{80E158EA-7181-40FE-A701-301CE6BE64AB}\PostBuild.exe
2009-06-10 14:13 . 2009-02-05 03:28 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2009-02-05 03:27 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2009-02-05 03:27 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 15:42 . 2009-05-13 19:15 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2009-02-19 21:11 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2009-02-05 03:27 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2006-01-20 00:23 . 2006-01-20 00:23 3072 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-01-20 00:23 . 2006-01-20 00:23 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-19 149280]

c:\documents and settings\Lonny Chant\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.e\0smrgdf c:\program files\iolo\System Mechanic Professional 6\\0iolobtdfg c:\windows\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"ATI Smart"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPWITOOLBOX"=c:\program files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"ioloDelayModule"=c:\program files\iolo\System Mechanic Professional 6\delay.exe
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\SYSTEM32\DRIVERS\ppa.sys [2/7/2003 12:37 PM 17792]
R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 5:04 AM 18088]
R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [10/9/2002 10:36 AM 4064]
R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [6/10/2008 2:28 PM 243200]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/14/2009 7:40 AM 232720]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [8/14/2009 7:40 AM 19096]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys --> c:\windows\system32\DRIVERS\ADSFilter.sys [?]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\DRIVERS\ati2mpaa.sys --> c:\windows\system32\DRIVERS\ati2mpaa.sys [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 RTCore32;RTCore32;c:\program files\RightMark Memory Analyzer\RTCore32.sys [6/10/2008 2:33 PM 4608]
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2005-12-09 19:45]

2009-08-16 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-03-09 18:39]
.
.
------- Supplementary Scan -------
.
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Lonny Chant\Application Data\Mozilla\Firefox\Profiles\h5abj7co.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 11:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\LP*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"nf\\cx_08948.inf\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\}›õw”¶*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.5004"
"DeviceInstanceIds"=multi:"\00"

[HKEY_LOCAL_MACHINE\software\swearware\backup\winsock2]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3040)
c:\windows\system32\WININET.dll
c:\windows\system32\wuaucpl.old.cpl
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-23 11:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-23 15:22
ComboFix2.txt 2009-08-18 13:17

Pre-Run: 13,385,707,520 bytes free
Post-Run: 13,315,846,144 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
421 --- E O F --- 2009-08-13 03:40

lonomatik · Aug 24, 2009

the KAS log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, August 23, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, August 23, 2009 18:15:43
Records in database: 2681285
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 117936
Threats found: 10
Infected objects found: 52
Suspicious objects found: 0
Scan duration: 06:24:26

File name / Threat / Threats count
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018463.dll.bac_a01676 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018464.exe.bac_a01676 Infected: Trojan-Downloader.Win32.Adload.aq 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018465.dll.bac_a01676 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018466.exe.bac_a01676 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018467.exe.bac_a01676 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018468.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018469.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018470.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018471.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018472.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc10.dll.bac_a00192 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc11.exe.bac_a00192 Infected: Trojan-Downloader.Win32.Adload.aq 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc12.dll.bac_a00192 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc6.exe.bac_a01256 Infected: Trojan-Downloader.Win32.Small.dkt 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc67.exe.bac_a01920 Infected: Trojan-Downloader.Win32.Small.dam 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc8.exe.bac_a00192 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc9.exe.bac_a00192 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\internetoloper.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\mwtanowo.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\phqghume.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\qdmbbqec.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\vtcalhel.exe.bac_a01280 Infected: Trojan-Downloader.Win32.Small.dam 1
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\yunfyiwe.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018463.dll.bac_a01676 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018464.exe.bac_a01676 Infected: Trojan-Downloader.Win32.Adload.aq 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018465.dll.bac_a01676 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018466.exe.bac_a01676 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018467.exe.bac_a01676 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018468.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018469.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018470.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018471.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018472.exe.bac_a01676 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc10.dll.bac_a00192 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc11.exe.bac_a00192 Infected: Trojan-Downloader.Win32.Adload.aq 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc12.dll.bac_a00192 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc6.exe.bac_a01256 Infected: Trojan-Downloader.Win32.Small.dkt 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc67.exe.bac_a01920 Infected: Trojan-Downloader.Win32.Small.dam 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc8.exe.bac_a00192 Infected: Trojan-Downloader.Win32.VB.aan 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc9.exe.bac_a00192 Infected: Hoax.Win32.VB.l 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\internetoloper.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\mwtanowo.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\phqghume.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\qdmbbqec.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\vtcalhel.exe.bac_a01280 Infected: Trojan-Downloader.Win32.Small.dam 1
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\yunfyiwe.exe.bac_a00192 Infected: Packed.Win32.Tibs 1
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETpfwkkpba.dll.vir Infected: Trojan.Win32.Tdss.anus 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETyxumoavk.dll.vir Infected: Trojan.Win32.Tdss.anuv 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP914\A0237591.dll Infected: Trojan.Win32.Tdss.anus 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP914\A0237592.dll Infected: Trojan.Win32.Tdss.anuv 1
F:\torrents\!Nero 8 ULTRA Edition with Keygen Working and Tested!\!Nero 8 ULTRA Edition with Keygen Working and Tested!\keymakers 1.exe Infected: Trojan-Downloader.Win32.VB.gix 1

