TheTechGuide Forum
General Category => Tech Clinic => Topic started by: ixjerryxi on January 23, 2008, 08:46:21 AM
-
I just found a vundo trojan on my computer and I was wondering if anyone knows how I can get rid of it. Thanks in advance.
Trojan.vundo
C:\windows\system32\jkhhe.dll
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:23 AM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET .EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Winamp\winampa .exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
C:\Program Files\ATI Multimedia\main\ATIDtct .EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = forbin.qc.edu:3128
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhe.exe
O1 - Hosts: comments (such as these) may be inserted on individual
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095300908968
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
--
End of file - 12032 bytes
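As an added illustration (not part of the original post, and not a HijackThis feature), the checks a responder applies by eye to a log like the one above can be written down and run over the log text. The script below flags the indicators that turned out to matter in this thread: a win.ini `load=` entry (F3), a proxy setting (R1), a modified hosts file (O1), an HKCU Run value pointing into system32 (O4), the download host of each ActiveX control (O16), and any path with a space before the extension, which is how the twins such as `ashDisp .exe` show up in the process list. The sample log is a constructed subset of the lines posted above; the allow list `KNOWN_GOOD_HKCU_SYSTEM32` is an assumption that covers only `ctfmon.exe`.

```python
"""Mechanical triage of a HijackThis log.

Added example; not part of the original thread and not a HijackThis
feature. SAMPLE_LOG is a constructed subset of the log posted above.
"""
import re

# Prefixed entries look like "O4 - HKCU\..\Run: [name] path"; the running
# process list at the top of a log is bare paths with no prefix.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")

# A space between stem and extension ("ashDisp .exe") is not something an
# installer produces; every such twin in the log above was later quarantined.
SPACED_EXT_RE = re.compile(r"\S \.(exe|com|dll|bat|cmd|scr)\b", re.IGNORECASE)

# Executable under \system32\ named in an O4 entry.
SYSTEM32_TARGET_RE = re.compile(r'\\system32\\([^\s"]+)', re.IGNORECASE)

# HKCU Run values that legitimately live in system32 on XP. Assumption:
# this allow list is deliberately tiny; extend it from your own baseline.
KNOWN_GOOD_HKCU_SYSTEM32 = {"ctfmon.exe"}


def triage(log_text):
    """Return a list of (indicator, line) pairs worth a human's attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SPACED_EXT_RE.search(line):
            findings.append(("spaced-extension", line))
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        if code == "F3" and "load=" in body.lower():
            # win.ini load= is a legacy autostart that almost nothing uses today.
            findings.append(("win.ini-load", line))
        elif code == "R1" and "ProxyServer" in body:
            findings.append(("proxy-server", line))
        elif code == "O1":
            # HijackThis lists every non-default hosts entry as O1.
            findings.append(("hosts-file", line))
        elif code == "O4" and body.startswith("HKCU"):
            t = SYSTEM32_TARGET_RE.search(body)
            if t and t.group(1).lower() not in KNOWN_GOOD_HKCU_SYSTEM32:
                findings.append(("hkcu-run-system32", line))
        elif code == "O16":
            # ActiveX download sites: surface the host so the reader can vet it.
            host = re.search(r"https?://([^/\s]+)", body)
            if host:
                findings.append(("activex-site:" + host.group(1), line))
    return findings


# Constructed subset of the log above (process list lines first, then entries).
SAMPLE_LOG = r"""
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = forbin.qc.edu:3128
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhe.exe
O1 - Hosts: comments (such as these) may be inserted on individual
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
"""

if __name__ == "__main__":
    for indicator, line in triage(SAMPLE_LOG):
        print(f"{indicator:36} {line}")
```

Run it against a full saved log with `triage(open("hijackthis.log").read())`. It is a filter, not a verdict: the ctfmon entry is left alone only because of the allow list, and every O16 host is listed for review rather than judged.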
-
Can you do the following please
Do a "System scan only" with Hijackthis and put a check next to these entries:
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhe.exe
O1 - Hosts: comments (such as these) may be inserted on individual
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Download HostsXpert here (http://www.funkytoad.com/download/HostsXpert.zip) and unzip it to your desktop.
Next, open HostsXpert - Make sure that the "make hosts writable?" button in the upper left corner is checked>>Should read 'Make Readonly'
- Now, click on 'Backup/Restore'
- Click 'Create Backup'>>OK>>OK
- then click on 'Restore MS host files'>>OK
- Finally, close HostsXpert.
Temporarily disable Avast's protections so it won't interfere
Right click the Avast icon by the clock and Stop on access protections>>OK the prompt
Afterwards
Download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."
I'll need to see this report from Vundofix later>>C:\Vundofix.txt
Ensure Avast's protections are still disabled
Afterwards:
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post back all the following after the above is done, even if it takes more than one reply to do so
1. Post the log from Combofix, its default location is >>C:\Combofix.txt
2. Post the log from Vundofix, its default location is >>C:\Vundofix.txt
3. Run a fresh Scan>Save logfile with Hijackthis and post its log also
-
Combofix Log
ComboFix 08-01-23.2 - Administrator 2008-01-23 19:32:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.490 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\80avp08.com
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\ATI Multimedia\main\ATIDtct .EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW .exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe
C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET .EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Winamp\winampa .exe
C:\Program Files\Winamp\winampa.exe
C:\semo2x.exe
C:\u.bat
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini2
C:\WINDOWS\system32\jkhhe.dll
C:\WINDOWS\system32\jkhhe.exe
C:\WINDOWS\system32\NeroCheck .exe
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\UpdReg .EXE
C:\WINDOWS\UpdReg.EXE
F:\80avp08.com
F:\semo2x.exe
F:\u.bat
C:\Program Files\Alwil Software\Avast4\ashDisp .exe ---> QooBox
C:\Program Files\ATI Multimedia\main\ATIDtct .EXE ---> QooBox
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW .exe ---> QooBox
C:\Program Files\Common Files\Real\Update_OB\realsched .exe ---> QooBox
C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe ---> QooBox
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe ---> QooBox
C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe ---> QooBox
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET .EXE ---> QooBox
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe ---> QooBox
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe ---> QooBox
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> QooBox
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe ---> QooBox
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe ---> QooBox
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe ---> QooBox
C:\Program Files\Winamp\winampa .exe ---> QooBox
C:\WINDOWS\UpdReg .EXE ---> QooBox
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
C:\WINDOWS\system32\NeroCheck .exe ---> QooBox
.
.
((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.
2008-01-23 19:30 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 15:21 . 2008-01-23 15:20 107,528 -r-hs---- C:\awda2.exe
2008-01-23 00:45 . 2008-01-23 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 22:02 . 2008-01-22 22:02 435 --a------ C:\WINDOWS\system32\Shortcut to system32.lnk
2008-01-22 22:00 . 2008-01-22 23:55 289 --a------ C:\WINDOWS\wininit.ini
2008-01-22 20:40 . 2008-01-22 20:40 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-21 13:37 . 2008-01-23 08:55 443,904 -r-hs---- C:\xn1i9x.com
2008-01-17 08:15 . 2008-01-17 08:14 105,525 -r-hs---- C:\m1t8ta.com
2008-01-15 13:56 . 2008-01-16 19:35 104,863 -r-hs---- C:\juok3st.bat
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Program Files\Jabra
2008-01-10 11:30 . 2008-01-15 07:22 104,451 -r-hs---- C:\d.com
2008-01-09 12:50 . 2008-01-09 12:49 104,392 -r-hs---- C:\tio8x6.cmd
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 00:38 --------- d-----w C:\Program Files\Winamp
2008-01-24 00:37 --------- d-----w C:\Program Files\QuickTime
2008-01-24 00:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 00:37 --------- d-----w C:\Program Files\iTunes
2008-01-15 23:41 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-03 02:22 --------- d-----w C:\Program Files\Creative
2008-01-03 02:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-24 12:52 124,370 --sh--r C:\usdeiect.com
2007-12-21 19:24 121,918 --sh--r C:\uxdeiect.com
2007-12-18 20:22 123,873 --sh--r C:\n1deiect.com
2007-12-16 23:27 --------- d-----w C:\Program Files\mIRC
2007-12-15 23:51 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-10 15:21 123,223 --sh--r C:\nideiect.com
2007-12-06 22:19 --------- d-----w C:\Program Files\iPod
2007-12-06 03:36 --------- d-----w C:\Program Files\Viewpoint
2007-12-06 03:36 --------- d-----w C:\Program Files\AIM6
2007-12-01 17:56 98,620 --sh--r C:\ntde1ect.com
2007-11-26 19:04 --------- d-----w C:\Program Files\Java
2005-01-14 06:28 0 -c-h--w C:\Program Files\ENYOLINK Settings
2004-11-19 05:05 3,546 -c--a-w C:\Program Files\uninstal.log
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD4C3CF0-4B15-11D1-ABED-709549C10000}]
C:\Program Files\Go!Zilla\GoIEHlp.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [ ]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [ ]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [ ]
"ATI Launchpad"="" []
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [ ]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DXDllRegExe"="dxdllreg.exe" []
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [ ]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [ ]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-30 12:19 4628480]
"nwiz"="nwiz.exe" [2004-11-30 12:19 921600 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-11-30 12:19 86016]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 11:45 49152 C:\WINDOWS\KHALMNPR.Exe]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [ ]
"RCSystem"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
"CTHelper"="CTHELPER.EXE" [2005-08-07 17:10 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 17:10 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-22 15:50:16 577597]
Color Calibration.lnk - C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe [2005-01-17 21:40:40 36864]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Logitech Desktop Messenger.lnk - C:\QooBox\Quarantine\C\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe.vir [2007-02-26 23:01:24 433152]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-10-08 19:34:22 434176]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2005-01-17 21:40:17 155715]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 ATIDACXX;ATI DTV Wonder Analog Audio Capture Device;C:\WINDOWS\system32\drivers\atidacxx.sys [2005-09-26 20:21]
R3 ATIDDCXX;ATI DTV Wonder Digital BDA Capture Device;C:\WINDOWS\system32\drivers\atiddcxx.sys [2005-09-26 20:20]
R3 ATIDTUXX;ATI DTV Wonder Digital And Analog Tuner Device;C:\WINDOWS\system32\drivers\atidtuxx.sys [2005-09-26 20:21]
R3 ATIDVCXX;ATI DTV Wonder Analog AV Capture Device;C:\WINDOWS\system32\drivers\atidvcxx.sys [2005-09-26 20:20]
R3 ATIDXBXX;ATI DTV Wonder Analog AV Crossbar Device;C:\WINDOWS\system32\drivers\atidxbxx.sys [2005-09-26 20:20]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-07 16:54]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 09:05]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 09:27]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 09:05]
S3 S3SAV2K;S3SAV2K;C:\WINDOWS\system32\DRIVERS\s3sav2km.sys [2004-09-25 21:43]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-13 19:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 19:42:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\GameHook.dll
.
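Two things in the ComboFix log above are worth pulling out mechanically. Its "Files Created" and Find3M sections list a run of executables sitting directly in the root of C: with the read-only, hidden and system attributes set (`-r-hs----`, `--sh--r`), and its deletion list shows the same three names (`80avp08.com`, `semo2x.exe`, `u.bat`) in the root of both C: and F:, the footprint of a worm that seeds removable drives. The script below is an added example, not part of the thread and not a ComboFix feature: it parses those line formats, reports root-level executables carrying both the hidden and system attributes, and groups root-level file names by the drives they appear on. Assumptions: the attribute letters are read as r=read-only, h=hidden, s=system, d=directory (other letters are carried through untouched), and `FILES_CREATED` and `DELETED` are constructed subsets of the log above.

```python
"""Pull hidden/system root-level executables and cross-drive duplicates
out of a ComboFix log.

Added example; not part of the original thread and not a ComboFix
feature. FILES_CREATED and DELETED are constructed subsets of the log
above. Assumption: attribute letters mean r=read-only, h=hidden,
s=system, d=directory; any other letter is kept as-is.
"""
import re

# "Files Created" lines: <mtime> . <ctime> <size> <attrs> <path>
# Find3M lines:          <mtime> <size-or-dashes> <attrs> <path>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})"            # modification time
    r"(?: \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"    # creation time (Files Created only)
    r"\s+(<DIR>|[\d,]+|-+)"                        # size, <DIR> or dashes
    r"\s+([a-z-]+)"                                # attribute letters
    r"\s+(.+)$"                                    # path
)

# An executable sitting directly in a drive root, e.g. C:\xn1i9x.com
ROOT_EXEC_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(com|exe|bat|cmd|pif|scr)$", re.IGNORECASE)
# Any file directly in a drive root: captures (drive letter, file name)
ROOT_FILE_RE = re.compile(r"^([A-Za-z]):\\([^\\]+)$")


def hidden_system_root_executables(combofix_text):
    """Return (path, size, attrs) for root-level executables carrying both the
    hidden and system attributes, the combination the droppers in the log
    above use to stay out of a default Explorer listing."""
    hits = []
    for raw in combofix_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size, attrs, path = m.group(3), m.group(4), m.group(5)
        flags = {c for c in attrs if c != "-"}
        if "d" in flags:          # directory entry, not a file
            continue
        if ROOT_EXEC_RE.match(path) and {"h", "s"} <= flags:
            hits.append((path, size, "".join(sorted(flags))))
    return hits


def replicated_root_files(paths):
    """Map each root-level file name seen on more than one drive to the sorted
    drive letters it appeared on. The same name in the root of C: and of a
    removable drive is the signature of autorun-style spreading."""
    seen = {}
    for p in paths:
        m = ROOT_FILE_RE.match(p.strip())
        if m:
            seen.setdefault(m.group(2).lower(), set()).add(m.group(1).upper())
    return {name: sorted(drives) for name, drives in seen.items() if len(drives) > 1}


# Constructed subset of the "Files Created" and Find3M sections above.
FILES_CREATED = r"""
2008-01-23 19:30 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 15:21 . 2008-01-23 15:20 107,528 -r-hs---- C:\awda2.exe
2008-01-23 00:45 . 2008-01-23 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 13:37 . 2008-01-23 08:55 443,904 -r-hs---- C:\xn1i9x.com
2008-01-15 13:56 . 2008-01-16 19:35 104,863 -r-hs---- C:\juok3st.bat
2007-12-24 12:52 124,370 --sh--r C:\usdeiect.com
2007-12-01 17:56 98,620 --sh--r C:\ntde1ect.com
2008-01-24 00:38 --------- d-----w C:\Program Files\Winamp
"""

# Constructed subset of the "Other Deletions" list above.
DELETED = [
    r"C:\80avp08.com", r"C:\semo2x.exe", r"C:\u.bat",
    r"C:\WINDOWS\system32\amvo.exe",
    r"F:\80avp08.com", r"F:\semo2x.exe", r"F:\u.bat",
]

if __name__ == "__main__":
    for path, size, attrs in hidden_system_root_executables(FILES_CREATED):
        print(f"{attrs:5} {size:>10} {path}")
    for name, drives in replicated_root_files(DELETED).items():
        print(f"{name} present on drives {', '.join(drives)}")
```

The drive grouping is the part worth keeping after the cleanup: if a file name reported on C: also shows up on F:, every removable drive that was plugged into this machine while it was infected needs the same check before it is used again.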
-
Vundofix Log
Symantec Trojan.Vundo Removal Tool 1.5.0
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\194AVJPD\homead;arena=nfl;arena=home;type=psa;team=HOME;user=Anonymous;seg=nonaol;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;dpart=1;adid=23532491;cust=no;vip=no;u=;sz=1x1;ti[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\194AVJPD\homead;arena=nfl;arena=home;type=psa;team=HOME;user=Anonymous;seg=nonaol;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;dpart=1;cust=no;vip=no;u=;sz=230x75;tile=7;ord=61[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\194AVJPD\homead;arena=nfl;arena=home;type=psa;team=HOME;user=Anonymous;seg=nonaol;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;dpart=1;cust=no;vip=no;u=;sz=985x40;tile=6;ord=46[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\194AVJPD\players;arena=nfl;feat=players;type=psa;page=index;user=Anonymous;seg=nonaol;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;u=Q7txegq0Dr4AAGU1cNs;sz=160x6[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\194AVJPD\players;arena=nfl;feat=players;type=psa;team=NE;playr=187741;user=Anonymous;seg=nonaol;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;u=Q7txegq0Dr4AAGU1cN[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\194OHH6I\CAI3OPGP.com%26scx%3D1280%26scy%3D1024%26scc%3D32%26sta%3D%2C%2C%2C1%2C%2C%2C%2C%2C%2C%2C0%2C5%2C0%2C19679%2C19579%2C14659%2C15477%2C501%26iid%3D218218%26bid%3D804224%26datne%3D (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\2NWRYPW7\Directions;MN=93206399;wm=o;city=brooklyn;st=ny;dma=newyork;co=usa;abr=%21ec;!c=d-fls;!c=d-htm;!c=d-jav;!c=d-dxp;!c=d-pxp;sz=300x250;tile=1;dcove=d;ord=185230333[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\2TSB4RS5\site=cs&pagepos=3&city=newyork&market_id=66&adsize=160x600&adsize=120x600&guide=cityguide&context=generic&brand=citysearch&Params.richmedia=yes&Params[1].htm (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4Z6BY5UX\Directions;MN=93206399;wm=o;city=brooklyn;st=ny;dma=newyork;co=usa;abr=%21ec;!c=d-fls;!c=d-htm;!c=d-jav;!c=d-dxp;!c=d-pxp;sz=300x250;tile=1;dcove=d;ord=185277880[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6Y3IEP2Y\Burton-12_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQfrtsZ50QQfsooZ1QQfsopZ1QQfstypeZ1QQftrtZ1QQftrvZ1QQsacatZQ2d1QQsaprchiZQQsaprcloZ[1].htm (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6Y3IEP2Y\Burton-mission_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQfrtsZ50QQfsooZ1QQfsopZ1QQfstypeZ1QQftrtZ1QQftrvZ1QQsacatZQ2d1QQsaprchiZQQsaprc[1].htm (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\DWKVOFZ5\Burton-Cartel_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQfrtsZ50QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQsacatZQ2d1QQsaprchiZQQsaprcloZ[1].htm (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\DWKVOFZ5\Burton-freestyle_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfrom
ZR10QQfrtsZ50QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQsacatZQ2d1QQsaprchiZQQsaprcloZ[1].
htm (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\DWKVOFZ5\CAUZ0P25.com%26scx%3D1280%26scy%3D1024%26scc%3D32%26sta%3D%2C%2C%2C1%2C%2C%2C%2C%2C%2C%2C0%2C5%2C0%2C19679%2C19579%2C14659%2C15477%2C501%26iid%3D218218%26bid%3D804224%26datne%3D (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\EX4ZQ1GX\.nu%2F&color_bg=FFFFFF&color_text=000000&color_link=3C5E92&color_url=3C5E92&color_border=FFFFFF&cc=100&u_h=1024&u_w=1280&u_ah=994&u_aw=1280&u_cd=32&u_tz=-300&u_his=2&u_java=true (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H1LMRNPQ\CAC9AD4N.583&kw_type=broad&kw=Lipstick%20%26%20Dynamite%2C%20Piss%20%26%20Vinegar&ad_type=text&u_h=1024&u_w=1280&u_ah=994&u_aw=1280&u_cd=32&u_tz=-240&u_his=8&u_java=true (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H1LMRNPQ\players;arena=nfl;feat=players;type=psa;page=index;user=Anonymous;seg=nonao
l;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;dcopt=ist;u=Q7txegq0Dr4AAGU1cN[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H1LMRNPQ\players;arena=nfl;feat=players;type=psa;page=index;user=Anonymous;seg=nonao
l;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;dcopt=ist;u=Q7txegq0Dr4AAGU1cN[2] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\MVYD290H\site=cs&pagepos=7&city=newyork&market_id=66&adsize=160x125&adsize=125x125&guide=cityguide&context=generic&brand=cit[1].styles=csalign_html,csalign_img&topic_id=1214&page=search (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\NHDFEEQ9\Directions;MN=93206399;wm=o;city=brooklyn;st=ny;dma=newyork;co=usa;abr=%21ec;!c=d-fls;!c=d-htm;!c=d-jav;!c=d-dxp;!c=d-pxp;sz=300x250;tile=1;dcove=d;ord=363783018[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\NHDFEEQ9\homead;arena=nfl;arena=home;type=psa;team=HOME;user=Anonymous;seg=nonaol;ct
ype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;dpart=1;adid=22079287;cust=no;vip=no;u=;sz=1x1;ti[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\NHDFEEQ9\players;arena=nfl;feat=players;type=psa;page=index;user=Anonymous;seg=nonao
l;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;u=Q7txegq0Dr4AAGU1cNs;sz=150x3[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\NHDFEEQ9\players;arena=nfl;feat=players;type=psa;page=index;user=Anonymous;seg=nonao
l;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;u=Q7txegq0Dr4AAGU1cNs;sz=160x6[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\NHDFEEQ9\players;arena=nfl;feat=players;type=psa;team=NE;playr=187741;user=Anonymous
;seg=nonaol;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;dcopt=ist;u=Q7txegq0[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\UYB318R3\Directions;MN=93206399;wm=o;city=brooklyn;st=ny;dma=newyork;co=usa;abr=%21ec;!c=d-fls;!c=d-htm;!c=d-jav;!c=d-dxp;!c=d-pxp;sz=300x250;tile=1;dcove=d;ord=363678299[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\UYB318R3\homead;arena=nfl;arena=home;type=psa;team=HOME;user=Anonymous;seg=nonaol;ct
ype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;dpart=1;adid=22079287;cust=no;vip=no;u=;sz=1x1;ti[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\UYB318R3\homead;arena=nfl;arena=home;type=psa;team=HOME;user=Anonymous;seg=nonaol;ct
ype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;dpart=1;adid=23532491;cust=no;vip=no;u=;sz=1x1;ti[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\UYB318R3\homead;arena=nfl;arena=home;type=psa;team=HOME;user=Anonymous;seg=nonaol;ct
ype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;dpart=1;cust=no;vip=no;u=;sz=230x75;tile=7;ord=46[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\UYB318R3\players;arena=nfl;feat=players;type=psa;page=index;user=Anonymous;seg=nonao
l;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;u=Q7txegq0Dr4AAGU1cNs;sz=150x3[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\XHKTXUB5\Burton-ion_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQ
frtsZ50QQfsooZ1QQfsopZ1QQfstypeZ1QQftrtZ1QQftrvZ1QQsacatZQ2d1QQsaprchiZQQsaprcloZ
[1].htm (WARNING: not scanned, path to long)
C:\System Volume Information: (not scanned)
F:\System Volume Information: (not scanned)
Trojan.Vundo has not been found on your computer.
-
Hijackthis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:55, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = forbin.qc.edu:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Go!Zilla\GoIEHlp.dll (file missing)
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\QooBox\Quarantine\C\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe.vir
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095300908968
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
--
End of file - 10321 bytes
-
Also on startup a window popped up saying "Windows cannot open this file"
LogitechDesktopMessenger.exe.vir
and it asks me to choose an option: either use a web service to find a program or choose manually.
-
[quote name='ixjerryxi' post='419692' date='Jan 23 2008, 07:55 PM']Also on startup a window popped up saying "Windows cannot open this file"
LogitechDesktopMessenger.exe.vir
and it asks me to choose an option: either use a web service to find a program or choose manually.[/quote]
Also, I forgot to mention that my printer driver always reinstalls at startup too.
-
Very sorry for the delay.
If you still need a hand, can you do the following:
DELETE your version of Combofix, and then let's redo it.
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop.
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Post the fresh log from combofix>>C:/Combofix.txt as well as a fresh hijackthis log.
Keep me informed how things are running please.
NOTE: Symantec Trojan.Vundo Removal Tool 1.5.0
That IS NOT the Vundofix I linked you to above, please keep with the instructions.
Can you run the one I linked to and post its log also?
-
On startup it says "Windows cannot open this file" LogitechDesktopMessenger.exe.vir
My printer driver no longer comes up.
Here is the Combofix log:
ComboFix 08-01-29.3 - Administrator 2008-01-28 21:08:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.611 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-
I hope that's not all you're planning on posting??
First, you didn't post the whole combofix log?
You didn't post the Hijackthis log?
You didn't run Vundofix from what I linked to earlier and post the log?
If you are having problems copying>>pasting:
In the log select EDIT>>SELECT ALL
EDIT>>COPY
-
[quote name='guestolo' post='420270' date='Jan 28 2008, 09:38 PM']I hope that's not all you're planning on posting??
First, you didn't post the whole combofix log?
You didn't post the Hijackthis log?
You didn't run Vundofix from what I linked to earlier and post the log?
If you are having problems copying>>pasting:
In the log select EDIT>>SELECT ALL
EDIT>>COPY[/quote]
Sorry about that...
The combofix log was all I had in combofix.txt.
This is the vundofix log:
VundoFix V6.7.7
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Scan started at 21:18:04 2008-01-28
Listing files found while scanning....
C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
C:\WINDOWS\system32\NCTAudioFile2.dll
C:\WINDOWS\system32\NCTAudioPlayer2.dll
C:\WINDOWS\system32\NCTAudioRecord2.dll
C:\WINDOWS\system32\NCTAVIFile.dll
C:\WINDOWS\system32\NCTQuickTimeFile.dll
C:\WINDOWS\system32\NCTVideoCoreM.dll
C:\WINDOWS\system32\NCTWMAFile2.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
C:\WINDOWS\system32\NCTAudioCDGrabber2.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\NCTAudioFile2.dll
C:\WINDOWS\system32\NCTAudioFile2.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\NCTAudioPlayer2.dll
C:\WINDOWS\system32\NCTAudioPlayer2.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\NCTAudioRecord2.dll
C:\WINDOWS\system32\NCTAudioRecord2.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\NCTAVIFile.dll
C:\WINDOWS\system32\NCTAVIFile.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\NCTQuickTimeFile.dll
C:\WINDOWS\system32\NCTQuickTimeFile.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\NCTVideoCoreM.dll
C:\WINDOWS\system32\NCTVideoCoreM.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\NCTWMAFile2.dll
C:\WINDOWS\system32\NCTWMAFile2.dll Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:01, on 2008-01-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = forbin.qc.edu:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\QooBox\Quarantine\C\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe.vir
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095300908968
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7584 bytes
-
That shouldn't be all from Combofix; did you follow all the prompts properly?
Also, go look for this file:
C:\Combofix.txt
Open it and post the contents if different than above.
-
[quote name='guestolo' post='420275' date='Jan 28 2008, 10:55 PM']That shouldn't be all from Combofix; did you follow all the prompts properly?
Also, go look for this file:
C:\Combofix.txt
Open it and post the contents if different than above.[/quote]
Yeah, it ran through all the processes and then it rebooted. Should I run it again?
-
Can you manually look for this file:
C:\Combofix.txt
If you open it, is that the whole contents that you posted earlier?
-
[quote name='guestolo' post='420282' date='Jan 29 2008, 12:28 AM']Can you manually look for this file:
C:\Combofix.txt
If you open it, is that the whole contents that you posted earlier?[/quote]
ComboFix 08-01-29.3 - Administrator 2008-01-29 0:27:31.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.647 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.
2008-01-28 18:00 . 2008-01-28 17:59 104,734 -r-hs---- C:\ylr.exe
2008-01-25 09:12 . 2008-01-28 17:58 443,904 -r-hs---- C:\xo8wr9.exe
2008-01-25 09:11 . 2008-01-28 17:58 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-25 02:29 . 2008-01-25 09:11 443,392 -r-hs---- C:\qd.cmd
2008-01-24 04:16 . 2008-01-24 04:16 <DIR> d-------- C:\Program Files\Abexo
2008-01-24 00:38 . 2004-08-04 03:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-24 00:38 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-01-24 00:38 . 2004-08-04 07:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-01-24 00:38 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-01-24 00:38 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-01-24 00:38 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-01-24 00:38 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-01-24 00:38 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-01-24 00:36 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-01-24 00:35 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-01-24 00:34 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-24 00:33 . 2004-08-04 01:31 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-01-24 00:32 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-01-24 00:31 . 2001-08-17 13:28 907,456 --a--c--- C:\WINDOWS\system32\dllcache\hcf_msft.sys
2008-01-24 00:30 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-01-24 00:29 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-01-24 00:28 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-24 00:27 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-01-24 00:26 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-01-23 23:01 . 2008-01-28 22:17 <DIR> d-------- C:\VundoFix Backups
2008-01-23 15:21 . 2008-01-23 22:27 107,528 -r-hs---- C:\awda2.exe
2008-01-23 00:45 . 2008-01-23 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 22:02 . 2008-01-22 22:02 435 --a------ C:\WINDOWS\system32\Shortcut to system32.lnk
2008-01-22 22:00 . 2008-01-22 23:55 289 --a------ C:\WINDOWS\wininit.ini
2008-01-22 20:40 . 2008-01-22 20:40 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-21 13:37 . 2008-01-23 08:55 443,904 -r-hs---- C:\xn1i9x.com
2008-01-17 08:15 . 2008-01-17 08:14 105,525 -r-hs---- C:\m1t8ta.com
2008-01-15 13:56 . 2008-01-16 19:35 104,863 -r-hs---- C:\juok3st.bat
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Program Files\Jabra
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jabra
2008-01-10 11:30 . 2008-01-15 07:22 104,451 -r-hs---- C:\d.com
2008-01-09 12:50 . 2008-01-09 12:49 104,392 -r-hs---- C:\tio8x6.cmd
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 18:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-25 07:25 --------- d-----w C:\Program Files\HP
2008-01-24 08:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-24 00:38 --------- d-----w C:\Program Files\Winamp
2008-01-24 00:37 --------- d-----w C:\Program Files\QuickTime
2008-01-24 00:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 00:37 --------- d-----w C:\Program Files\iTunes
2008-01-17 04:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-01-16 02:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-15 23:41 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-03 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-01-03 02:22 --------- d-----w C:\Program Files\Creative
2008-01-03 02:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-24 12:52 124,370 --sh--r C:\usdeiect.com
2007-12-21 19:24 121,918 --sh--r C:\uxdeiect.com
2007-12-18 20:22 123,873 --sh--r C:\n1deiect.com
2007-12-16 23:27 --------- d-----w C:\Program Files\mIRC
2007-12-16 21:52 32,419 --sha-r C:\WINDOWS\system32\avpo0.dll
2007-12-15 23:51 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-14 22:03 44,564 --sha-r C:\WINDOWS\system32\amvo2.dll
2007-12-10 15:21 123,223 --sh--r C:\nideiect.com
2007-12-07 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-06 22:19 --------- d-----w C:\Program Files\iPod
2007-12-06 03:36 --------- d-----w C:\Program Files\Viewpoint
2007-12-06 03:36 --------- d-----w C:\Program Files\AIM6
2007-12-06 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-02 21:11 22,528 ----a-w C:\WINDOWS\system32\wsock32.dll
2007-12-01 17:56 98,620 --sha-r C:\WINDOWS\system32\avpo.exe
2007-12-01 17:56 98,620 --sh--r C:\ntde1ect.com
2007-12-01 17:56 32,419 --sha-r C:\WINDOWS\system32\avpo1.dll
2007-11-28 18:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-09-19 01:07 20,688 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-04-12 04:41 92,064 ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-04-12 04:41 9,232 ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-04-12 04:41 79,328 ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-04-12 04:41 66,656 ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-04-12 04:41 6,208 ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-04-12 04:41 5,936 ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-04-12 04:41 4,048 ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-04-12 04:41 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-04-12 04:41 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2005-01-14 06:28 0 -c-h--w C:\Program Files\ENYOLINK Settings
2004-11-19 05:05 3,546 -c--a-w C:\Program Files\uninstal.log
.
----a-w 15,360 2008-01-28 22:58:43 C:\WINDOWS\system32\ctfmon .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-30 12:19 4628480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-11-30 12:19 86016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 11:45 49152 C:\WINDOWS\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [2005-08-07 17:10 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 17:10 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-22 15:50:16 577597]
Color Calibration.lnk - C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe [2005-01-17 21:40:40 36864]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-11-30 12:19 921600 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"x10nets"=3 (0x3)
"IDriverT"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 ATIDACXX;ATI DTV Wonder Analog Audio Capture Device;C:\WINDOWS\system32\drivers\atidacxx.sys [2005-09-26 20:21]
R3 ATIDDCXX;ATI DTV Wonder Digital BDA Capture Device;C:\WINDOWS\system32\drivers\atiddcxx.sys [2005-09-26 20:20]
R3 ATIDTUXX;ATI DTV Wonder Digital And Analog Tuner Device;C:\WINDOWS\system32\drivers\atidtuxx.sys [2005-09-26 20:21]
R3 ATIDVCXX;ATI DTV Wonder Analog AV Capture Device;C:\WINDOWS\system32\drivers\atidvcxx.sys [2005-09-26 20:20]
R3 ATIDXBXX;ATI DTV Wonder Analog AV Crossbar Device;C:\WINDOWS\system32\drivers\atidxbxx.sys [2005-09-26 20:20]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-07 16:54]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 09:05]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 09:27]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 09:05]
S3 S3SAV2K;S3SAV2K;C:\WINDOWS\system32\DRIVERS\s3sav2km.sys [2004-09-25 21:43]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32bbff80-58c7-11dc-b00f-0011110d0680}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32bbff87-58c7-11dc-b00f-0011110d0680}]
\Shell\AutoRun\command - H:\qd.cmd
\Shell\explore\Command - H:\qd.cmd
\Shell\open\Command - H:\qd.cmd
.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 19:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 00:31:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\GameHook.dll
.
Completion time: 2008-01-29 0:32:41
ComboFix-quarantined-files.txt 2008-01-29 05:32:11
.
2008-01-13 01:42:12 --- E O F ---
-
Can you temporarily disable Avast's protections?
Right click on the AVAST icon by the clock and select "Stop on Access protections"
I suggest that you access your add/remove programs and remove anything related to
ViewPoint
It usually gets installed unknowingly
You may have more than one entry
Do a System Scan only with Hijackthis and put a tick beside this entry
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\QooBox\Quarantine\C\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe.vir
With all other windows closed, including this one
click FIX CHECKED
Ok the prompts then exit Hijackthis
Afterwards:
Download the Flash_Disinfector.exe from here and save to desktop
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
Run Flash_Disinfector.exe, Follow the prompts
Insert any removable flash drives you may have when prompted
Leave any flash drive inserted
Then do the following:
Open Notepad and copy/paste the text in the quotebox below into it:
Don't use anything other than Notepad or the script will not work
RenV::
C:\WINDOWS\system32\ctfmon .exe
File::
C:\ylr.exe
C:\xo8wr9.exe
C:\qd.cmd
C:\awda2.exe
C:\xn1i9x.com
C:\m1t8ta.com
C:\juok3st.bat
C:\d.com
C:\tio8x6.cmd
C:\usdeiect.com
C:\uxdeiect.com
C:\n1deiect.com
C:\WINDOWS\system32\avpo0.dll
C:\WINDOWS\system32\amvo2.dll
C:\nideiect.com
C:\WINDOWS\system32\avpo.exe
C:\ntde1ect.com
C:\WINDOWS\system32\avpo1.dll
C:\qd.cmd
H:\qd.cmd
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32bbff87-58c7-11dc-b00f-0011110d0680}]
Save this as CFScript.txt on your desktop
(http://img.photobucket.com/albums/v666/sUBs/CFScript.gif)
Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Don't mouse-click on it; let it complete
When finished, it shall produce a log for you again, with the same name C:\ComboFix.txt
Post back all the following:
1. Post the log from ComboFix >> C:\ComboFix.txt
2. Run a fresh scan >> save the logfile with HijackThis and post its log too
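As an added detection example (not from the thread and not a ComboFix feature), here is a Python parser that runs over a constructed excerpt of the log above and flags the same three patterns the CFScript acts on: hidden+system executables, a system-binary name with a space before its extension, and MountPoints2 handlers that point at a file also dropped on C:. The rule names and the sample excerpt are my own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Extensions Windows will run from an AutoRun handler or a double-click.
EXEC_EXT = (".exe", ".com", ".cmd", ".bat", ".dll", ".pif", ".scr")

# "Files Created" rows:  <created> . <modified> <size|<DIR>> <attrs9> <path>
CREATED_RE = re.compile(
    r"^\S+ \S+ \. \S+ \S+ (?:<DIR>|[\d,]+) (?P<attrs>\S{9}) (?P<path>.+)$")
# "Find3M Report" rows:  <modified> <size|---------> <attrs7> <path>
FIND3M_RE = re.compile(
    r"^\S+ \S+ (?:-{9}|[\d,]+) (?P<attrs>\S{7}) (?P<path>.+)$")
# MountPoints2 handlers:  \Shell\<verb>\command - <target>
HANDLER_RE = re.compile(
    r"^\\Shell\\(?P<verb>AutoRun|open|explore)\\command - (?P<target>.+)$", re.I)
# A space squeezed in before the extension, as in "ctfmon .exe".
SPACED_EXT_RE = re.compile(r"\S \.(?:exe|com|dll)$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str


def basename(win_path: str) -> str:
    """Last component of a Windows path, lower-cased (os.path won't split '\\' on POSIX)."""
    return win_path.rsplit("\\", 1)[-1].lower()


def analyse(log_text: str) -> list[Finding]:
    """Return one Finding per indicator line in a ComboFix-style log."""
    findings: list[Finding] = []
    handlers: list[tuple[str, str]] = []

    for raw in log_text.splitlines():
        line = raw.strip()
        m = CREATED_RE.match(line) or FIND3M_RE.match(line)
        if m:
            attrs, path = m["attrs"].lower(), m["path"]
            if "d" in attrs:  # directories are never the dropper itself
                continue
            if SPACED_EXT_RE.search(path):
                findings.append(Finding("space before extension (system-binary lookalike)", path))
            if "h" in attrs and "s" in attrs and path.lower().endswith(EXEC_EXT):
                findings.append(Finding("hidden+system executable", path))
            continue
        h = HANDLER_RE.match(line)
        if h:
            handlers.append((h["verb"].lower(), h["target"]))

    # Second pass: correlate drive handlers with what was dropped on the system drive.
    dropped = {basename(f.path) for f in findings}
    for verb, target in handlers:
        exe = target.split()[0]  # strip arguments such as "-a"
        if verb != "autorun":
            findings.append(Finding(f"Explorer '{verb}' verb hijacked on a mounted drive", target))
        elif basename(exe) in dropped:
            findings.append(Finding("AutoRun launches a file also dropped on C:", target))
    return findings


# Constructed excerpt in ComboFix's layout (a handful of rows from the log above).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.
2008-01-28 18:00 . 2008-01-28 17:59 104,734 -r-hs---- C:\ylr.exe
2008-01-25 09:11 . 2008-01-28 17:58 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-25 02:29 . 2008-01-25 09:11 443,392 -r-hs---- C:\qd.cmd
2008-01-24 04:16 . 2008-01-24 04:16 <DIR> d-------- C:\Program Files\Abexo
2008-01-24 00:38 . 2004-08-04 03:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-22 20:40 . 2008-01-22 20:40 <DIR> d--h----- C:\WINDOWS\PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 18:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-24 12:52 124,370 --sh--r C:\usdeiect.com
2007-12-16 21:52 32,419 --sha-r C:\WINDOWS\system32\avpo0.dll
2007-12-02 21:11 22,528 ----a-w C:\WINDOWS\system32\wsock32.dll
2007-09-19 01:07 20,688 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32bbff80-58c7-11dc-b00f-0011110d0680}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32bbff87-58c7-11dc-b00f-0011110d0680}]
\Shell\AutoRun\command - H:\qd.cmd
\Shell\explore\Command - H:\qd.cmd
\Shell\open\Command - H:\qd.cmd
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.rule:55} {f.path}")
```

The U3 launcher on G: is left alone because its AutoRun target was never dropped on C:, while every handler on H: is reported.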
-
My printer driver installed after the combofix rebooted and started up windows.
ComboFix 08-01-29.3 - Administrator 2008-01-29 1:30:57.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.610 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\awda2.exe
C:\d.com
C:\juok3st.bat
C:\m1t8ta.com
C:\n1deiect.com
C:\nideiect.com
C:\ntde1ect.com
C:\qd.cmd
C:\tio8x6.cmd
C:\usdeiect.com
C:\uxdeiect.com
C:\WINDOWS\system32\amvo2.dll
C:\WINDOWS\system32\avpo.exe
C:\WINDOWS\system32\avpo0.dll
C:\WINDOWS\system32\avpo1.dll
C:\xn1i9x.com
C:\xo8wr9.exe
C:\ylr.exe
H:\qd.cmd
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\awda2.exe
C:\d.com
C:\juok3st.bat
C:\m1t8ta.com
C:\n1deiect.com
C:\nideiect.com
C:\ntde1ect.com
C:\qd.cmd
C:\tio8x6.cmd
C:\usdeiect.com
C:\uxdeiect.com
C:\xn1i9x.com
C:\xo8wr9.exe
C:\ylr.exe
C:\awda2.exe
C:\d.com
C:\juok3st.bat
C:\m1t8ta.com
C:\n1deiect.com
C:\nideiect.com
C:\ntde1ect.com
C:\qd.cmd
C:\tio8x6.cmd
C:\usdeiect.com
C:\uxdeiect.com
C:\WINDOWS\system32\amvo2.dll
C:\WINDOWS\system32\avpo.exe
C:\WINDOWS\system32\avpo0.dll
C:\WINDOWS\system32\avpo1.dll
C:\xn1i9x.com
C:\xo8wr9.exe
C:\ylr.exe
H:\qd.cmd . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.
2008-01-25 09:11 . 2008-01-28 17:58 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-25 09:11 . 2008-01-28 17:58 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-24 04:16 . 2008-01-24 04:16 <DIR> d-------- C:\Program Files\Abexo
2008-01-24 00:38 . 2004-08-04 03:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-24 00:38 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-01-24 00:38 . 2004-08-04 07:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-01-24 00:38 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-01-24 00:38 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-01-24 00:38 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-01-24 00:38 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-01-24 00:38 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-01-24 00:36 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-01-24 00:35 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-01-24 00:34 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-24 00:33 . 2004-08-04 01:31 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-01-24 00:32 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-01-24 00:31 . 2001-08-17 13:28 907,456 --a--c--- C:\WINDOWS\system32\dllcache\hcf_msft.sys
2008-01-24 00:30 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-01-24 00:29 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-01-24 00:28 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-24 00:27 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-01-24 00:26 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-01-23 23:01 . 2008-01-28 22:17 <DIR> d-------- C:\VundoFix Backups
2008-01-23 00:45 . 2008-01-23 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 22:02 . 2008-01-22 22:02 435 --a------ C:\WINDOWS\system32\Shortcut to system32.lnk
2008-01-22 22:00 . 2008-01-22 23:55 289 --a------ C:\WINDOWS\wininit.ini
2008-01-22 20:40 . 2008-01-22 20:40 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Program Files\Jabra
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jabra
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 18:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-25 07:25 --------- d-----w C:\Program Files\HP
2008-01-24 08:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-24 00:38 --------- d-----w C:\Program Files\Winamp
2008-01-24 00:37 --------- d-----w C:\Program Files\QuickTime
2008-01-24 00:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 00:37 --------- d-----w C:\Program Files\iTunes
2008-01-17 04:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-01-16 02:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-15 23:41 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-03 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-01-03 02:22 --------- d-----w C:\Program Files\Creative
2008-01-03 02:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-16 23:27 --------- d-----w C:\Program Files\mIRC
2007-12-15 23:51 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-07 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-06 22:19 --------- d-----w C:\Program Files\iPod
2007-12-06 03:36 --------- d-----w C:\Program Files\Viewpoint
2007-12-06 03:36 --------- d-----w C:\Program Files\AIM6
2007-12-06 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-28 18:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-09-19 01:07 20,688 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-04-12 04:41 92,064 ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-04-12 04:41 9,232 ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-04-12 04:41 79,328 ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-04-12 04:41 66,656 ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-04-12 04:41 6,208 ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-04-12 04:41 5,936 ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-04-12 04:41 4,048 ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-04-12 04:41 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-04-12 04:41 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2005-01-14 06:28 0 -c-h--w C:\Program Files\ENYOLINK Settings
2004-11-19 05:05 3,546 -c--a-w C:\Program Files\uninstal.log
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-28 17:58 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-30 12:19 4628480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-11-30 12:19 86016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 11:45 49152 C:\WINDOWS\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [2005-08-07 17:10 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 17:10 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-22 15:50:16 577597]
Color Calibration.lnk - C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe [2005-01-17 21:40:40 36864]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-10-08 19:34:22 434176]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2005-01-17 21:40:17 155715]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-11-30 12:19 921600 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"x10nets"=3 (0x3)
"IDriverT"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 ATIDACXX;ATI DTV Wonder Analog Audio Capture Device;C:\WINDOWS\system32\drivers\atidacxx.sys [2005-09-26 20:21]
R3 ATIDDCXX;ATI DTV Wonder Digital BDA Capture Device;C:\WINDOWS\system32\drivers\atiddcxx.sys [2005-09-26 20:20]
R3 ATIDTUXX;ATI DTV Wonder Digital And Analog Tuner Device;C:\WINDOWS\system32\drivers\atidtuxx.sys [2005-09-26 20:21]
R3 ATIDVCXX;ATI DTV Wonder Analog AV Capture Device;C:\WINDOWS\system32\drivers\atidvcxx.sys [2005-09-26 20:20]
R3 ATIDXBXX;ATI DTV Wonder Analog AV Crossbar Device;C:\WINDOWS\system32\drivers\atidxbxx.sys [2005-09-26 20:20]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-07 16:54]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 09:05]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 09:27]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 09:05]
S3 S3SAV2K;S3SAV2K;C:\WINDOWS\system32\DRIVERS\s3sav2km.sys [2004-09-25 21:43]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 19:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 01:34:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\GameHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-01-29 1:39:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 06:39:51
ComboFix2.txt 2008-01-29 05:32:42
.
2008-01-13 01:42:12 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:13 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = forbin.qc.edu:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095300908968
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7420 bytes
-
I see you opted to keep Viewpoint installed; that is your option.
Use the Internet Explorer browser (or Firefox with IETab), and do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.
Click Yes, when prompted to install its ActiveX component.
(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
- Once the files are downloaded, click on Next
- Click on Scan Settings and configure as follows:
  - Scan using the following Anti-Virus database: Extended
  - Scan Options: Scan Archives
    Scan Mail Bases
- Click OK and, under Select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect; however, we need to analyze the information on the report.
(http://img.photobucket.com/albums/v666/sUBs/Kas-SaveReport-1.gif)
(http://img.photobucket.com/albums/v666/sUBs/Kas-Savetxt.gif)
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
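Reading a report with several hundred hits by eye is the slow part of this step, so here is an added triage script (written for this page, not part of the thread and not a Kaspersky tool) that parses the "Infected Object Name / Virus Name / Last Action" lines of the report format posted in the next reply and sorts each hit by where it lives. The sample lines are constructed with placeholder file names (the detection names are ones that appear in the thread), and the QooBox and Deckard backup folders are assumed to be quarantine/backup directories left by earlier cleanup tools, which is what their names say.

```python
"""Triage helper for Kaspersky Online Scanner 5.x report text (added example).

Sorts each reported hit into: quarantine (already neutralised by a cleanup
tool), system_restore (old snapshot copies), java_cache (cached applets),
riskware (not-a-virus: entries), or live (a file outside any of those, which
is the part that still needs action).
"""
import re
from collections import Counter, defaultdict

# One report line takes one of three shapes:
#   "<path> Infected: <detection> skipped"
#   "<path> Object is locked skipped"
#   "<path> ZIP: infected - <n> skipped"   (archive summary, inner files listed separately)
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)|Object is locked|ZIP: infected - (?P<count>\d+))"
    r" skipped$"
)

# Location buckets, matched case-insensitively against the path.
# Assumption: QooBox\Quarantine and Deckard\System Scanner\backup hold files that
# earlier cleanup tools already moved out of their original locations.
BUCKETS = [
    ("quarantine", ("\\qoobox\\quarantine\\", "\\deckard\\system scanner\\backup\\")),
    ("system_restore", ("\\system volume information\\_restore",)),
    ("java_cache", ("\\sun\\java\\deployment\\cache\\",)),
]


def classify(path, name):
    """Return the bucket a single detection belongs to."""
    low = path.lower()
    for bucket, needles in BUCKETS:
        if any(n in low for n in needles):
            return bucket
    if name.lower().startswith("not-a-virus:"):
        return "riskware"   # informational, e.g. a legitimate IRC client
    return "live"           # outside every quarantine/snapshot folder: needs action


def family(name):
    """Collapse 'Trojan-PSW.Win32.OnLineGames.jkq' to 'Trojan-PSW.Win32.OnLineGames'."""
    parts = name.split(".")
    return ".".join(parts[:3]) if len(parts) > 3 else name


def triage(report_text):
    """Parse report lines; return counts per bucket and live hits grouped by family."""
    counts = Counter()
    live = defaultdict(list)
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, statistics, blank and separator lines
        if m.group("name") is None:
            counts["locked" if m.group("count") is None else "archive_summary"] += 1
            continue
        bucket = classify(m.group("path"), m.group("name"))
        counts[bucket] += 1
        if bucket == "live":
            live[family(m.group("name"))].append(m.group("path"))
    return {"counts": dict(counts), "live": dict(live)}


# Constructed sample in the report's format; file names are placeholders.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\example1.dll Infected: Trojan-PSW.Win32.OnLineGames.nnq skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\22\deadbeef-0badf00d/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\22\deadbeef-0badf00d ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\example2.dll.vir Infected: Trojan-PSW.Win32.WOW.agx skipped
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP10\A0000001.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\WINDOWS\system32\example3.dll Infected: Packed.Win32.NSAnti.r skipped
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(result["counts"])
    for fam, paths in result["live"].items():
        print(fam, "->", ", ".join(paths))
```

Run it on the saved KScan.txt instead of the sample to see at a glance how many hits are live versus already quarantined or sitting in System Restore.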
-
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 29, 2008 8:16:22 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/01/2008
Kaspersky Anti-Virus database records: 535353
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
F:\
G:\
H:\
Scan Statistics:
Total number of scanned objects: 109208
Number of viruses found: 79
Number of infected objects: 804
Number of suspicious objects: 0
Duration of the scan process: 01:43:33
Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8y9vh.dll Infected: Trojan-PSW.Win32.OnLineGames.nnq skipped
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\MVYD290H\new3[1].htm Infected: Constructor.Perl.Msdds.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-2cd22d5b/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-2cd22d5b ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\34\63206922-5a358be2/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\34\63206922-5a358be2 ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-63f0439f/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-63f0439f ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-5f4b50bb/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-5f4b50bb ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-2f7699e9/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-2f7699e9 ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-74206b0c.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-74206b0c.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-42399452.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-42399452.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-1dadae47.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-1dadae47.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-15327e32.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-15327e32.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-b825669-6c9447f2.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-b825669-6c9447f2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008012920080130\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZOPNRGNC\bind[1].htm Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Apache Group\Apache\logs\access.log Object is locked skipped
C:\Program Files\Apache Group\Apache\logs\error.log Object is locked skipped
C:\Program Files\Apache Group\Apache\logs\ssl.log Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\amvo2.dll.vir Infected: Trojan-PSW.Win32.WOW.agx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\avpo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\avpo0.dll.vir Infected: Packed.Win32.NSAnti.r skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\avpo1.dll.vir Infected: Packed.Win32.NSAnti.r skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 03142.29.zip/jkhhe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 03142.29.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/awda2.exe Infected: Worm.Win32.AutoRun.ccs skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/d.com Infected: Worm.Win32.AutoRun.bua skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/juok3st.bat Infected: Worm.Win32.AutoRun.bur skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/m1t8ta.com Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/n1deiect.com Infected: Trojan-PSW.Win32.OnLineGames.lfi skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/nideiect.com Infected: Trojan-PSW.Win32.OnLineGames.knb skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/ntde1ect.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/qd.cmd Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/tio8x6.cmd Infected: Worm.Win32.AutoRun.bpn skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/usdeiect.com Infected: Worm.Win32.AutoRun.bep skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/uxdeiect.com Infected: Trojan-PSW.Win32.OnLineGames.lsy skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/xn1i9x.com Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/xo8wr9.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/ylr.exe Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/qd.cmd.1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip ZIP: infected - 15 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000785.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000802.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000804.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000815.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000817.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000828.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000830.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000841.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000843.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000857.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000859.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000870.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000872.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000883.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000885.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP11\A0000888.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002405.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002409.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002413.exe Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002427.dll Infected: Virus.Win32.AutoRun.akr skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002428.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002430.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002431.com Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002436.exe Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002437.dll Infected: Virus.Win32.AutoRun.akr skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002438.exe Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002455.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002456.dll Infected: Virus.Win32.AutoRun.akr skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002459.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002460.com Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002463.exe Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002464.exe Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002489.dll Infected: Virus.Win32.AutoRun.akr skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002490.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002492.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002493.com Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002498.exe Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002499.dll Infected: Virus.Win32.AutoRun.akr skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002513.dll Infected: Virus.Win32.AutoRun.akr skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002515.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002516.com Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002518.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002521.exe Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP13\A0002524.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP13\A0002554.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP13\A0002556.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP13\A0002557.com Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP13\A0002561.dll Infected: Virus.Win32.AutoRun.akr skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002582.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002584.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002585.com Infected: Trojan-PSW.Win32.OnLineGames.kdp skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002589.exe Infected: Trojan-PSW.Win32.OnLineGames.kdp skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002590.dll Infected: Trojan-PSW.Win32.OnLineGames.kow skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002664.dll Infected: Worm.Win32.AutoRun.ci skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002665.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002667.com Infected: Worm.Win32.AutoRun.ci skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002669.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002673.exe Infected: Worm.Win32.AutoRun.ci skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002674.dll Infected: Worm.Win32.AutoRun.ci skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002687.com Infected: Trojan-PSW.Win32.OnLineGames.knb skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002689.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002715.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002716.dll Infected: Trojan-PSW.Win32.WOW.hu skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002718.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002720.com Infected: Trojan-PSW.Win32.OnLineGames.knb skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002724.exe Infected: Trojan-PSW.Win32.OnLineGames.knb skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002725.dll Infected: Trojan-PSW.Win32.WOW.hu skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002741.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002745.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP16\A0002765.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002874.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002879.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002899.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002901.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002927.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002929.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002951.dll Infected: Trojan-PSW.Win32.WOW.agt skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002952.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002954.com Infected: Trojan-PSW.Win32.OnLineGames.ksh skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002955.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002961.exe Infected: Trojan-PSW.Win32.OnLineGames.ksh skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0002985.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0002987.com Infected: Trojan-PSW.Win32.OnLineGames.ksh skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003003.dll Infected: Trojan-PSW.Win32.WOW.agt skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003004.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003006.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003007.com Infected: Trojan-PSW.Win32.OnLineGames.ksh skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003012.exe Infected: Trojan-PSW.Win32.OnLineGames.ksh skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003029.dll Infected: Trojan-PSW.Win32.WOW.agt skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003030.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003032.com Infected: Trojan-PSW.Win32.OnLineGames.ksh skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003034.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003037.exe Infected: Trojan-PSW.Win32.OnLineGames.ksh skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003038.dll Infected: Trojan-PSW.Win32.WOW.agt skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003054.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003057.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003062.dll Infected: Trojan-PSW.Win32.OnLineGames.kuo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003077.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003100.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003102.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003120.dll Infected: Trojan-PSW.Win32.OnLineGames.kuo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003173.dll Infected: Trojan-PSW.Win32.WOW.agx skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003174.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003176.com Infected: Trojan-PSW.Win32.Nilage.bvu skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003177.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003182.exe Infected: Trojan-PSW.Win32.Nilage.bvu skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP20\A0003195.com Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP20\A0003213.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP21\A0003217.com Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP21\A0003254.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP22\A0003264.com Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP22\A0003266.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003268.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003270.com Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003430.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003431.dll Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003434.exe Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003435.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003439.com Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003443.dll Infected: Trojan-PSW.Win32.WOW.agx skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003472.dll Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003473.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003477.com Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003479.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003483.exe Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003484.dll Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003564.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003565.dll Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003569.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003573.dll Infected: Trojan-PSW.Win32.OnLineGames.lff skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003795.dll Infected: Trojan-PSW.Win32.OnLineGames.lff skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003801.dll Infected: Trojan-PSW.Win32.OnLineGames.lff skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003814.com Infected: Trojan-PSW.Win32.Nilage.bvw skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003817.exe Infected: Trojan-PSW.Win32.Nilage.bvw skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003828.com Infected: Trojan-PSW.Win32.OnLineGames.lfi skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003841.dll Infected: Trojan-PSW.Win32.WOW.ahe skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003843.com Infected: Trojan-PSW.Win32.OnLineGames.lfi skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003846.exe Infected: Trojan-PSW.Win32.OnLineGames.lfi skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003847.dll Infected: Trojan-PSW.Win32.WOW.ahe skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003857.com Infected: Trojan-PSW.Win32.OnLineGames.llw skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003862.exe Infected: Trojan-PSW.Win32.OnLineGames.llw skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003863.dll Infected: Trojan-PSW.Win32.OnLineGames.pjp skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003874.com Infected: Trojan-PSW.Win32.OnLineGames.lov skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003887.dll Infected: Trojan-PSW.Win32.WOW.aho skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003889.com Infected: Trojan-PSW.Win32.OnLineGames.lov skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003892.exe Infected: Trojan-PSW.Win32.OnLineGames.lov skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003893.dll Infected: Trojan-PSW.Win32.WOW.aho skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003931.com Infected: Worm.Win32.AutoRun.bcw skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003940.dll Infected: Trojan-PSW.Win32.WOW.ahs skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003942.sys Infected: Rootkit.Win32.Vanti.gz skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003943.com Infected: Worm.Win32.AutoRun.bcw skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003947.exe Infected: Worm.Win32.AutoRun.bcw skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003948.dll Infected: Trojan-PSW.Win32.WOW.ahs skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP26\A0003951.com Infected: Worm.Win32.AutoRun.bdg skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP26\A0003970.dll Infected: Trojan-PSW.Win32.WOW.ahs skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP26\A0003972.com Infected: Worm.Win32.AutoRun.bdg skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP26\A0003976.exe Infected: Worm.Win32.AutoRun.bdg skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP26\A0003977.dll Infected: Trojan-PSW.Win32.OnLineGames.lwp skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0003996.com Infected: Trojan-PSW.Win32.OnLineGames.lsy skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0004008.dll Infected: Trojan-PSW.Win32.OnLineGames.ons skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0004010.com Infected: Trojan-PSW.Win32.OnLineGames.lsy skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0004014.exe Infected: Trojan-PSW.Win32.OnLineGames.lsy skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0004015.dll Infected: Trojan-PSW.Win32.OnLineGames.ons skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0004025.com Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0004039.dll Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0004041.com Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP28\A0004045.com Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP28\A0004061.dll Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP28\A0004063.com Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP29\A0004068.com Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP29\A0004085.dll Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP29\A0004087.com Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP29\A0004093.exe Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP29\A0004094.dll Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP29\A0004105.dll Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP29\A0004107.com Infected: Worm.Win32.AutoRun.bep skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP30\A0004114.com Infected: Worm.Win32.AutoRun.bep skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP30\A0004130.dll Infected: Worm.Win32.AutoRun.bep skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP30\A0004132.com Infected: Worm.Win32.AutoRun.bep skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP30\A0004136.exe Infected: Worm.Win32.AutoRun.bep skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP30\A0004149.dll Infected: Trojan-PSW.Win32.OnLineGames.mqw skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP30\A0004151.com Infected: Trojan-PSW.Win32.OnLineGames.mqw skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0004163.com Infected: Trojan-PSW.Win32.OnLineGames.mqw skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005151.dll Infected: Trojan-PSW.Win32.OnLineGames.mqw skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005154.com Infected: Trojan-PSW.Win32.OnLineGames.mqw skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005160.exe Infected: Trojan-PSW.Win32.OnLineGames.mqw skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005161.dll Infected: Worm.Win32.AutoRun.bep skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005170.dll Infected: Trojan-PSW.Win32.OnLineGames.mqw skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005172.com Infected: Trojan-PSW.Win32.OnLineGames.mrq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005176.exe Infected: Trojan-PSW.Win32.OnLineGames.mrq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005177.dll Infected: Trojan-PSW.Win32.OnLineGames.mrq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP32\A0005182.com Infected: Worm.Win32.AutoRun.bld skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP32\A0005200.dll Infected: Trojan-PSW.Win32.OnLineGames.mrq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP32\A0005202.com Infected: Worm.Win32.AutoRun.bld skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP32\A0005218.dll Infected: Worm.Win32.AutoRun.bld skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP32\A0005220.com Infected: Worm.Win32.AutoRun.bld skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP32\A0005224.exe Infected: Worm.Win32.AutoRun.bld skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP32\A0005225.dll Infected: Worm.Win32.AutoRun.bld skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP33\A0005226.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP34\A0005232.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP36\A0005236.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP38\A0005240.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP39\A0005248.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP40\A0005251.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP40\A0005285.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP40\A0005315.dll Infected: Trojan-PSW.Win32.OnLineGames.mwc skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP40\A0005317.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP40\A0005319.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP41\A0005325.bat Infected: Worm.Win32.AutoRun.bmz skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP41\A0005344.dll Infected: Worm.Win32.AutoRun.bmz skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP41\A0005346.bat Infected: Worm.Win32.AutoRun.bmz skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP41\A0005349.exe Infected: Worm.Win32.AutoRun.bmz skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP41\A0005350.dll Infected: Trojan-PSW.Win32.OnLineGames.mwc skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP42\A0005354.bat Infected: Worm.Win32.AutoRun.bnq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP42\A0005381.bat Infected: Worm.Win32.AutoRun.bnq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP42\A0005385.exe Infected: Worm.Win32.AutoRun.bnq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP42\A0005386.dll Infected: Worm.Win32.AutoRun.bnq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005407.dll Infected: Worm.Win32.AutoRun.bnq skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005430.cmd Infected: Worm.Win32.AutoRun.bpn skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005455.dll Infected: Worm.Win32.AutoRun.bpn skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005457.cmd Infected: Worm.Win32.AutoRun.bpn skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005461.dll Infected: Worm.Win32.AutoRun.bpn skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005475.cmd Infected: Worm.Win32.AutoRun.bpn skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005489.dll Infected: Worm.Win32.AutoRun.bpn skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005491.cmd Infected: Worm.Win32.AutoRun.bpn skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005495.exe Infected: Worm.Win32.AutoRun.bpn skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005496.dll Infected: Trojan-PSW.Win32.WOW.aiy skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005497.com Infected: Worm.Win32.AutoRun.bpn skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP44\A0005501.com Infected: Trojan-PSW.Win32.OnLineGames.nqv skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP44\A0005528.com Infected: Trojan-PSW.Win32.OnLineGames.nqv skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP44\A0005532.exe Infected: Trojan-PSW.Win32.OnLineGames.nqv skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP44\A0005533.dll Infected: Trojan-PSW.Win32.OnLineGames.nqv skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP45\A0005666.com Infected: Worm.Win32.AutoRun.brz skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP45\A0005670.exe Infected: Worm.Win32.AutoRun.brz skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP45\A0005671.dll Infected: Trojan-PSW.Win32.OnLineGames.nwl skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP45\A0005685.dll Infected: Trojan-PSW.Win32.OnLineGames.nwl skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP45\A0005687.com Infected: Worm.Win32.AutoRun.bss skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP45\A0005691.dll Infected: Trojan-PSW.Win32.OnLineGames.okv skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005695.com Infected: Worm.Win32.AutoRun.bss skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005717.com Infected: Worm.Win32.AutoRun.bss skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005729.dll Infected: Trojan-PSW.Win32.OnLineGames.okv skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005731.com Infected: Worm.Win32.AutoRun.bss skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005745.dll Infected: Trojan-PSW.Win32.OnLineGames.okv skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005747.com Infected: Worm.Win32.AutoRun.bss skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005751.exe Infected: Worm.Win32.AutoRun.bss skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005752.dll Infected: Trojan-PSW.Win32.OnLineGames.oby skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005772.com Infected: Worm.Win32.AutoRun.btv skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005776.exe Infected: Worm.Win32.AutoRun.btv skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005777.dll Infected: Trojan-PSW.Win32.OnLineGames.ojg skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005787.com Infected: Worm.Win32.AutoRun.bua skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005791.exe Infected: Worm.Win32.AutoRun.bua skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005792.dll Infected: Worm.Win32.AutoRun.bua skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005806.bat Infected: Worm.Win32.AutoRun.bun skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005818.dll Infected: Trojan-PSW.Win32.OnLineGames.pbf skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005820.bat Infected: Worm.Win32.AutoRun.bun skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP47\A0005882.bat Infected: Worm.Win32.AutoRun.bun skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP47\A0005956.exe Infected: Worm.Win32.AutoRun.bun skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP47\A0005957.dll Infected: Trojan-PSW.Win32.OnLineGames.pbf skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP47\A0005958.dll Infected: Trojan-PSW.Win32.OnLineGames.pbf skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP47\A0005959.bat Infected: Worm.Win32.AutoRun.bun skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0005961.bat Infected: Worm.Win32.AutoRun.bur skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0005996.bat Infected: Worm.Win32.AutoRun.bur skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006000.exe Infected: Worm.Win32.AutoRun.bur skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006001.dll Infected: Worm.Win32.AutoRun.bur skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006011.dll Infected: Worm.Win32.AutoRun.bur skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006012.com Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006024.dll Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006026.com Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006042.dll Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006044.com Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006050.exe Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006051.dll Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP49\A0006053.com Infected: Worm.Win32.AutoRun.bvz skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP49\A0006072.dll Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP49\A0006073.com Infected: Worm.Win32.AutoRun.bvz skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP49\A0006077.exe Infected: Worm.Win32.AutoRun.bvz skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP49\A0006078.dll Infected: Trojan-PSW.Win32.OnLineGames.oti skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP49\A0006088.com Infected: Worm.Win32.AutoRun.byx skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000184.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000370.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000387.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000439.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000461.dll Infected: Packed.Win32.NSAnti.r skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP50\A0006092.com Infected: Worm.Win32.AutoRun.byx skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP50\A0006108.dll Infected: Trojan-PSW.Win32.OnLineGames.owi skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP50\A0006110.com Infected: Worm.Win32.AutoRun.byx skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP50\A0006114.dll Infected: Trojan-PSW.Win32.OnLineGames.owi skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP50\A0006124.com Infected: Worm.Win32.AutoRun.byx skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP50\A0006140.dll Infected: Trojan-PSW.Win32.OnLineGames.owi skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP50\A0006142.com Infected: Worm.Win32.AutoRun.byx skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP51\A0006148.com Infected: Worm.Win32.AutoRun.byx skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP51\A0006164.dll Infected: Trojan-PSW.Win32.OnLineGames.owi skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP51\A0006166.com Infected: Worm.Win32.AutoRun.byx skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP51\A0006170.exe Infected: Worm.Win32.AutoRun.byx skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP51\A0006171.dll Infected: Worm.Win32.AutoRun.cag skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP51\A0006186.com Infected: Worm.Win32.AutoRun.cas skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP51\A0006189.dll Infected: Trojan-PSW.Win32.OnLineGames.pcf skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP52\A0006191.com Infected: Worm.Win32.AutoRun.cas skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP52\A0006208.com Infected: Worm.Win32.AutoRun.cas skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP52\A0006210.exe Infected: Worm.Win32.AutoRun.cas skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP52\A0006211.dll Infected: Worm.Win32.AutoRun.cbi skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP52\A0006225.com Infected: Trojan-PSW.Win32.OnLineGames.pfm skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP52\A0006237.exe Infected: Trojan-PSW.Win32.OnLineGames.pfm skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006253.com Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006270.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006271.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006273.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006274.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006276.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006277.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006278.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006279.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006280.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006281.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006282.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006283.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006284.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006285.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006286.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006287.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006288.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006289.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006290.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006291.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006292.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006293.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006294.dll Infected: Trojan-PSW.Win32.OnLineGames.pfm
-
Looks as if Kaspersky's still found bad guys in your F:\ and H:\ drives.
What drives do those letters represent?
e.g. an external hard drive?
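As an added example (not code from the thread, from Kaspersky or from any of the tools mentioned), here is a small Python parser for scan-log lines in the format shown above. It groups findings the way a helper reads a log like this: by drive letter, by detection family, and by whether the file is a copy held in a System Restore point (under C:\System Volume Information\_restore...) or a live file elsewhere. The C:\ sample lines are copied from the log; the F:\ and H:\ lines are constructed for the example, with file names taken from the CFScript later in the thread but placeholder detection names that are not from the log.

```python
import re
from collections import Counter

# One Kaspersky scan-log finding: "<path> Infected: <detection> [<status>]"
# (the status is missing on the last line of the posted log, so it is optional)
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<detection>\S+)(?: (?P<status>\S+))?\s*$")
# Copies kept by Windows System Restore live under this path; they are not live files
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\(?P<rp>RP\d+)\\", re.IGNORECASE
)
# Statuses that mean the scanner actually acted on the object ("skipped" is not one)
HANDLED = {"deleted", "disinfected", "quarantined"}

# Constructed sample input: C:\ lines copied from the thread's log; F:\ and H:\ lines
# constructed for this example (placeholder detection variant ".example"); one
# non-finding line to show that it is ignored.
SAMPLE_LOG = "\n".join([
    r"C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003942.sys Infected: Rootkit.Win32.Vanti.gz skipped",
    r"C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003931.com Infected: Worm.Win32.AutoRun.bcw skipped",
    r"C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP41\A0005325.bat Infected: Worm.Win32.AutoRun.bmz skipped",
    r"C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000184.dll Infected: Packed.Win32.NSAnti.r skipped",
    r"C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006294.dll Infected: Trojan-PSW.Win32.OnLineGames.pfm",
    r"F:\awda2.exe Infected: Worm.Win32.AutoRun.example skipped",
    r"H:\autorun.inf Infected: Worm.Win32.AutoRun.example skipped",
    r"H:\juok3st.bat Infected: Worm.Win32.AutoRun.example skipped",
    "",
    "Scan complete (constructed non-finding line)",
])


def parse_line(line):
    """Return a finding dict for one log line, or None if the line is not a finding."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    rp = RESTORE_RE.search(path)
    detection = m.group("detection")
    return {
        "path": path,
        # drive letter, e.g. "C:"; "?" if the path is not a drive-letter path
        "drive": path[0].upper() + ":" if re.match(r"^[A-Za-z]:\\", path) else "?",
        "detection": detection,
        # family = detection name without its trailing variant suffix (".kxk", ".bcw", ...)
        "family": detection.rsplit(".", 1)[0],
        "status": m.group("status") or "",
        "restore_point": rp.group("rp") if rp else None,
    }


def parse_log(text):
    """Parse every finding line of a scan log, skipping blank and non-finding lines."""
    return [f for f in (parse_line(line) for line in text.splitlines()) if f]


def summarize(findings):
    """Group findings into the questions a helper asks when reading such a log."""
    live = [f for f in findings if f["restore_point"] is None]
    return {
        "total": len(findings),
        "by_drive": Counter(f["drive"] for f in findings),
        "by_family": Counter(f["family"] for f in findings),
        # restore points that still hold infected copies, in numeric order
        "restore_points": sorted(
            {f["restore_point"] for f in findings if f["restore_point"]},
            key=lambda rp: int(rp[2:]),
        ),
        # files outside System Restore: these are live and still need removal
        "live_paths": [f["path"] for f in live],
        # anything the scanner only reported ("skipped") rather than cleaned
        "unhandled": [f["path"] for f in findings if f["status"].lower() not in HANDLED],
        # a live autorun.inf is the launcher an AutoRun worm uses on removable media
        "autorun_inf": [f["path"] for f in live if f["path"].lower().endswith("\\autorun.inf")],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Reading the summary: "skipped" means the scanner did not touch the object, so every restore-point copy stays until System Restore is cleared, while the entries outside a restore point (here the F:\ and H:\ files, and in particular the autorun.inf on the removable drive) are live files that a cleanup still has to remove.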
-
[quote name='guestolo' post='420380' date='Jan 29 2008, 07:12 PM']Looks as if Kaspersky's still found bad guys in your F:\ and H:\ drives.
What drives do those letters represent?
e.g. an external hard drive?[/quote]
The F: drive is my secondary internal HD
The H: drive is my usb flash drive
-
Did you plug the USB Flash drive in when you did fixes with Flash_Disinfector and Combofix?
-
[quote name='guestolo' post='420403' date='Jan 29 2008, 09:29 PM']Did you plug the USB Flash drive in when you did fixes with Flash_Disinfector and Combofix?[/quote]
yes
-
Open the Windows Control panel and open the Java icon
Clear the temp files
Exit
Your flash drive still has infected files. DO NOT share this with other infected computers in your household till the other computers are clean and this machine also.
Insert the USB drive into the computer.
If it wants to autostart, just close the prompt.
Afterwards:
Delete cfscript.txt on desktop, we're going to redo this step.
==Open Notepad and copy/paste the text in the quotebox below into it:
Don't use anything other than Notepad or the script will not work.
File::
F:\awda2.exe
F:\d.com
F:\juok3st.bat
F:\m1t8ta.com
F:\n1deiect.com
F:\nideiect.com
F:\ntde1ect.com
F:\qd.cmd
F:\tio8x6.cmd
F:\usdeiect.com
F:\uxdeiect.com
F:\xn1i9x.com
F:\xo8wr9.exe
F:\ylr.exe
H:\juok3st.bat
H:\autorun.inf
H:\xn1i9x.com
H:\awda2.exe
H:\d.com
H:\qd.cmd
H:\m1t8ta.com
Save this as a text file on your desktop:
CFScript
(http://img.photobucket.com/albums/v666/sUBs/CFScript.gif)
Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Don't mouse click on it, let it complete
When finished, it shall produce a log for you again, with the same name C:\ComboFix.txt.
Post that log back here
-
[quote name='guestolo' post='420406' date='Jan 29 2008, 09:45 PM']Open the Windows Control panel and open the Java icon
Clear the temp files
Exit
Your flash drive still has infected files. DO NOT share this with other infected computers in your household till the other computers are clean and this machine also.
Insert the USB drive into the computer.
If it wants to autostart, just close the prompt.
Afterwards:
Delete cfscript.txt on desktop, we're going to redo this step.
==Open Notepad and copy/paste the text in the quotebox below into it:
Don't use anything other than Notepad or the script will not work.
Save this as a text file on your desktop:
CFScript
(http://img.photobucket.com/albums/v666/sUBs/CFScript.gif)
Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Don't mouse click on it, let it complete
When finished, it shall produce a log for you again, with the same name C:\ComboFix.txt.
Post that log back here[/quote]
ComboFix 08-01-29.3 - Administrator 2008-01-29 22:08:02.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.637 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
[color="red"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
FILE
F:\awda2.exe
F:\d.com
F:\juok3st.bat
F:\m1t8ta.com
F:\n1deiect.com
F:\nideiect.com
F:\ntde1ect.com
F:\qd.cmd
F:\tio8x6.cmd
F:\usdeiect.com
F:\uxdeiect.com
F:\xn1i9x.com
F:\xo8wr9.exe
F:\ylr.exe
H:\autorun.inf
H:\awda2.exe
H:\d.com
H:\juok3st.bat
H:\m1t8ta.com
H:\qd.cmd
H:\xn1i9x.com
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
F:\awda2.exe
F:\d.com
F:\juok3st.bat
F:\m1t8ta.com
F:\n1deiect.com
F:\nideiect.com
F:\ntde1ect.com
F:\qd.cmd
F:\tio8x6.cmd
F:\usdeiect.com
F:\uxdeiect.com
F:\xn1i9x.com
F:\xo8wr9.exe
F:\ylr.exe
F:\awda2.exe
F:\d.com
F:\juok3st.bat
F:\m1t8ta.com
F:\n1deiect.com
F:\nideiect.com
F:\ntde1ect.com
F:\qd.cmd
F:\tio8x6.cmd
F:\usdeiect.com
F:\uxdeiect.com
F:\xn1i9x.com
F:\xo8wr9.exe
F:\ylr.exe
H:\autorun.inf . . . . failed to delete
H:\awda2.exe . . . . failed to delete
H:\d.com . . . . failed to delete
H:\juok3st.bat . . . . failed to delete
H:\m1t8ta.com . . . . failed to delete
H:\qd.cmd . . . . failed to delete
H:\xn1i9x.com . . . . failed to delete
H:\autorun.inf . . . . failed to delete
H:\awda2.exe . . . . failed to delete
H:\d.com . . . . failed to delete
H:\juok3st.bat . . . . failed to delete
H:\m1t8ta.com . . . . failed to delete
H:\qd.cmd . . . . failed to delete
H:\xn1i9x.com . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.
2008-01-29 02:45 . 2008-01-29 02:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-29 02:45 . 2008-01-29 02:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-25 09:11 . 2008-01-28 17:58 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-25 09:11 . 2008-01-28 17:58 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-24 04:16 . 2008-01-24 04:16 <DIR> d-------- C:\Program Files\Abexo
2008-01-24 00:38 . 2004-08-04 03:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-24 00:38 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-01-24 00:38 . 2004-08-04 07:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-01-24 00:38 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-01-24 00:38 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-01-24 00:38 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-01-24 00:38 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-01-24 00:38 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-01-24 00:36 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-01-24 00:35 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-01-24 00:34 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-24 00:33 . 2004-08-04 01:31 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-01-24 00:32 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-01-24 00:31 . 2001-08-17 13:28 907,456 --a--c--- C:\WINDOWS\system32\dllcache\hcf_msft.sys
2008-01-24 00:30 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-01-24 00:29 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-01-24 00:28 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-24 00:27 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-01-24 00:26 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-01-23 23:01 . 2008-01-28 22:17 <DIR> d-------- C:\VundoFix Backups
2008-01-23 00:45 . 2008-01-23 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 22:02 . 2008-01-22 22:02 435 --a------ C:\WINDOWS\system32\Shortcut to system32.lnk
2008-01-22 22:00 . 2008-01-22 23:55 289 --a------ C:\WINDOWS\wininit.ini
2008-01-22 20:40 . 2008-01-22 20:40 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Program Files\Jabra
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jabra
2007-12-16 16:52 . 2007-12-16 16:52 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-16 16:52 . 2007-12-16 16:52 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-15 18:51 . 2007-12-15 18:51 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-15 18:49 . 2007-12-15 18:49 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-15 18:49 . 2007-12-15 18:50 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-06 17:20 . 2008-01-23 15:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-06 17:20 . 2007-12-06 17:20 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 07:47 --------- d-----w C:\Program Files\Viewpoint
2008-01-29 07:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-29 07:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Viewpoint
2008-01-27 18:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-25 07:25 --------- d-----w C:\Program Files\HP
2008-01-24 08:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-24 00:38 --------- d-----w C:\Program Files\Winamp
2008-01-24 00:37 --------- d-----w C:\Program Files\QuickTime
2008-01-24 00:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 00:37 --------- d-----w C:\Program Files\iTunes
2008-01-17 04:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-01-16 02:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-15 23:41 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-03 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-01-03 02:22 --------- d-----w C:\Program Files\Creative
2008-01-03 02:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-16 23:27 --------- d-----w C:\Program Files\mIRC
2007-12-07 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-06 22:19 --------- d-----w C:\Program Files\iPod
2007-12-06 03:36 --------- d-----w C:\Program Files\AIM6
2007-12-06 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-28 18:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-09-19 01:07 20,688 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-04-12 04:41 92,064 ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-04-12 04:41 9,232 ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-04-12 04:41 79,328 ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-04-12 04:41 66,656 ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-04-12 04:41 6,208 ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-04-12 04:41 5,936 ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-04-12 04:41 4,048 ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-04-12 04:41 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-04-12 04:41 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2005-01-14 06:28 0 -c-h--w C:\Program Files\ENYOLINK Settings
2004-11-19 05:05 3,546 -c--a-w C:\Program Files\uninstal.log
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-28 17:58 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-30 12:19 4628480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-11-30 12:19 86016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 11:45 49152 C:\WINDOWS\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [2005-08-07 17:10 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 17:10 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-22 15:50:16 577597]
Color Calibration.lnk - C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe [2005-01-17 21:40:40 36864]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-10-08 19:34:22 434176]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2005-01-17 21:40:17 155715]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-11-30 12:19 921600 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"x10nets"=3 (0x3)
"IDriverT"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
R3 ATIDACXX;ATI DTV Wonder Analog Audio Capture Device;C:\WINDOWS\system32\drivers\atidacxx.sys [2005-09-26 20:21]
R3 ATIDDCXX;ATI DTV Wonder Digital BDA Capture Device;C:\WINDOWS\system32\drivers\atiddcxx.sys [2005-09-26 20:20]
R3 ATIDTUXX;ATI DTV Wonder Digital And Analog Tuner Device;C:\WINDOWS\system32\drivers\atidtuxx.sys [2005-09-26 20:21]
R3 ATIDVCXX;ATI DTV Wonder Analog AV Capture Device;C:\WINDOWS\system32\drivers\atidvcxx.sys [2005-09-26 20:20]
R3 ATIDXBXX;ATI DTV Wonder Analog AV Crossbar Device;C:\WINDOWS\system32\drivers\atidxbxx.sys [2005-09-26 20:20]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-07 16:54]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 09:05]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 09:27]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 09:05]
S3 S3SAV2K;S3SAV2K;C:\WINDOWS\system32\DRIVERS\s3sav2km.sys [2004-09-25 21:43]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 19:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 22:16:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\GameHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-01-29 22:21:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 03:21:53
ComboFix2.txt 2008-01-29 06:39:54
ComboFix3.txt 2008-01-29 05:32:42
.
2008-01-13 01:42:12 --- E O F ---
-
Does the flash drive have write protection enabled, locked down?
Can you try the following:
Download OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
- Save it to your desktop.
- Double-click OTMoveIt2.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
==============================================================================
H:\awda2.exe
H:\d.com
H:\juok3st.bat
H:\m1t8ta.com
H:\qd.cmd
H:\xn1i9x.com
H:\autorun.inf
H:\awda2.exe
H:\d.com
H:\juok3st.bat
H:\m1t8ta.com
H:\qd.cmd
H:\xn1i9x.com
==============================================================================
- Return to OTMoveIt2, right-click in the "Paste List of Files/Folders to be Moved" window and choose Paste.
- Click the red Moveit! button.
- Close OTMoveIt2.
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
OTMoveIt would have created a log at this location:
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Post that log, please.
-
Quote from guestolo (post 420416, Jan 29 2008, 11:06 PM):
> Does the flash drive have write protection enabled, locked down?
> Can you try the following:
> Download OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
> - Save it to your desktop.
> - Double-click OTMoveIt2.exe to run it.
> - Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
> ==============================================================================
> H:\awda2.exe
> H:\d.com
> H:\juok3st.bat
> H:\m1t8ta.com
> H:\qd.cmd
> H:\xn1i9x.com
> H:\autorun.inf
> H:\awda2.exe
> H:\d.com
> H:\juok3st.bat
> H:\m1t8ta.com
> H:\qd.cmd
> H:\xn1i9x.com
> ==============================================================================
> - Return to OTMoveIt2, right-click in the "Paste List of Files/Folders to be Moved" window and choose Paste.
> - Click the red Moveit! button.
> - Close OTMoveIt2.
> If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
> OTMoveIt would have created a log at this location:
> C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
> Post that log, please.
Write protection is not enabled.
[Custom Input]
< H:\awda2.exe >
File/Folder H:\awda2.exe not found.
< H:\d.com >
File/Folder H:\d.com not found.
< H:\juok3st.bat >
File/Folder H:\juok3st.bat not found.
< H:\m1t8ta.com >
File/Folder H:\m1t8ta.com not found.
< H:\qd.cmd >
File/Folder H:\qd.cmd not found.
< H:\xn1i9x.com >
File/Folder H:\xn1i9x.com not found.
< H:\autorun.inf >
File delete failed. H:\autorun.inf\lpt3.This folder was created by Flash_Disinfector scheduled to be deleted on reboot.
Folder move failed. H:\autorun.inf scheduled to be moved on reboot.
< H:\awda2.exe >
File/Folder H:\awda2.exe not found.
< H:\d.com >
File/Folder H:\d.com not found.
< H:\juok3st.bat >
File/Folder H:\juok3st.bat not found.
< H:\m1t8ta.com >
File/Folder H:\m1t8ta.com not found.
< H:\qd.cmd >
File/Folder H:\qd.cmd not found.
< H:\xn1i9x.com >
File/Folder H:\xn1i9x.com not found.
OTMoveIt2 v1.0.16 log created on 01302008_203737
-
Just want to let you know that every time I reboot, my printer driver installation boots up also, and when I open certain programs the Roxio Easy CD Creator starts installing itself again.
-
I'm more worried about your flash drive right now.
Can you insert it into the computer and hold down the SHIFT key as you do so,
so it won't autostart?
Navigate to My Computer; if you have nothing to save on it,
right-click on it and FORMAT it.
What printer do you have? There are thousands out there.
Give me a clue as to the one that's not working for you.
-
Quote from guestolo (post 420538, Jan 31 2008, 01:05 AM):
> I'm more worried about your flash drive right now.
> Can you insert it into the computer and hold down the SHIFT key as you do so,
> so it won't autostart?
> Navigate to My Computer; if you have nothing to save on it,
> right-click on it and FORMAT it.
> What printer do you have? There are thousands out there.
> Give me a clue as to the one that's not working for you.
I have an HP PSC 2400; it's working fine, but it'll reinstall itself once I put in the flash drive, or sometimes when I restart my computer. It hasn't done that since you told me to do all those scans, but once I put in the flash drive it popped up again. I'm thinking it has something to do with the trojan on my computer. There's no way to save the data on the flash drive?
Also, when I right-click on the flash drive from My Computer it starts installing Roxio Easy CD Creator, and when I plugged in the flash drive while holding down Shift, the printer driver installation popped up again.
-
Unfortunately, some files that were infected earlier were related to your printer and Roxio.
I don't know what happened to those files, unless you had a scanner delete them or you used ComboFix more times than I had you use it.
Let's try the following.
Delete your version of ComboFix.
Then redownload it.
Before doing anything else:
Insert your flash drive into the computer, holding down the Shift key so it won't autostart.
Then transfer any files you want to keep on it to your computer's hard drive.
Then format it.
Afterwards:
Do the following.
Delete cfscript.txt, as we're going to redo it and see if it's some help.
==Open Notepad and copy/paste the text in the quote box below into it:
Don't use anything other than Notepad or the script will not work.
RenV::
C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\ATI Multimedia\main\ATIDtct .EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET .EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
C:\Program Files\Winamp\winampa .exe
C:\WINDOWS\UpdReg .EXE
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\NeroCheck .exe
Save this as a txt file on your desktop, named CFScript.
(image: http://img.photobucket.com/albums/v666/sUBs/CFScript.gif)
Drag CFScript.txt onto ComboFix.exe.
ComboFix will start >> follow the prompts.
Don't mouse-click on it; let it complete.
When finished, it shall produce a log for you again, with the same name, C:\ComboFix.txt.
Post back all the following:
1. Post the log from ComboFix >> C:\ComboFix.txt
2. Run a fresh scan >> save the logfile with HijackThis and post its log too.
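An added example, not code from this thread and not part of ComboFix, OTMoveIt2 or any other tool mentioned in it: a small Python triage script that takes a list of file paths, such as the ones pasted in the OTMoveIt2 post and the RenV:: list above, and flags the three patterns visible in this thread's logs: an autorun.inf sitting in the root of a drive, file names that imitate a Windows boot file (ntde1ect.com, nideiect.com and usdeiect.com all stand in for ntdetect.com), and executables whose name has acquired a space in front of the extension, which is what the RenV:: list consists of. The sample paths are copied from the logs earlier in the thread, with two clean names added for contrast; the protected-name list and the edit-distance threshold of 3 are my own assumptions, not anything the tools in the thread use.

```python
import re
from typing import Dict, List, Optional

# Windows boot-time file names that autorun worms like to imitate at the root of a
# drive; assumed list, chosen from what the ComboFix log above shows being mimicked.
PROTECTED_NAMES = ["ntdetect.com", "ntldr", "boot.ini", "autorun.inf"]

# Largest edit distance that still counts as a look-alike (assumed; usdeiect.com is
# 3 substitutions away from ntdetect.com, nideiect.com is 2, ntde1ect.com is 1).
MAX_DISTANCE = 3

# Constructed sample input: paths copied from the "Other Deletions" and RenV:: lists
# earlier in the thread, plus two clean names to show what is not flagged.
SAMPLE_PATHS = [
    r"F:\ntde1ect.com",
    r"F:\nideiect.com",
    r"F:\usdeiect.com",
    r"F:\xo8wr9.exe",
    r"H:\autorun.inf",
    r"C:\Program Files\HP\hpcoretech\hpcmpmgr .exe",
    r"C:\WINDOWS\system32\ctfmon .exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"F:\holiday_photos.jpg",
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def is_drive_root(path: str) -> bool:
    """True for X:\\name, i.e. a file sitting directly in a drive's root directory."""
    return re.fullmatch(r"[A-Za-z]:\\[^\\]+", path) is not None


def has_space_before_extension(name: str) -> bool:
    """'hpcmpmgr .exe' style names, the pattern the RenV:: list in the thread repairs."""
    return re.search(r" \.[A-Za-z0-9]{1,4}$", name) is not None


def lookalike_of(name: str) -> Optional[str]:
    """Return the protected name this file name imitates, or None if it is not close.
    An exact match (distance 0) is the real file and is not a look-alike."""
    low = name.lower()
    best = min(PROTECTED_NAMES, key=lambda p: levenshtein(low, p))
    dist = levenshtein(low, best)
    return best if 0 < dist <= MAX_DISTANCE else None


def classify(path: str) -> List[str]:
    """All findings for one path; an empty list means nothing suspicious was seen."""
    name = basename(path)
    findings: List[str] = []
    if is_drive_root(path) and name.lower() == "autorun.inf":
        findings.append("autorun.inf at drive root")
    target = lookalike_of(name)
    if target is not None:
        findings.append(f"lookalike of {target}")
    if has_space_before_extension(name):
        findings.append("space before extension")
    return findings


def scan(paths: List[str]) -> Dict[str, List[str]]:
    """Map each flagged path to its findings; clean paths are left out."""
    flagged: Dict[str, List[str]] = {}
    for path in paths:
        findings = classify(path)
        if findings:
            flagged[path] = findings
    return flagged


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_PATHS).items():
        print(f"{path}: {', '.join(findings)}")
```

Run as a script it prints one line per flagged path. xo8wr9.exe is deliberately not flagged: a random-looking executable at a drive root is a weak signal on its own, so the script leaves that call to the analyst rather than treating every file on a flash drive as suspicious.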
-
ComboFix 08-02.01.2 - Administrator 2008-01-31 21:56:37.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.628 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.
2008-01-30 20:14 . 2008-01-30 20:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-30 20:14 . 2008-01-30 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-25 09:11 . 2008-01-28 17:58 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-25 09:11 . 2008-01-28 17:58 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-24 04:16 . 2008-01-24 04:16 <DIR> d-------- C:\Program Files\Abexo
2008-01-24 00:38 . 2004-08-04 03:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-24 00:38 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-01-24 00:38 . 2004-08-04 07:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-01-24 00:38 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-01-24 00:38 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-01-24 00:38 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-01-24 00:38 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-01-24 00:38 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-01-24 00:36 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-01-24 00:35 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-01-24 00:34 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-24 00:33 . 2004-08-04 01:31 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-01-24 00:32 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-01-24 00:31 . 2001-08-17 13:28 907,456 --a--c--- C:\WINDOWS\system32\dllcache\hcf_msft.sys
2008-01-24 00:30 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-01-24 00:29 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-01-24 00:28 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-24 00:27 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-01-24 00:26 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-01-23 23:01 . 2008-01-28 22:17 <DIR> d-------- C:\VundoFix Backups
2008-01-23 00:45 . 2008-01-23 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 22:02 . 2008-01-22 22:02 435 --a------ C:\WINDOWS\system32\Shortcut to system32.lnk
2008-01-22 22:00 . 2008-01-22 23:55 289 --a------ C:\WINDOWS\wininit.ini
2008-01-22 20:40 . 2008-01-22 20:40 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Program Files\Jabra
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jabra
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 07:04 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-31 01:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-01-29 07:47 --------- d-----w C:\Program Files\Viewpoint
2008-01-29 07:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-29 07:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Viewpoint
2008-01-27 18:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-25 07:25 --------- d-----w C:\Program Files\HP
2008-01-24 08:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-24 00:38 --------- d-----w C:\Program Files\Winamp
2008-01-24 00:37 --------- d-----w C:\Program Files\QuickTime
2008-01-24 00:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 00:37 --------- d-----w C:\Program Files\iTunes
2008-01-16 02:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-03 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-01-03 02:22 --------- d-----w C:\Program Files\Creative
2008-01-03 02:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-16 23:27 --------- d-----w C:\Program Files\mIRC
2007-12-15 23:51 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-07 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-06 22:19 --------- d-----w C:\Program Files\iPod
2007-12-06 03:36 --------- d-----w C:\Program Files\AIM6
2007-12-06 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-02 21:11 22,528 ----a-w C:\WINDOWS\system32\wsock32.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-09-19 01:07 20,688 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-04-12 04:41 92,064 ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-04-12 04:41 9,232 ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-04-12 04:41 79,328 ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-04-12 04:41 66,656 ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-04-12 04:41 6,208 ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-04-12 04:41 5,936 ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-04-12 04:41 4,048 ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-04-12 04:41 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-04-12 04:41 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2005-01-14 06:28 0 -c-h--w C:\Program Files\ENYOLINK Settings
2004-11-19 05:05 3,546 -c--a-w C:\Program Files\uninstal.log
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-28 17:58 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-30 12:19 4628480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-11-30 12:19 86016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 11:45 49152 C:\WINDOWS\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [2005-08-07 17:10 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 17:10 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-22 15:50:16 577597]
Color Calibration.lnk - C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe [2005-01-17 21:40:40 36864]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-10-08 19:34:22 434176]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2005-01-17 21:40:17 155715]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-11-30 12:19 921600 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"x10nets"=3 (0x3)
"IDriverT"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
R3 ATIDACXX;ATI DTV Wonder Analog Audio Capture Device;C:\WINDOWS\system32\drivers\atidacxx.sys [2005-09-26 20:21]
R3 ATIDDCXX;ATI DTV Wonder Digital BDA Capture Device;C:\WINDOWS\system32\drivers\atiddcxx.sys [2005-09-26 20:20]
R3 ATIDTUXX;ATI DTV Wonder Digital And Analog Tuner Device;C:\WINDOWS\system32\drivers\atidtuxx.sys [2005-09-26 20:21]
R3 ATIDVCXX;ATI DTV Wonder Analog AV Capture Device;C:\WINDOWS\system32\drivers\atidvcxx.sys [2005-09-26 20:20]
R3 ATIDXBXX;ATI DTV Wonder Analog AV Crossbar Device;C:\WINDOWS\system32\drivers\atidxbxx.sys [2005-09-26 20:20]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-07 16:54]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 09:05]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 09:27]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 09:05]
S3 S3SAV2K;S3SAV2K;C:\WINDOWS\system32\DRIVERS\s3sav2km.sys [2004-09-25 21:43]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 19:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 22:00:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\GameHook.dll
.
Completion time: 2008-01-31 22:01:35
ComboFix-quarantined-files.txt 2008-02-01 03:01:06
ComboFix2.txt 2008-01-31 07:16:08
ComboFix3.txt 2008-01-31 06:54:00
ComboFix4.txt 2008-01-31 01:35:23
ComboFix5.txt 2008-01-30 03:21:56
.
2008-01-13 01:42:12 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:59 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = forbin.qc.edu:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095300908968
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7385 bytes
-
Is AVAST running properly?
If its realtime protections are disabled, can you re-enable them and post a fresh HijackThis log
Let me know if it's running ok
Also, can you enter your Windows Control Panel and open Printers and Faxes
How many printers do you have installed?
Are they all the same printer?
Can you also post the next log
supply an uninstall list from HijackThis
Open HijackThis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the whole contents
-
[quote name='guestolo' post='420612' date='Jan 31 2008, 10:12 PM']Is AVAST running properly?
If its realtime protections are disabled, can you re-enable them and post a fresh HijackThis log
Let me know if it's running ok
Also, can you enter your Windows Control Panel and open Printers and Faxes
How many printers do you have installed?
Are they all the same printer?
Can you also post the next log
supply an uninstall list from HijackThis
Open HijackThis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the whole contents[/quote]
I can't re-enable the resident protection. There's no option for it. I have 4 printers installed; one of them is a fax, the 2400 is a printer, scanner, copier and fax.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:32 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = forbin.qc.edu:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095300908968
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7418 bytes
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.9
AIM 6
AOL Instant Messenger
Apache HTTP Server 1.3.29
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Decoder
ATI Decoder
ATI Multimedia Center 9.13
ATI Parental Control & Encoder
ATI Remote Wonder 3.0
Avanquest update
avast! Antivirus
AviSynth 2.5
BiAdmin
BitPim 0.9.03
BitTorrent 3.4.2
Blaze Media Pro
BT8010 Control Center version 1.3
Combined Community Codec Pack 2007-02-22
Commandos 3 - Destination Berlin
Cool Edit Pro 2.0
Creative Jukebox Driver
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen Micro
DAO
Data Lifeguard Tools
DivX Web Player
DVD Shrink 3.2
Easy CD & DVD Creator 6
Free CD Ripper 3.1
GdiplusUpgrade
Ghost Recon
Google Talk (remove only)
Hauppauge English Help Files and Resources
Hauppauge WinTV Infrared Remote
Hauppauge WinTV IR Blaster
Hauppauge WinTV Scheduler
Hauppauge WinTV2000
Hauppauge WinTV-PVR 150 Drivers
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Image Zone 3.5
HP Product Detection
HP PSC & OfficeJet 3.5
HP Update
Intel® PRO Network Adapters and Drivers
InterVideo FilterSDK for Hauppauge
InterVideo WinDVD 4
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
Java(tm) 6 Update 3
Kaspersky Online Scanner
LimeWire PRO 4.8.1
Logitech Desktop Messenger
Logitech SetPoint
MagicTune 2.5
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIRC
Motorola Driver Installation
Motorola Phone Tools
Motorola PST
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Natural Color
Nero 6 Ultra Edition
NVIDIA Drivers
overland
PHP 4.3.9
Print Server Driver
QuickTime
RealPlayer
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Sniffy Pro For Windows
Sound Blaster X-Fi
SPSS 8.0 for Windows
SSH Secure Shell
Steam
TeamSpeak 2 RC2
TitanTV Client components for ATI
TVUPlayer 2.2.0
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Ventrilo Client
VideoLAN VLC media player 0.8.2
Videora iPod Converter 0.91
WIBU-KEY Setup (WIBU-KEY Remove)
WIDCOMM Bluetooth Software
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinMX
WinRAR archiver
WinZip
XviD MPEG-4 Video Codec
-
Let's try a couple of steps
Avast needs replacing, and it appears Sun Java does too
Go to the following link and redownload Avast
and save to desktop for now
http://www.avast.com/eng/download-avast-home.html
Go to the next link and save the latest version of Sun Java to desktop
http://java.sun.com/javase/downloads/?intcmp=1281
At the link click on DOWNLOAD beside>>Java Runtime Environment (JRE) 6 Update 4
Select WINDOWS platform and then put a tick in "I agree to the Java SE Runtime Environment 6 License Agreement"
Then select CONTINUE
Next page select the Windows Offline Installation >>15.12 MB
jre-6u4-windows-i586-p.exe
Access your add/remove programs and remove all older versions of Sun Java
This includes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
Java™ 6 Update 3
Afterwards: Remove your version of avast! Antivirus
Reboot the computer afterwards
If you have trouble removing Avast
Download and run their uninstaller
http://www.avast.com/eng/avast-uninstall-utility.html
After the above has been uninstalled and you have restarted
Go ahead and install the latest version of Sun Java and Avast again
Don't forget to reregister Avast
Run a complete scan with Avast rebooting afterwards
Come back and let me know how things are running and we'll take it from there
-
[quote name='guestolo' post='420701' date='Feb 1 2008, 08:08 PM']Let's try a couple of steps
Avast needs replacing, and it appears Sun Java does too
Go to the following link and redownload Avast
and save to desktop for now
http://www.avast.com/eng/download-avast-home.html
Go to the next link and save the latest version of Sun Java to desktop
http://java.sun.com/javase/downloads/?intcmp=1281
At the link click on DOWNLOAD beside>>Java Runtime Environment (JRE) 6 Update 4
Select WINDOWS platform and then put a tick in "I agree to the Java SE Runtime Environment 6 License Agreement"
Then select CONTINUE
Next page select the Windows Offline Installation >>15.12 MB
jre-6u4-windows-i586-p.exe
Access your add/remove programs and remove all older versions of Sun Java
This includes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
Java™ 6 Update 3
Afterwards: Remove your version of avast! Antivirus
Reboot the computer afterwards
If you have trouble removing Avast
Download and run their uninstaller
http://www.avast.com/eng/avast-uninstall-utility.html
After the above has been uninstalled and you have restarted
Go ahead and install the latest version of Sun Java and Avast again
Don't forget to reregister Avast
Run a complete scan with Avast rebooting afterwards
Come back and let me know how things are running and we'll take it from there[/quote]
Avast found a lot of trojans and viruses. I try to move them to the chest but it says error.
-
Can you post the log from Avast?
Right click the Avast icon by the clock you should have an option to view logs
-
2/2/2008 1:27:53 PM Administrator 2156 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
2/2/2008 1:47:50 PM Administrator 1164 Sign of "Other:Malware-gen" has been found in "C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-42399452.zip\vmain.class" file.
2/2/2008 2:18:53 PM Administrator 1164 Sign of "Other:Malware-gen" has been found in "C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-1dadae47.zip\vmain.class" file.
2/2/2008 2:18:55 PM Administrator 1164 Sign of "Other:Malware-gen" has been found in "C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-b825669-6c9447f2.zip\vmain.class" file.
2/2/2008 3:21:34 PM Administrator 1164 Sign of "Win32:AutoRun-OM [Wrm]" has been found in "C:\QooBox\Quarantine\C\d.com.vir" file.
2/2/2008 3:21:53 PM Administrator 1164 Sign of "Win32:AutoRun-OK [Wrm]" has been found in "C:\QooBox\Quarantine\C\juok3st.bat.vir" file.
2/2/2008 3:21:55 PM Administrator 1164 Sign of "Win32:OnLineGames-CAA [Trj]" has been found in "C:\QooBox\Quarantine\C\m1t8ta.com.vir" file.
2/2/2008 3:21:57 PM Administrator 1164 Sign of "Win32:OnLineGames-BVY [Trj]" has been found in "C:\QooBox\Quarantine\C\n1deiect.com.vir" file.
2/2/2008 3:21:57 PM Administrator 1164 Sign of "Win32:OnLineGames-BVH [Trj]" has been found in "C:\QooBox\Quarantine\C\nideiect.com.vir" file.
2/2/2008 3:21:58 PM Administrator 1164 Sign of "Win32:OnLineGames-BSQ [Trj]" has been found in "C:\QooBox\Quarantine\C\ntde1ect.com.vir" file.
2/2/2008 3:21:59 PM Administrator 1164 Sign of "Win32:Agent-PSG [Drp]" has been found in "C:\QooBox\Quarantine\C\qd.cmd.vir" file.
2/2/2008 3:22:00 PM Administrator 1164 Sign of "Win32:AutoRun-OX [Wrm]" has been found in "C:\QooBox\Quarantine\C\tio8x6.cmd.vir" file.
2/2/2008 3:22:00 PM Administrator 1164 Sign of "Win32:Agent-PSQ [Rtk]" has been found in "C:\QooBox\Quarantine\C\usdeiect.com.vir" file.
2/2/2008 3:22:01 PM Administrator 1164 Sign of "Win32:OnLineGames-BSQ [Trj]" has been found in "C:\QooBox\Quarantine\C\WINDOWS\system32\avpo.exe.vir" file.
2/2/2008 3:22:01 PM Administrator 1164 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\QooBox\Quarantine\C\WINDOWS\system32\avpo0.dll.vir" file.
2/2/2008 3:22:02 PM Administrator 1164 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\QooBox\Quarantine\C\WINDOWS\system32\avpo1.dll.vir" file.
2/2/2008 3:22:03 PM Administrator 1164 Sign of "Win32:Agent-PSG [Drp]" has been found in "C:\QooBox\Quarantine\C\xn1i9x.com.vir" file.
2/2/2008 3:22:04 PM Administrator 1164 Sign of "Win32:Agent-PSG [Drp]" has been found in "C:\QooBox\Quarantine\C\xo8wr9.exe.vir" file.
2/2/2008 3:22:04 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\QooBox\Quarantine\catchme2008-01-29_ 03142.29.zip\jkhhe.dll" file.
2/2/2008 3:22:05 PM Administrator 1164 Sign of "Win32:AutoRun-OM [Wrm]" has been found in "C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip\d.com" file.
2/2/2008 3:27:19 PM Administrator 1164 Sign of "Win32:AutoRun-OX [Wrm]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005475.cmd" file.
2/2/2008 3:27:19 PM Administrator 1164 Sign of "Win32:AutoRun-OX [Wrm]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005491.cmd" file.
2/2/2008 3:27:19 PM Administrator 1164 Sign of "Win32:AutoRun-OX [Wrm]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005495.exe" file.
2/2/2008 3:27:20 PM Administrator 1164 Sign of "Win32:AutoRun-OX [Wrm]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005497.com" file.
2/2/2008 3:27:42 PM Administrator 1164 Sign of "Win32:AutoRun-ON [Wrm]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP45\A0005666.com" file.
2/2/2008 3:27:46 PM Administrator 1164 Sign of "Win32:AutoRun-ON [Wrm]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP45\A0005670.exe" file.
2/2/2008 3:27:50 PM Administrator 1164 Sign of "Win32:OnLineGames-BZN [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005752.dll" file.
2/2/2008 3:27:52 PM Administrator 1164 Sign of "Win32:AutoRun-OM [Wrm]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005787.com" file.
2/2/2008 3:27:53 PM Administrator 1164 Sign of "Win32:AutoRun-OM [Wrm]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005791.exe" file.
2/2/2008 3:27:53 PM Administrator 1164 Sign of "Win32:AutoRun-OW [Wrm]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005792.dll" file.
2/2/2008 3:27:59 PM Administrator 1164 Sign of "Win32:AutoRun-OK [Wrm]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0005961.bat" file.
2/2/2008 3:28:07 PM Administrator 1164 Sign of "Win32:AutoRun-OK [Wrm]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0005996.bat" file.
2/2/2008 3:28:08 PM Administrator 1164 Sign of "Win32:AutoRun-OK [Wrm]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006000.exe" file.
2/2/2008 3:28:08 PM Administrator 1164 Sign of "Win32:AutoRun-PB [Wrm]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006001.dll" file.
2/2/2008 3:28:09 PM Administrator 1164 Sign of "Win32:AutoRun-PB [Wrm]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006011.dll" file.
2/2/2008 3:28:09 PM Administrator 1164 Sign of "Win32:OnLineGames-CAA [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006012.com" file.
2/2/2008 3:28:10 PM Administrator 1164 Sign of "Win32:OnLineGames-CAB [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006024.dll" file.
2/2/2008 3:28:10 PM Administrator 1164 Sign of "Win32:OnLineGames-CAA [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006026.com" file.
2/2/2008 3:28:11 PM Administrator 1164 Sign of "Win32:OnLineGames-CAB [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006042.dll" file.
2/2/2008 3:28:11 PM Administrator 1164 Sign of "Win32:OnLineGames-CAA [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006044.com" file.
2/2/2008 3:28:11 PM Administrator 1164 Sign of "Win32:OnLineGames-CAA [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006050.exe" file.
2/2/2008 3:28:12 PM Administrator 1164 Sign of "Win32:OnLineGames-CAB [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006051.dll" file.
2/2/2008 3:28:13 PM Administrator 1164 Sign of "Win32:OnLineGames-CAB [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP49\A0006072.dll" file.
2/2/2008 3:28:16 PM Administrator 1164 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000184.dll" file.
2/2/2008 3:28:29 PM Administrator 1164 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000370.dll" file.
2/2/2008 3:28:34 PM Administrator 1164 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000387.dll" file.
2/2/2008 3:28:37 PM Administrator 1164 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000439.dll" file.
2/2/2008 3:28:38 PM Administrator 1164 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000461.dll" file.
2/2/2008 3:28:40 PM Administrator 1164 Sign of "Win32:AutoRun-PD [Wrm]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP51\A0006171.dll" file.
2/2/2008 3:28:44 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006253.com\[Embedded#1a83c]" file.
2/2/2008 3:28:45 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006270.exe\[Embedded#11550]" file.
2/2/2008 3:28:46 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006271.exe\[Embedded#19ea0]" file.
2/2/2008 3:28:47 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006273.exe\[Embedded#16b020]" file.
2/2/2008 3:28:47 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006274.EXE\[Embedded#0ef30]" file.
2/2/2008 3:28:48 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006276.exe\[Embedded#13bf68]" file.
2/2/2008 3:28:49 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006277.exe\[Embedded#1a83c]" file.
2/2/2008 3:28:49 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006278.exe\[Embedded#3bde0]" file.
2/2/2008 3:28:50 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006279.exe\[Embedded#11de0]" file.
2/2/2008 3:28:50 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006280.exe\[Embedded#0b9f00]" file.
2/2/2008 3:28:51 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006281.exe\[Embedded#3ef00]" file.
2/2/2008 3:28:51 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006282.exe\[Embedded#26d20]" file.
2/2/2008 3:28:52 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006283.exe\[Embedded#2cd50]" file.
2/2/2008 3:28:52 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006284.exe\[Embedded#213a0]" file.
2/2/2008 3:28:53 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006285.EXE\[Embedded#0bea0]" file.
2/2/2008 3:28:53 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006286.exe\[Embedded#0cd20]" file.
2/2/2008 3:28:54 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006287.EXE\[Embedded#16de0]" file.
2/2/2008 3:28:54 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006288.exe\[Embedded#098e8]" file.
2/2/2008 3:28:55 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006289.exe\[Embedded#0cdb0]" file.
2/2/2008 3:28:55 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006290.exe\[Embedded#144a8]" file.
2/2/2008 3:28:56 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006291.exe\[Embedded#46f60]" file.
2/2/2008 3:28:56 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006292.exe\[Embedded#4220c]" file.
2/2/2008 3:28:56 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006293.exe\[Embedded#00cdc]" file.
2/2/2008 3:28:57 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006296.exe\[Embedded#049b0]" file.
2/2/2008 3:28:57 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006297.com\[Embedded#1a83c]" file.
2/2/2008 3:28:58 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006299.exe\[Embedded#049b0]" file.
2/2/2008 3:28:59 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006319.exe\[Embedded#11550]" file.
2/2/2008 3:28:59 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006321.exe\[Embedded#19ea0]" file.
2/2/2008 3:29:01 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006322.exe\[Embedded#16b020]" file.
2/2/2008 3:29:01 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006323.EXE\[Embedded#0ef30]" file.
2/2/2008 3:29:02 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006326.exe\[Embedded#1a83c]" file.
2/2/2008 3:29:02 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006327.exe\[Embedded#3bde0]" file.
2/2/2008 3:29:03 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006328.exe\[Embedded#11de0]" file.
2/2/2008 3:29:03 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006329.exe\[Embedded#0b9f00]" file.
2/2/2008 3:29:04 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006330.exe\[Embedded#3ef00]" file.
2/2/2008 3:29:04 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006331.exe\[Embedded#26d20]" file.
2/2/2008 3:29:05 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006332.exe\[Embedded#2cd50]" file.
2/2/2008 3:29:05 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006333.exe\[Embedded#213a0]" file.
2/2/2008 3:29:06 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006334.EXE\[Embedded#0bea0]" file.
2/2/2008 3:29:06 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006335.exe\[Embedded#0cd20]" file.
2/2/2008 3:29:07 PM Administrator 1164 Sign of "Win32:TratBHO [T
-
Most of the files found are harmless for now, unless you try to use System Restore to an infected point.
How are things running at this point?
Did you run Avenger on this computer, possibly advised by someone else to do so?
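The distinction guestolo draws here, between signatures found in System Restore's cache and files on the live filesystem, is worth automating when an avast! log runs to hundreds of lines like the one pasted above. The script below is an added example, not code from this thread or from avast: it parses lines of the shape the log uses (date, time, user, pid, `Sign of "<signature>" has been found in "<path>" file.`), groups hits by signature family, category and restore point, and separates restore-point copies (inert until someone restores to that point) from live paths. The sample log, its GUID, the `Scan finished.` line and the `constructed_example.dll` path are all constructed for illustration; the signature names are the ones that appear in the thread.

```python
import re
from collections import Counter

# Shape of an avast! scan log line as pasted in the thread:
#   <m/d/yyyy> <h:mm:ss AM|PM> <user> <pid> Sign of "<signature>" has been found in "<path>" file.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>\S+) (?P<pid>\d+) Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>.+)" file\.$'
)
# Windows System Restore keeps file copies under <volume>\System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(r'\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\', re.IGNORECASE)
# avast appends an offset marker when the hit is inside a container (installer, archive, ...)
EMBEDDED_RE = re.compile(r'\\\[Embedded#[0-9A-Fa-f]+\]$')

# avast's bracketed suffix -> coarse category; braces like {Other} are passed through as-is
CATEGORIES = {"Trj": "trojan", "Wrm": "worm", "Rtk": "rootkit"}


def parse_line(line):
    """Return a dict describing one detection, or None for lines that are not detections."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sig = m.group("sig")
    name = sig.split()[0]                 # e.g. "Win32:AutoRun-LX"
    family = name.rsplit("-", 1)[0]       # e.g. "Win32:AutoRun" (variant suffix dropped)
    tag = re.search(r'\[(\w+)\]|\{([^}]+)\}', sig)
    category = "unknown"
    if tag:
        raw = tag.group(1) or tag.group(2)
        category = CATEGORIES.get(raw, raw)
    path = m.group("path")
    embedded = bool(EMBEDDED_RE.search(path))
    container = EMBEDDED_RE.sub("", path)  # the on-disk file that holds the hit
    rp = RESTORE_RE.search(container)
    return {
        "signature": sig,
        "family": family,
        "category": category,
        "path": container,
        "embedded": embedded,
        "restore_point": rp.group(1) if rp else None,  # None => file is on the live filesystem
    }


def summarize(lines):
    """Aggregate detections so a responder sees what is inert (restore-point cache) and what is live."""
    hits = [h for h in (parse_line(l) for l in lines) if h]
    live = [h["path"] for h in hits if h["restore_point"] is None]
    in_rp = sum(1 for h in hits if h["restore_point"])
    recommendations = []
    if live:
        recommendations.append("live infected files present: clean these before anything else")
    if in_rp:
        recommendations.append("hits in restore points: purge them by turning System Restore off and on again")
    return {
        "total": len(hits),
        "live": live,
        "in_restore_points": in_rp,
        "by_category": Counter(h["category"] for h in hits),
        "by_family": Counter(h["family"] for h in hits),
        "by_restore_point": Counter(h["restore_point"] for h in hits if h["restore_point"]),
        "embedded": sum(1 for h in hits if h["embedded"]),
        "recommendations": recommendations,
    }


# Constructed sample log: same line shape as the thread, placeholder GUID, one constructed live path
# and one constructed non-detection line to show that parse_line() skips it.
SAMPLE_LOG = r"""
2/2/2008 3:27:01 PM Administrator 1164 Sign of "Win32:Agent-PSQ [Rtk]" has been found in "C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP30\A0004132.com" file.
2/2/2008 3:27:03 PM Administrator 1164 Sign of "Win32:AutoRun-LX [Wrm]" has been found in "C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP32\A0005182.com" file.
2/2/2008 3:27:05 PM Administrator 1164 Sign of "Win32:OnLineGames-BTB [Trj]" has been found in "C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP33\A0005226.exe" file.
2/2/2008 3:28:16 PM Administrator 1164 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP5\A0000184.dll" file.
2/2/2008 3:28:44 PM Administrator 1164 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP53\A0006253.com\[Embedded#1a83c]" file.
2/2/2008 3:30:00 PM Administrator 1164 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\constructed_example.dll" file.
2/2/2008 3:30:01 PM Administrator 1164 Scan finished.
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.strip().splitlines())
    for key, value in report.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run against a real log by replacing `SAMPLE_LOG` with the file's contents; anything in `live` is the part that still matters, while `by_restore_point` tells you which restore points would reintroduce the malware if used.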
-
[quote name='guestolo' post='420863' date='Feb 4 2008, 08:12 PM']Most of the files found are harmless for now, unless you try to use System Restore to an infected point.
How are things running at this point?
Did you run Avenger on this computer, possibly advised by someone else to do so?[/quote]
Yeah, I was told to run Avenger by another forum before coming to this forum. Things are running fine now, except that the printer driver still reinstalls itself at startup. The same happens with my Roxio Easy CD Creator and my Microsoft ActiveSync when I plug in my cell phone. Other than that my computer is fine. Is it safe to use my computer now? I still haven't solved the problem with my flash drive. Will I have to format it? Is there any way to recover the data on it?
-
[quote]I still haven't solved the problem with my flash drive[/quote]
Did you try my suggestion of holding the Shift key down so it won't autostart?
Transfer any needed files, etc. from it to the hard disk on your computer, then reformat it.
Then you can transfer them back to the flash drive.
Let's clear the following:
Clear your System Restore points:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives", as shown in this illustration.
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
Then reverse the above to re-enable System Restore.
Go to START>>Control Panel>>Java.
Clear your Temp files under the General tab.
These are the programs you may be having a problem with.
These programs should be uninstalled and reinstalled; they may have been infected and not be working properly:
Sound Blaster X-Fi
HP Software Update
iTunes
LogitechDesktopMessenger
Easy CD Creator 6
Winamp
LogitechDesktopMessenger and HP Software Update are not really required unless needed,
nor are the others, except for Sound Blaster X-Fi,
which may be related to your sound drivers.
Are you having any problems with your video driver?
-
No problems with video driver. Everything seems to be running fine. Thank you for your time and patience!
-
Thank you very much for the donation.
Can you still do the following?
Go to START>>RUN, then copy and paste the command below and hit OK:
combofix /u
This will uninstall ComboFix and its components.
OTMoveIt.exe - Please double-click OTMoveIt.exe to run it.
- Click the Cleanup! button.
A list will be downloaded>>Allow it Internet access if prompted by your firewall.
Don't change anything in this list.
- Select Yes at the prompt.
Wait for the confirmation box to open to reboot the computer.
Don't mouse-click during the wait, as you may cause the tool to stall.
- Select Yes to reboot now.
NOTE: This procedure will also delete OTMoveIt.exe from the desktop, along with the other tools we used for cleaning.
I suggest that you add SpywareBlaster to your protection software.
SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
* Will block bad ActiveX controls
* Will block malevolent cookies in Internet Explorer and Firefox
* Will restrict actions of potentially dangerous sites in Internet Explorer
After installation, check for updates.
After updating, select "Protection" on the left.
Then select "Enable all Protection".
Check for updates every couple of weeks; after every update, simply click "enable protection on all unprotected items".
Take a look at other safety precautions:
Why Did I Get Infected in the First Place? (http://www.wilderssecurity.com/showthread.php?t=27971)
Take care, ixjerryxi