Selected area has been scanned.

---and the fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:05 PM, on 8/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1218053295500
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233702376765
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Issicpmkcsvs - S3/Diamond Multimedia Systems - C:\WINDOWS\System32\drivers\RIODRV.SYS
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Conexant - (no file)

--
End of file - 5177 bytes

Blade81 · Aug 24, 2009

Uninstall old Adobe Reader versions and get the latest one (9.1 + updates 9.1.2 & 9.1.3) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.

Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.

Uninstall these vulnerable Javas:
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018463.dll.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018464.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018465.dll.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018466.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018467.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018468.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018469.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018470.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018471.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018472.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc10.dll.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc11.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc12.dll.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc6.exe.bac_a01256
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc67.exe.bac_a01920
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc8.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc9.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\internetoloper.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\mwtanowo.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\phqghume.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\qdmbbqec.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\vtcalhel.exe.bac_a01280
C:\Documents and Settings\Lonny Chant\.housecall\Quarantine\yunfyiwe.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018463.dll.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018464.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018465.dll.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018466.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018467.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018468.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018469.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018470.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018471.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018472.exe.bac_a01676
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc10.dll.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc11.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc12.dll.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc6.exe.bac_a01256
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc67.exe.bac_a01920
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc8.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc9.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\internetoloper.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\mwtanowo.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\phqghume.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\qdmbbqec.exe.bac_a00192
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\vtcalhel.exe.bac_a01280
C:\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\yunfyiwe.exe.bac_a00192
Folder::
F:\torrents\!Nero 8 ULTRA Edition with Keygen Working and Tested!
FixCSet::

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh hjt log. How's the system running?

lonomatik · Aug 24, 2009

the system has been running reasonably well. malwarebytes continues to notify me of a detected infection (just got one now!) but there have been no google redirects. however i really havent done any google searches and not much browsing since this problem occurred. heres the combofix log:

ComboFix 09-08-23.01 - Lonny Chant 08/24/2009 8:12.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1639 [GMT -4:00]
Running from: c:\documents and settings\Lonny Chant\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lonny Chant\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018463.dll.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018464.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018465.dll.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018466.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018467.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018468.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018469.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018470.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018471.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\A0018472.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\Dc10.dll.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\Dc11.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\Dc12.dll.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\Dc6.exe.bac_a01256"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\Dc67.exe.bac_a01920"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\Dc8.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\Dc9.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\internetoloper.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\mwtanowo.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\phqghume.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\qdmbbqec.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\vtcalhel.exe.bac_a01280"
"c:\documents and settings\Lonny Chant\.housecall\Quarantine\yunfyiwe.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018463.dll.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018464.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018465.dll.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018466.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018467.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018468.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018469.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018470.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018471.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\A0018472.exe.bac_a01676"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\Dc10.dll.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\Dc11.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\Dc12.dll.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\Dc6.exe.bac_a01256"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\Dc67.exe.bac_a01920"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\Dc8.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\Dc9.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\internetoloper.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\mwtanowo.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\phqghume.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\qdmbbqec.exe.bac_a00192"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\vtcalhel.exe.bac_a01280"
"c:\documents and settings\Lonny Chant\.housecall6.6\Quarantine\yunfyiwe.exe.bac_a00192"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\torrents\!Nero 8 ULTRA Edition with Keygen Working and Tested!
f:\torrents\!Nero 8 ULTRA Edition with Keygen Working and Tested!\!Nero 8 ULTRA Edition with Keygen Working and Tested!\keymakers 1.exe
f:\torrents\!Nero 8 ULTRA Edition with Keygen Working and Tested!\!Nero 8 ULTRA Edition with Keygen Working and Tested!\Nero-8.3.2.1_eng_trial_2.exe
f:\torrents\!Nero 8 ULTRA Edition with Keygen Working and Tested!\!Nero 8 ULTRA Edition with Keygen Working and Tested!\Serials.txt

.
((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
.

2009-08-19 13:23 . 2009-08-19 13:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-19 13:23 . 2009-08-19 13:23 152576 ----a-w- c:\documents and settings\Lonny Chant\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-19 12:42 . 2009-08-19 12:42 -------- d-----w- c:\program files\ERUNT
2009-08-19 10:33 . 2009-08-19 10:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-08-19 02:30 . 2009-08-19 02:32 -------- d-----w- c:\program files\Malwar
2009-08-18 21:03 . 2009-08-18 21:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-18 17:25 . 2009-08-18 17:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-18 12:06 . 2009-08-18 12:06 -------- d-----w- C:\rsit
2009-08-18 12:02 . 2009-08-18 12:02 -------- d-----w- c:\documents and settings\Lonny Chant\.SunDownloadManager
2009-08-16 00:47 . 2009-08-16 00:47 -------- d-----w- c:\program files\Trend Micro
2009-08-14 14:28 . 2009-08-14 14:45 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\IObit
2009-08-14 14:28 . 2009-08-14 14:28 -------- d-----w- c:\program files\IObit
2009-08-14 11:40 . 2009-08-14 11:40 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-14 11:40 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 11:40 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 18:49 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-24 12:00 . 2005-03-14 03:19 -------- d-----w- c:\program files\Java
2009-08-23 15:08 . 2008-03-07 08:49 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\Ahead
2009-08-23 15:08 . 2005-03-08 19:14 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\AdobeUM
2009-08-23 15:08 . 2007-03-13 20:47 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\acccore
2009-08-23 15:08 . 2005-03-22 17:02 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\.BitTornado
2009-08-23 13:26 . 2006-05-29 23:24 -------- d-----w- c:\program files\bl
2009-08-19 13:17 . 2007-07-04 00:46 -------- d-----w- c:\program files\Steam
2009-08-18 20:43 . 2004-01-03 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-18 20:42 . 2008-03-11 11:54 -------- d-----w- c:\program files\CCleaner
2009-08-18 20:23 . 2005-02-16 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-18 15:15 . 2009-08-18 15:56 11264 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-08-18 15:15 . 2009-08-18 15:56 3396608 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-08-18 13:21 . 2009-08-18 13:52 13824 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-08-18 13:21 . 2009-08-18 13:52 3396096 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-08-18 13:08 . 2009-08-18 13:21 3396096 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-08-18 13:08 . 2009-08-18 13:21 44032 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-08-17 10:34 . 2005-02-16 15:00 48622851 -c--a-w- c:\windows\Internet Logs\tvDebug.zip
2009-08-15 23:50 . 2002-10-04 20:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-15 22:24 . 2009-08-15 22:24 3391488 ----a-w- c:\windows\Internet Logs\xDB9A.tmp
2009-08-15 22:24 . 2009-08-15 22:24 25600 ----a-w- c:\windows\Internet Logs\xDB99.tmp
2009-08-15 20:48 . 2009-08-15 20:48 3390976 ----a-w- c:\windows\Internet Logs\xDB72.tmp
2009-08-15 20:48 . 2009-08-15 20:48 3000832 ----a-w- c:\windows\Internet Logs\xDB71.tmp
2009-08-14 14:44 . 2008-06-10 18:33 -------- d-----w- c:\program files\RightMark Memory Analyzer
2009-08-14 14:44 . 2008-03-04 14:35 -------- d-----w- c:\documents and settings\Lonny Chant\Application Data\Vso
2009-08-14 14:44 . 2007-12-24 15:30 -------- d-----w- c:\program files\EarthLink TotalAccess
2009-08-14 14:44 . 2003-03-07 23:56 -------- d-----w- c:\program files\DivX
2009-08-14 14:44 . 2002-10-04 20:52 -------- d-----w- c:\program files\MUSICMATCH
2009-08-14 11:41 . 2009-05-30 11:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 09:01 . 2009-02-05 03:27 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-21 21:40 . 2007-10-27 18:03 -------- d-----w- c:\program files\iTunes
2009-07-21 21:40 . 2006-04-09 21:36 -------- d-----w- c:\program files\iPod
2009-07-21 21:40 . 2009-02-19 21:10 -------- d-----w- c:\program files\Common Files\Apple
2009-07-21 21:31 . 2009-07-21 21:31 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-17 19:01 . 2009-02-05 03:28 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-09-22 23:46 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-29 16:12 . 2009-02-05 03:27 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-02-05 03:28 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2004-08-29 21:19 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-08-18 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2009-02-05 03:27 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-11 15:44 . 2002-11-21 21:00 209440 -c--a-w- c:\documents and settings\Lonny Chant\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-11 15:33 . 2009-06-11 15:33 36864 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\{80E158EA-7181-40FE-A701-301CE6BE64AB}\PostBuild.exe
2009-06-10 14:13 . 2009-02-05 03:28 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2009-02-05 03:27 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2009-02-05 03:27 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 15:42 . 2009-05-13 19:15 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2009-02-19 21:11 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2009-02-05 03:27 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2006-01-20 00:23 . 2006-01-20 00:23 3072 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-01-20 00:23 . 2006-01-20 00:23 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-23_15.13.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-24 12:21 . 2009-08-24 12:21 16384 c:\windows\temp\Perflib_Perfdata_734.dat
+ 2009-08-24 12:21 . 2009-08-24 12:21 16384 c:\windows\temp\Perflib_Perfdata_558.dat
+ 2008-11-14 02:23 . 2009-08-24 12:04 84661 c:\windows\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
- 2008-11-14 02:23 . 2009-03-27 10:53 84661 c:\windows\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-08-24 10:36 . 2009-08-24 10:36 266240 c:\windows\ERDNT\AutoBackup\8-24-2009\Users\00000002\UsrClass.dat
+ 2009-08-24 10:36 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\8-24-2009\ERDNT.EXE
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2009-08-24 10:36 . 2009-08-24 10:36 13410304 c:\windows\ERDNT\AutoBackup\8-24-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-19 149280]

c:\documents and settings\Lonny Chant\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.e\0smrgdf c:\program files\iolo\System Mechanic Professional 6\\0iolobtdfg c:\windows\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"ATI Smart"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPWITOOLBOX"=c:\program files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"ioloDelayModule"=c:\program files\iolo\System Mechanic Professional 6\delay.exe
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\SYSTEM32\DRIVERS\ppa.sys [2/7/2003 12:37 PM 17792]
R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 5:04 AM 18088]
R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [10/9/2002 10:36 AM 4064]
R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [6/10/2008 2:28 PM 243200]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/14/2009 7:40 AM 232720]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [8/14/2009 7:40 AM 19096]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys --> c:\windows\system32\DRIVERS\ADSFilter.sys [?]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\DRIVERS\ati2mpaa.sys --> c:\windows\system32\DRIVERS\ati2mpaa.sys [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 RTCore32;RTCore32;c:\program files\RightMark Memory Analyzer\RTCore32.sys [6/10/2008 2:33 PM 4608]
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2005-12-09 19:45]

2009-08-16 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-03-09 18:39]
.
.
------- Supplementary Scan -------
.
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Lonny Chant\Application Data\Mozilla\Firefox\Profiles\h5abj7co.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 08:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\LP*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"nf\\cx_08948.inf\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\}›õw”¶*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.5004"
"DeviceInstanceIds"=multi:"\00"

[HKEY_LOCAL_MACHINE\software\swearware\backup\winsock2]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1980)
c:\windows\system32\WININET.dll
c:\windows\system32\wuaucpl.old.cpl
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-24 8:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-24 12:32
ComboFix2.txt 2009-08-23 15:22
ComboFix3.txt 2009-08-18 13:17

Pre-Run: 13,629,009,920 bytes free
Post-Run: 13,654,831,104 bytes free

274 --- E O F --- 2009-08-13 03:40

lonomatik · Aug 24, 2009

the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:44 AM, on 8/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1218053295500
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233702376765
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Issicpmkcsvs - S3/Diamond Multimedia Systems - C:\WINDOWS\System32\drivers\RIODRV.SYS
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Conexant - (no file)

--
End of file - 5429 bytes

Blade81 · Aug 24, 2009

malwarebytes continues to notify me of a detected infection (just got one now!)

Hi,

In which locations are those detections made?

lonomatik · Aug 24, 2009

the warnings come in the form of popups from the malwarebytes icon in the system tray when firefox is open and online. it provides no other details except for a sequence of 2 digit numbers separated by periods.

Blade81 · Aug 25, 2009

Could you grab a screenshot of those warnings?

lonomatik · Aug 25, 2009

here it is:

the number is obviously an IP address. guess i wasnt paying close attention when i first noticed it. anyways i'm not browsing in any sketchy websites, so i'm not quite sure why this is popping up.

lonomatik · Aug 25, 2009

btw-- if i try to click on it for more info it simply disappears as if it was never there.

Blade81 · Aug 25, 2009

Please take a look at this topic.

lonomatik · Aug 26, 2009

okay, i followed and read the link. i d/l AVIRA and did a scan. the first scan turned up 77 problems/infections! heres the logfile:

Avira AntiVir Personal
Report file date: Tuesday, August 25, 2009 16:32

Scanning for 1660377 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : HPS

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 18:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 14:21:42
ANTIVIR2.VDF : 7.1.5.146 3087360 Bytes 8/21/2009 15:08:57
ANTIVIR3.VDF : 7.1.5.160 129024 Bytes 8/25/2009 15:08:59
Engineversion : 8.2.1.3
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 18:31:50
AESCRIPT.DLL : 8.1.2.25 459130 Bytes 8/25/2009 15:09:14
AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 14:59:39
AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 14:59:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 18:31:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 14:59:39
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 8/25/2009 15:09:12
AEHELP.DLL : 8.1.6.0 233846 Bytes 8/25/2009 15:09:02
AEGEN.DLL : 8.1.1.57 356725 Bytes 8/25/2009 15:09:01
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 14:59:39
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, F:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, August 25, 2009 16:32

Starting search for hidden objects.
'55865' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RichVideo.exe' - '1' Module(s) have been scanned
Scan process 'mbamservice.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'CachemanXP.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'mbamgui.exe' - '1' Module(s) have been scanned
Scan process 'ipoint.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '46' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Qoobox\Quarantine\[4]-Submit_2009-08-24_08.10.42.zip
[0] Archive type: ZIP
--> A0018463.dll.bac_a01676
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> A0018464.exe.bac_a01676
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> A0018465.dll.bac_a01676
[1] Archive type: HIDDEN
--> MEM\AV00029d15.AV$
[DETECTION] Is the TR/Dldr.VB.aan.1 Trojan
--> A0018466.exe.bac_a01676
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> A0018467.exe.bac_a01676
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> A0018468.exe.bac_a01676
[1] Archive type: HIDDEN
--> MEM\AV00029d18.AV$
[DETECTION] Is the TR/Dldr.Agent.QO Trojan
--> A0018469.exe.bac_a01676
[1] Archive type: HIDDEN
--> MEM\AV00029d19.AV$
[DETECTION] Is the TR/Tibs.E Trojan
--> A0018470.exe.bac_a01676
[1] Archive type: HIDDEN
--> MEM\AV00029d1a.AV$
[DETECTION] Is the TR/Tibs.E Trojan
--> A0018471.exe.bac_a01676
[1] Archive type: HIDDEN
--> MEM\AV00029d1b.AV$
[DETECTION] Is the TR/Tibs.E Trojan
--> A0018472.exe.bac_a01676
[1] Archive type: HIDDEN
--> MEM\AV00029d1c.AV$
[DETECTION] Is the TR/Tibs.E Trojan
--> Dc10.dll.bac_a00192
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> Dc11.exe.bac_a00192
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> Dc12.dll.bac_a00192
[1] Archive type: HIDDEN
--> MEM\AV00029d1f.AV$
[DETECTION] Is the TR/Dldr.VB.aan.1 Trojan
--> Dc6.exe.bac_a01256
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.F.Gen Trojan
--> Dc67.exe.bac_a01920
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.F.Gen Trojan
--> Dc8.exe.bac_a00192
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> Dc9.exe.bac_a00192
[1] Archive type: HIDDEN
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
--> internetoloper.exe.bac_a00192
[1] Archive type: HIDDEN
--> MEM\AV00029d24.AV$
[DETECTION] Is the TR/Dldr.Agent.QO Trojan
--> mwtanowo.exe.bac_a00192
[1] Archive type: HIDDEN
--> MEM\AV00029d25.AV$
[DETECTION] Is the TR/Tibs.E Trojan
--> phqghume.exe.bac_a00192
[1] Archive type: HIDDEN
--> MEM\AV00029d26.AV$
[DETECTION] Is the TR/Tibs.E Trojan
--> qdmbbqec.exe.bac_a00192
[1] Archive type: HIDDEN
--> MEM\AV00029d27.AV$
[DETECTION] Is the TR/Tibs.E Trojan
--> vtcalhel.exe.bac_a01280
[1] Archive type: HIDDEN
--> MEM\AV00029d28.AV$
[DETECTION] Is the TR/Dldr.Botol.C.1 Trojan
--> yunfyiwe.exe.bac_a00192
[1] Archive type: HIDDEN
--> MEM\AV00029d29.AV$
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018463.dll.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018464.exe.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018465.dll.bac_a01676.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018465.dll.bac_a01676.vir
[DETECTION] Is the TR/Dldr.VB.aan.1 Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018466.exe.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018467.exe.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018468.exe.bac_a01676.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018468.exe.bac_a01676.vir
[DETECTION] Is the TR/Dldr.Agent.QO Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018469.exe.bac_a01676.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018469.exe.bac_a01676.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018470.exe.bac_a01676.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018470.exe.bac_a01676.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018471.exe.bac_a01676.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018471.exe.bac_a01676.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018472.exe.bac_a01676.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018472.exe.bac_a01676.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc10.dll.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc11.exe.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc12.dll.bac_a00192.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc12.dll.bac_a00192.vir
[DETECTION] Is the TR/Dldr.VB.aan.1 Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc6.exe.bac_a01256.vir
[DETECTION] Is the TR/Crypt.F.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc67.exe.bac_a01920.vir
[DETECTION] Is the TR/Crypt.F.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc8.exe.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc9.exe.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\internetoloper.exe.bac_a00192.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\internetoloper.exe.bac_a00192.vir
[DETECTION] Is the TR/Dldr.Agent.QO Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\mwtanowo.exe.bac_a00192.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\mwtanowo.exe.bac_a00192.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\phqghume.exe.bac_a00192.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\phqghume.exe.bac_a00192.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\qdmbbqec.exe.bac_a00192.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\qdmbbqec.exe.bac_a00192.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\vtcalhel.exe.bac_a01280.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\vtcalhel.exe.bac_a01280.vir
[DETECTION] Is the TR/Dldr.Botol.C.1 Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\yunfyiwe.exe.bac_a00192.vir
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\yunfyiwe.exe.bac_a00192.vir
[DETECTION] Is the TR/Tibs.E Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018463.dll.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018464.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018465.dll.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018466.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018467.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018468.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018469.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018470.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018471.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018472.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc10.dll.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc11.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc12.dll.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc6.exe.bac_a01256.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc67.exe.bac_a01920.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc8.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc9.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\internetoloper.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\mwtanowo.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\phqghume.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\qdmbbqec.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\vtcalhel.exe.bac_a01280.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\yunfyiwe.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\.BitTornado\moha.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\acccore\reniga.dll.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\AdobeUM\horsi.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\Ahead\megalon.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETpfwkkpba.dll.vir
[DETECTION] Is the TR/TDss.anus Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETyxumoavk.dll.vir
[DETECTION] Is the TR/TDss.anuv Trojan
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'F:\' <New Volume>
F:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
F:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP923\A0238540.exe
[DETECTION] Contains recognition pattern of the DR/Dldr.VB.gix.25 dropper
F:\torrents\VueScan Professional Edition 8.4.06\Keygen.exe
[DETECTION] Is the TR/Packed.25689 Trojan

Beginning disinfection:
C:\Qoobox\Quarantine\[4]-Submit_2009-08-24_08.10.42.zip
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018463.dll.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018464.exe.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018465.dll.bac_a01676.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018466.exe.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018467.exe.bac_a01676.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018468.exe.bac_a01676.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018469.exe.bac_a01676.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018470.exe.bac_a01676.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018471.exe.bac_a01676.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\A0018472.exe.bac_a01676.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc10.dll.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc11.exe.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc12.dll.bac_a00192.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc6.exe.bac_a01256.vir
[DETECTION] Is the TR/Crypt.F.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc67.exe.bac_a01920.vir
[DETECTION] Is the TR/Crypt.F.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc8.exe.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\Dc9.exe.bac_a00192.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\internetoloper.exe.bac_a00192.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\mwtanowo.exe.bac_a00192.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\phqghume.exe.bac_a00192.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\qdmbbqec.exe.bac_a00192.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\vtcalhel.exe.bac_a01280.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall\Quarantine\yunfyiwe.exe.bac_a00192.vir
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018463.dll.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018464.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018465.dll.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018466.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018467.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018468.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018469.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018470.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018471.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\A0018472.exe.bac_a01676.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc10.dll.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc11.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc12.dll.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc6.exe.bac_a01256.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc67.exe.bac_a01920.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc8.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\Dc9.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\internetoloper.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\mwtanowo.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\phqghume.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\qdmbbqec.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\vtcalhel.exe.bac_a01280.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\.housecall6.6\Quarantine\yunfyiwe.exe.bac_a00192.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\.BitTornado\moha.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\acccore\reniga.dll.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\AdobeUM\horsi.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Lonny Chant\Application Data\Ahead\megalon.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETpfwkkpba.dll.vir
[DETECTION] Is the TR/TDss.anus Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETyxumoavk.dll.vir
[DETECTION] Is the TR/TDss.anuv Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
F:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP923\A0238540.exe
[DETECTION] Contains recognition pattern of the DR/Dldr.VB.gix.25 dropper
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
F:\torrents\VueScan Professional Edition 8.4.06\Keygen.exe
[DETECTION] Is the TR/Packed.25689 Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.

End of the scan: Tuesday, August 25, 2009 23:49
Used time: 1:43:24 Hour(s)

The scan has been done completely.

11308 Scanned directories
371051 Files were scanned
77 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
3 Files cannot be scanned
370971 Files not concerned
7537 Archives were scanned
58 Warnings
57 Notes
55865 Objects were scanned with rootkit scan
0 Hidden objects were found

lonomatik · Aug 26, 2009

i used AVIRA again after a reboot and it turned up only 1 problem which was quarantined. heres the log:

Avira AntiVir Personal
Report file date: Tuesday, August 25, 2009 23:56

Scanning for 1662031 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : HPS

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 18:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 14:21:42
ANTIVIR2.VDF : 7.1.5.146 3087360 Bytes 8/21/2009 15:08:57
ANTIVIR3.VDF : 7.1.5.162 149504 Bytes 8/25/2009 03:55:14
Engineversion : 8.2.1.3
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 18:31:50
AESCRIPT.DLL : 8.1.2.25 459130 Bytes 8/25/2009 15:09:14
AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 14:59:39
AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 14:59:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 18:31:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 14:59:39
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 8/25/2009 15:09:12
AEHELP.DLL : 8.1.6.0 233846 Bytes 8/25/2009 15:09:02
AEGEN.DLL : 8.1.1.57 356725 Bytes 8/25/2009 15:09:01
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 14:59:39
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, F:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, August 25, 2009 23:56

Starting search for hidden objects.
'55984' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RichVideo.exe' - '1' Module(s) have been scanned
Scan process 'mbamservice.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'CachemanXP.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'ipoint.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '46' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'F:\' <New Volume>
F:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
F:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP925\A0238842.exe
[DETECTION] Is the TR/Packed.25689 Trojan

Beginning disinfection:
F:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP925\A0238842.exe
[DETECTION] Is the TR/Packed.25689 Trojan
[NOTE] The file was moved to '4ac716d6.qua'!

End of the scan: Wednesday, August 26, 2009 07:04
Used time: 1:11:45 Hour(s)

The scan has been done completely.

11320 Scanned directories
371114 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
3 Files cannot be scanned
371110 Files not concerned
7549 Archives were scanned
3 Warnings
3 Notes
55984 Objects were scanned with rootkit scan
0 Hidden objects were found

Blade81 · Aug 26, 2009

Hi,

System restore will be resetted as a final step. Before that and other final things, please post a fresh hjt log.

trojan.agent infection

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

New member

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus