Help to remove tavo.exe, kavo.exe, cc.exe, ff.exe


16 replies to this topic

#1 Vadim

Vadim

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 30 March 2008 - 07:21 AM

I caught a Trojan horse virus and now I have kavo.exe, tavo.exe, cc.exe, ff.exe popping up at every boot. Please help to remove it. I've run HijackThis and below is my file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:41 AM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
D:\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Messenger\msmsgs.exe
D:\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\TEMP\BRE3C.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
D:\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [HP Software Update] D:\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = techview.com.tw
O17 - HKLM\Software\..\Telephony: DomainName = techview.com.tw
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = techview.com.tw
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = techview.com.tw
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7036 bytes



#2 DFW

DFW

    Authentic Member

  • Visiting Fellow
  • PipPip
  • 170 posts

Posted 30 March 2008 - 01:01 PM

Hello and welcome. My name is DFW and I will be assisting you with your malware issues.

Please be patient as I need some time to review your HijackThis log and I will post back recommendations for repairs.
As I am still in training, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.
  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page in case you need it for reference.

Member of UNITE and ASAP

#3 Vadim

Vadim

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 30 March 2008 - 02:37 PM

DFW, Thanks for your reply. I am standing by.

#4 DFW

DFW

    Authentic Member

  • Visiting Fellow
  • PipPip
  • 170 posts

Posted 31 March 2008 - 03:18 AM

Hi Vadim


You are infected with a password-stealing Trojan for the online game Lineage, and other online games.

http://www.lineage2....ity_faq.html#02

If you use this online game, or any other online games, I would use a clean computer to change your passwords; don't
do it on the system you posted the HJT log from until it's clean.





1. Download and run ComboFix

For information regarding Combofix, please visit this webpage:
http://www.bleepingc...to-use-combofix
Please ensure you install the Recovery Console

Download this file from one of the three below listed places and place it at your DESKTOP

Link 1
Link 2
Link 3

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".


ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note: Combofix should not be used without supervision



Post back

A new HJT Log
Combofix Log

Member of UNITE and ASAP

#5 Vadim

Vadim

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 31 March 2008 - 06:51 AM

dfw,

I am not a gamer at all but I guess I know when I got this virus. I was on a business trip and in order to connect to the internet from the hotel I had to disable my firewall. It is totally my fault. Below are the reports that you've asked me to run.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:40, on 2008-03-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
D:\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [HP Software Update] D:\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = techview.com.tw
O17 - HKLM\Software\..\Telephony: DomainName = techview.com.tw
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = techview.com.tw
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = techview.com.tw
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7032 bytes


Combofix Log:

ComboFix 08-03-30.3 - 96111201 2008-03-31 8:37:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.538 [GMT -4:00]
Running from: C:\Documents and Settings\96111201\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo1.dll
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://tvisus
.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-30 09:25 . 2008-03-30 09:24 117,092 -r-hs---- C:\l9dwu8.bat
2008-03-28 14:27 . 2008-03-28 14:28 <DIR> d-------- C:\Documents and Settings\Administrator.T96111201\Application Data\AVG7
2008-03-28 13:07 . 2008-03-28 13:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-28 11:18 . 2008-03-28 13:00 <DIR> d-------- C:\Program Files\Filseclab
2008-03-28 11:18 . 2008-03-28 13:41 <DIR> d-------- C:\Program Files\Common Files\Filseclab
2008-03-28 11:18 . 2008-03-28 11:18 <DIR> d-------- C:\Documents and Settings\96111201\Application Data\InstallShield
2008-03-27 20:57 . 2008-03-27 20:56 116,748 -r-hs---- C:\k08aww.bat
2008-03-27 11:00 . 2008-03-27 11:12 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-25 09:55 . 2008-03-25 09:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-25 09:55 . 2008-03-25 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-25 09:55 . 2008-03-30 09:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-25 09:55 . 2008-03-25 11:11 <DIR> d-------- C:\Documents and Settings\96111201\Application Data\AVG7
2008-03-25 09:52 . 2008-03-25 09:54 35,960,792 --a------ C:\avg75free_519a1276.exe
2008-03-24 08:05 . 2008-03-25 08:02 113,971 -r-hs---- C:\ekf6dbg0.com
2008-03-23 15:45 . 2008-03-31 08:05 81,408 -r-hs---- C:\WINDOWS\system32\tavo0.dll
2008-03-21 12:17 . 2008-03-21 12:17 115,665 -r-hs---- C:\dyr2j6mv.exe
2008-03-13 13:12 . 2008-03-13 13:12 <DIR> d-------- C:\Program Files\MSECache
2008-02-14 14:09 . 2008-02-14 14:14 <DIR> d-------- C:\WINDOWS\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 12:06 --------- d-----w C:\Documents and Settings\96111201\Application Data\Skype
2008-03-31 12:05 --------- d-----w C:\Documents and Settings\96111201\Application Data\skypePM
2008-03-30 13:08 --------- d-----w C:\Program Files\Trend Micro
2008-03-28 15:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-25 13:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2007-11-15 16:27 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-12 03:48 21760296]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 05:30 282624 C:\WINDOWS\stsystra.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-27 23:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-27 23:56 602182]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 05:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 05:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 05:45 118784]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-05-09 02:36 356352]
"HP Software Update"="D:\HP\HP Software Update\HPWuSchd2.exe" [2006-02-18 14:41 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-25 09:55 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-25 09:55 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-11-06 03:08:00 1385400]
HP Digital Imaging Monitor.lnk - D:\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-18 16:21:22 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 PortTalk;PortTalk;C:\WINDOWS\system32\Drivers\PortTalk.sys [2007-11-15 11:39]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2002-10-01 01:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37acd81b-f99b-11dc-bd61-00059a3c7800}]
\Shell\AutoRun\command - F:\ekf6dbg0.com
\Shell\explore\Command - F:\ekf6dbg0.com
\Shell\open\Command - F:\ekf6dbg0.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6f80cce-f038-11dc-bd46-0015c578b075}]
\Shell\AutoRun\command - F:\kqsr.exe
\Shell\explore\Command - F:\kqsr.exe
\Shell\open\Command - F:\kqsr.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 08:38:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-31 8:39:07
ComboFix-quarantined-files.txt 2008-03-31 12:38:58
Pre-Run: 14,390,210,560 bytes free
Post-Run: 14,382,792,704 bytes free
.
2008-03-20 02:20:35 --- E O F ---
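As an added example (not from the thread, and not code from the HijackThis or ComboFix authors), here is a small Python triage script that applies two of the checks DFW made by eye on the logs in posts #1 and #5: per-user Run values under HKCU/HKUS whose target sits in the Windows system directory (the kavo.exe/tavo.exe pattern), and the mountpoints2 AutoRun handlers in the ComboFix log that record how the worm launches from the F: removable drive. The sample lines are copied from the logs above; the function and class names are my own.

```python
"""Triage helpers for HijackThis O4 lines and ComboFix mountpoints2 blocks.

Added example; not part of the forum thread or of either tool.
Heuristic 1: a per-user (HKCU or HKUS\<SID>) Run value pointing into
  the Windows system directory. Legitimate per-user autostarts point at
  the profile or Program Files; system32 targets registered per user are
  a common trojan persistence pattern (kavo.exe / tavo.exe above).
Heuristic 2: every Shell\<verb>\command under a mountpoints2 subkey is
  the command Explorer runs when that removable volume is opened, i.e.
  the USB spreading hook that must be removed along with the file.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the HijackThis O4 lines posted in the thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Constructed sample: the mountpoints2 section of the ComboFix log above.
COMBOFIX_SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37acd81b-f99b-11dc-bd61-00059a3c7800}]
\Shell\AutoRun\command - F:\ekf6dbg0.com
\Shell\explore\Command - F:\ekf6dbg0.com
\Shell\open\Command - F:\ekf6dbg0.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6f80cce-f038-11dc-bd46-0015c578b075}]
\Shell\AutoRun\command - F:\kqsr.exe
"""


@dataclass
class AutostartEntry:
    hive: str     # "HKLM", "HKCU" or "HKUS\S-1-5-18"
    name: str     # registry value name, e.g. "kava"
    command: str  # command line exactly as logged
    target: str   # executable path extracted from the command


@dataclass
class AutoRunHandler:
    volume_guid: str  # mountpoints2 subkey, one per volume Windows has mounted
    verb: str         # AutoRun, open or explore
    target: str       # what Explorer would launch, e.g. F:\kqsr.exe


_O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_SYSTEM_DIR_RE = re.compile(r"\\windows\\system(32)?\\", re.IGNORECASE)
_MP2_KEY_RE = re.compile(r"^\[.*\\mountpoints2\\(?P<guid>\{[^}]+\})\]$", re.IGNORECASE)
_MP2_CMD_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<target>.+)$", re.IGNORECASE)
_EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|scr|dll))", re.IGNORECASE)


def extract_target(command: str) -> str:
    """Executable path from a Run value: quoted paths end at the closing
    quote, unquoted ones are cut after the first executable extension."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = _EXE_RE.match(command)
    return m.group(1) if m else command.split(" ")[0]


def parse_o4(log: str) -> List[AutostartEntry]:
    """Parse every 'O4 - <hive>\\..\\Run: [name] command' line of a HJT log."""
    entries = []
    for line in log.splitlines():
        m = _O4_RE.match(line.strip())
        if m:
            entries.append(AutostartEntry(m["hive"], m["name"], m["cmd"],
                                          extract_target(m["cmd"])))
    return entries


def suspicious_user_run(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """Per-user Run values that launch something from the system directory."""
    return [e for e in entries
            if e.hive.upper().startswith(("HKCU", "HKUS"))
            and _SYSTEM_DIR_RE.search(e.target)]


def parse_mountpoints2(log: str) -> List[AutoRunHandler]:
    """Collect the Shell\\<verb>\\command targets under each mountpoints2 key."""
    handlers: List[AutoRunHandler] = []
    guid = None
    for raw in log.splitlines():
        line = raw.strip()
        key = _MP2_KEY_RE.match(line)
        if key:
            guid = key["guid"]
            continue
        cmd = _MP2_CMD_RE.match(line)
        if cmd and guid:
            handlers.append(AutoRunHandler(guid, cmd["verb"], cmd["target"]))
    return handlers


def report(hjt_log: str, combofix_log: str) -> List[str]:
    """One finding per line, in the form a helper would paste into a reply."""
    lines = []
    for e in suspicious_user_run(parse_o4(hjt_log)):
        lines.append(f"per-user autostart [{e.name}] under {e.hive} runs {e.target}")
    for h in parse_mountpoints2(combofix_log):
        lines.append(f"removable-drive {h.verb} handler {h.volume_guid} runs {h.target}")
    return lines


if __name__ == "__main__":
    for finding in report(HJT_SAMPLE, COMBOFIX_SAMPLE):
        print(finding)
```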

#6 Vadim

Vadim

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 31 March 2008 - 07:19 AM

DFW, my AVG just found l9dwu8.bat, kavo.exe.vir and A0011671.exe as more Trojan horse programs.

#7 DFW

DFW

    Authentic Member

  • Visiting Fellow
  • PipPip
  • 170 posts

Posted 31 March 2008 - 02:21 PM

I would like you to scan a file online please.


Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\Documents and Settings\All Users\Application Data\ezsid.dat
Click Submit.



Please post the results of this scan into your next post.


Please connect your external hard drive/flash drive before running Combofix



  • Now please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File:: 
    F:\kqsr.exe
    F:\ekf6dbg0.com
    C:\k08aww.bat
    C:\ekf6dbg0.com
    C:\WINDOWS\system32\tavo0.dll
    C:\dyr2j6mv.exe
    C:\l9dwu8.bat
    
    DirLook::
    C:\WINDOWS\SxsCaPendDel
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37acd81b-f99b-11dc-bd61-00059a3c7800}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6f80cce-f038-11dc-bd46-0015c578b075}]

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    [Screenshot: dragging CFScript.txt onto ComboFix.exe]


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



  • Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  • Double click on mbam-setup.exe to install it.
  • Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  • Select the Scanner tab. Click on Perform full scan, then click on Scan.
  • Leave the default options as they are and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items and click on Remove Selected.
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.





Please post

The results from scanning the one file.
the new Combofix Log
Malwarebytes' Anti-Malware Log

Edited by dfw, 31 March 2008 - 02:25 PM.

Member of UNITE and ASAP

#8 Vadim

Vadim

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 31 March 2008 - 05:02 PM

DFW,

Below are the logs:

On line scan result:

Scan taken on 31 Mar 2008 21:34:03 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Combofix log:

ComboFix 08-03-30.3 - 96111201 2008-03-31 18:03:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.471 [GMT -4:00]
Running from: C:\Documents and Settings\96111201\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\96111201\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\dyr2j6mv.exe
C:\ekf6dbg0.com
C:\k08aww.bat
C:\l9dwu8.bat
C:\WINDOWS\system32\tavo0.dll
F:\ekf6dbg0.com
F:\kqsr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dyr2j6mv.exe
C:\ekf6dbg0.com
C:\k08aww.bat
C:\WINDOWS\system32\tavo0.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-28 14:27 . 2008-03-28 14:28 <DIR> d-------- C:\Documents and Settings\Administrator.T96111201\Application Data\AVG7
2008-03-28 13:07 . 2008-03-28 13:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-28 11:18 . 2008-03-28 13:00 <DIR> d-------- C:\Program Files\Filseclab
2008-03-28 11:18 . 2008-03-28 13:41 <DIR> d-------- C:\Program Files\Common Files\Filseclab
2008-03-28 11:18 . 2008-03-28 11:18 <DIR> d-------- C:\Documents and Settings\96111201\Application Data\InstallShield
2008-03-27 11:00 . 2008-03-27 11:12 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-25 09:55 . 2008-03-25 09:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-25 09:55 . 2008-03-25 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-25 09:55 . 2008-03-31 09:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-25 09:55 . 2008-03-25 11:11 <DIR> d-------- C:\Documents and Settings\96111201\Application Data\AVG7
2008-03-25 09:52 . 2008-03-25 09:54 35,960,792 --a------ C:\avg75free_519a1276.exe
2008-03-13 13:12 . 2008-03-13 13:12 <DIR> d-------- C:\Program Files\MSECache
2008-02-14 14:09 . 2008-02-14 14:14 <DIR> d-------- C:\WINDOWS\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 21:54 --------- d-----w C:\Documents and Settings\96111201\Application Data\Skype
2008-03-31 21:27 --------- d-----w C:\Documents and Settings\96111201\Application Data\skypePM
2008-03-30 13:08 --------- d-----w C:\Program Files\Trend Micro
2008-03-28 15:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-25 13:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2007-11-15 16:27 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\SxsCaPendDel ----



((((((((((((((((((((((((((((( snapshot@2008-03-31_ 8.38.52.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-31 12:10:01 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-31 21:57:39 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-31 12:10:01 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-31 21:57:39 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-12 03:48 21760296]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 05:30 282624 C:\WINDOWS\stsystra.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-27 23:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-27 23:56 602182]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 05:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 05:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 05:45 118784]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-05-09 02:36 356352]
"HP Software Update"="D:\HP\HP Software Update\HPWuSchd2.exe" [2006-02-18 14:41 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-25 09:55 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-25 09:55 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-11-06 03:08:00 1385400]
HP Digital Imaging Monitor.lnk - D:\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-18 16:21:22 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 PortTalk;PortTalk;C:\WINDOWS\system32\Drivers\PortTalk.sys [2007-11-15 11:39]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2002-10-01 01:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{121c5330-ff1f-11dc-bd81-00059a3c7800}]
\Shell\AutoRun\command - F:\ekf6dbg0.com
\Shell\explore\Command - F:\ekf6dbg0.com
\Shell\open\Command - F:\ekf6dbg0.com

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 18:09:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-31 18:11:55
ComboFix-quarantined-files.txt 2008-03-31 22:11:40
ComboFix2.txt 2008-03-31 21:47:35
ComboFix3.txt 2008-03-31 12:39:08
Pre-Run: 14,506,012,672 bytes free
Post-Run: 14,494,736,384 bytes free
.
2008-03-20 02:20:35 --- E O F ---

Malwarebytes' Anti-Malware Log:

Malwarebytes' Anti-Malware 1.09
Database version: 574

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 65521
Time elapsed: 22 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 50

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\k08aww.bat.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kavo0.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP103\A0010212.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP103\A0010216.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP104\A0010239.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP104\A0011210.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP104\A0011218.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP104\A0011226.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP104\A0011228.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP105\A0011241.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP106\A0011261.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP106\A0011293.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP106\A0011297.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011365.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011429.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011431.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011442.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011445.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011470.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011472.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011489.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011490.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011515.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011519.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011531.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011533.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011552.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011554.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011568.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011569.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011584.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011585.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP108\A0011672.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP109\A0011822.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\k08aww.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP103\A0010214.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP104\A0010241.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP104\A0011230.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP105\A0011243.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP106\A0011263.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP106\A0011295.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011367.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011433.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011447.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011474.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011492.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011521.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011535.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011556.bat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011571.bat (Trojan.Agent) -> Quarantined and deleted successfully.

#9 DFW

DFW

    Authentic Member

  • Visiting Fellow
  • 170 posts

Posted 01 April 2008 - 06:47 AM

Please connect all your external hard drives/flash drives before running ComboFix again.


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".



  • Now please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File:: 
    F:\ekf6dbg0.com
    
    Folder::
    C:\WINDOWS\SxsCaPendDel
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{121c5330-ff1f-11dc-bd81-00059a3c7800}]

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Posted Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.





Download CCleaner and run it on each user account before the online scan.

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder,
back it up or move it to a permanent folder prior to running CCleaner!


Download CCleaner to clean temp files from your computer.

http://www.ccleaner....ownloading-slim


Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted.
(If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
Deselect "Only delete files in Windows Temp folders older than 48 hours."
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.

  • Click the "Run Cleaner" button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click "OK"
  • CCleaner will scan and clean your system.
  • When cleaning is complete:
  • Click "Exit".
  • Repeat for all usernames.





1 - Kaspersky Online Scan
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (If available otherwise Standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    Posted Image
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)

    Posted Image
  • Copy and paste the report in your next post.
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.




Please post

A new HJT Log
New Combofix Log
Kaspersky Online Scan Log

Member of UNITE and ASAP
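The CFScript above removes, by hand, a mountpoints2 key whose AutoRun/open/explore verbs point at a launcher on the F: drive. As an added example (not part of this thread and not a ComboFix tool), the script below reads the "Reg Loading Points" block of a ComboFix log in the format shown earlier in the thread, picks out such mountpoints2 redirections, and emits the matching File:: and Registry:: lines; the sample log text is constructed from the entries posted above.

```python
"""Generate CFScript File::/Registry:: lines from the mountpoints2 entries
ComboFix prints under "Reg Loading Points". Added example; the log excerpt
below is constructed from the ComboFix log posted earlier in this thread."""
import re

# Constructed sample: the mountpoints2 block plus one unrelated Run key,
# copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{121c5330-ff1f-11dc-bd81-00059a3c7800}]
\Shell\AutoRun\command - F:\ekf6dbg0.com
\Shell\explore\Command - F:\ekf6dbg0.com
\Shell\open\Command - F:\ekf6dbg0.com

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-12 03:48 21760296]
"""

# A per-volume mountpoints2 key, as ComboFix prints it: [HKCU\...\mountpoints2\{GUID}]
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
# A shell verb redirected to a command, e.g. "\Shell\AutoRun\command - F:\ekf6dbg0.com"
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.I)


def find_autorun_entries(log_text):
    """Return [(registry_key, {verb: command})] for every mountpoints2 key
    whose shell verbs have been redirected. Explorer consults these verbs
    when the drive is opened, so a redirected 'open'/'explore' verb makes
    double-clicking the drive run the launcher instead of showing files."""
    entries = []
    current = None
    for line in log_text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1), {})
            entries.append(current)
            continue
        if line.startswith("["):
            current = None  # some other registry key: stop collecting verbs
            continue
        if current is not None:
            v = VERB_RE.match(line)
            if v:
                current[1][v.group(1).lower()] = v.group(2).strip()
    # keep only keys that actually redirect a verb
    return [e for e in entries if e[1]]


def build_cfscript(entries):
    """Emit CFScript sections in the layout used in this thread: File:: lists
    each launcher the verbs point at, Registry:: removes the redirecting key
    with the [-KEY] form."""
    files = []
    for _key, verbs in entries:
        for cmd in verbs.values():
            if cmd not in files:
                files.append(cmd)
    lines = ["File::"] + files + ["", "Registry::"]
    lines += ["[-%s]" % key for key, _verbs in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(find_autorun_entries(SAMPLE_LOG)), end="")
```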

#10 Vadim

Vadim

    New Member

  • New Member
  • 11 posts

Posted 01 April 2008 - 09:10 AM

DFW,

Please find the latest logs below:

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58, on 2008-04-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\FY3F34.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
D:\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\userinit.exe
D:\HP\Digital Imaging\bin\hpqtra08.exe
D:\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [HP Software Update] D:\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = techview.com.tw
O17 - HKLM\Software\..\Telephony: DomainName = techview.com.tw
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = techview.com.tw
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = techview.com.tw
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7360 bytes


Combofix Log:

ComboFix 08-03-30.3 - 96111201 2008-04-01 9:06:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.487 [GMT -4:00]
Running from: C:\Documents and Settings\96111201\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\96111201\Desktop\CFScript.txt
* Created a new restore point

FILE ::
F:\ekf6dbg0.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SxsCaPendDel

.
((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-03-31 18:24 . 2008-03-31 18:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-31 18:24 . 2008-03-31 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-31 18:24 . 2008-03-31 18:24 <DIR> d-------- C:\Documents and Settings\96111201\Application Data\Malwarebytes
2008-03-28 14:27 . 2008-03-28 14:28 <DIR> d-------- C:\Documents and Settings\Administrator.T96111201\Application Data\AVG7
2008-03-28 13:07 . 2008-03-28 13:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-28 11:18 . 2008-03-28 13:00 <DIR> d-------- C:\Program Files\Filseclab
2008-03-28 11:18 . 2008-03-28 13:41 <DIR> d-------- C:\Program Files\Common Files\Filseclab
2008-03-28 11:18 . 2008-03-28 11:18 <DIR> d-------- C:\Documents and Settings\96111201\Application Data\InstallShield
2008-03-27 11:00 . 2008-03-27 11:12 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-25 09:55 . 2008-03-25 09:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-25 09:55 . 2008-03-25 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-25 09:55 . 2008-03-31 09:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-25 09:55 . 2008-03-25 11:11 <DIR> d-------- C:\Documents and Settings\96111201\Application Data\AVG7
2008-03-25 09:52 . 2008-03-25 09:54 35,960,792 --a------ C:\avg75free_519a1276.exe
2008-03-13 13:12 . 2008-03-13 13:12 <DIR> d-------- C:\Program Files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 13:00 --------- d-----w C:\Documents and Settings\96111201\Application Data\Skype
2008-04-01 12:11 --------- d-----w C:\Documents and Settings\96111201\Application Data\skypePM
2008-03-30 13:08 --------- d-----w C:\Program Files\Trend Micro
2008-03-28 15:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-25 13:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-15 16:27 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-31_ 8.38.52.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-27 12:35:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-01 12:10:05 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-27 12:35:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-01 12:10:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-27 12:35:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-01 12:10:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-31 12:10:01 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-01 12:47:49 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-31 12:10:01 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-01 12:47:49 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-12 03:48 21760296]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 05:30 282624 C:\WINDOWS\stsystra.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-27 23:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-27 23:56 602182]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 05:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 05:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 05:45 118784]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-05-09 02:36 356352]
"HP Software Update"="D:\HP\HP Software Update\HPWuSchd2.exe" [2006-02-18 14:41 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-25 09:55 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-25 09:55 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-11-06 03:08:00 1385400]
HP Digital Imaging Monitor.lnk - D:\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-18 16:21:22 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 PortTalk;PortTalk;C:\WINDOWS\system32\Drivers\PortTalk.sys [2007-11-15 11:39]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2002-10-01 01:12]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 09:09:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-01 9:11:13
ComboFix-quarantined-files.txt 2008-04-01 13:11:02
ComboFix2.txt 2008-03-31 22:11:58
ComboFix3.txt 2008-03-31 21:47:35
ComboFix4.txt 2008-03-31 12:39:08
Pre-Run: 14,470,680,576 bytes free
Post-Run: 14,460,932,096 bytes free
.
2008-03-20 02:20:35 --- E O F ---


Kaspersky Log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 01, 2008 10:52:43 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/04/2008
Kaspersky Anti-Virus database records: 675855
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 38301
Number of viruses found: 18
Number of infected objects: 108
Number of suspicious objects: 0
Duration of the scan process: 00:42:16

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\96111201\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.82801 Infected: Worm.Win32.AutoRun.ddb skipped
C:\Documents and Settings\Administrator.T96111201\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.T96111201\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator.T96111201\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator.T96111201\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.T96111201\Local Settings\History\History.IE5\MSHist012008040120080402\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.T96111201\Local Settings\temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Administrator.T96111201\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.T96111201\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator.T96111201\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8a774fe375e9d8bd89de40c1b1402780_a84585d5-2cc7-4d8b-a09f-66f20f9fcaa4 Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\OfficeScan Client\ConnLog\Conn_20080401.log Object is locked skipped
C:\QooBox\Quarantine\C\autorun.inf.vir Infected: Trojan-PSW.Win32.OnLineGames.ysc skipped
C:\QooBox\Quarantine\C\ekf6dbg0.com.vir Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\QooBox\Quarantine\C\f.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.ysc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kavo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.ysc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kavo1.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.yrz skipped
C:\QooBox\Quarantine\D\autorun.inf.vir Infected: Trojan-PSW.Win32.OnLineGames.ysc skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009871.com Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009872.inf Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009892.com Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009893.inf Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009896.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009897.dll Infected: Trojan-PSW.Win32.OnLineGames.wld skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009898.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009899.dll Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009909.dll Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009910.dll Infected: Trojan-PSW.Win32.OnLineGames.wld skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009911.com Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009912.inf Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009915.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009916.dll Infected: Trojan-PSW.Win32.OnLineGames.wld skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009924.dll Infected: Trojan-PSW.Win32.OnLineGames.wld skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009925.dll Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009926.com Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009927.inf Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009930.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009931.dll Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009940.dll Infected: Trojan-PSW.Win32.OnLineGames.wld skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009941.com Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009942.inf Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009945.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009946.dll Infected: Trojan-PSW.Win32.OnLineGames.wld skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009954.dll Infected: Trojan-PSW.Win32.OnLineGames.wld skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009955.dll Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009957.com Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009958.inf Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009961.dll Infected: Trojan-PSW.Win32.OnLineGames.wld skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP102\A0010153.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP102\A0010154.dll Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP102\A0010155.com Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP102\A0010156.inf Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP102\A0010159.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP102\A0010160.dll Infected: Trojan-PSW.Win32.OnLineGames.wld skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP102\A0010161.dll Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP103\A0010162.bat Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP103\A0010190.dll Infected: Trojan-PSW.Win32.OnLineGames.xjk skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP103\A0010191.dll Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP103\A0010192.bat Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP103\A0010198.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP103\A0010199.dll Infected: Trojan-PSW.Win32.OnLineGames.wld skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP103\A0010200.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP103\A0010201.dll Infected: Worm.Win32.AutoRun.dda skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP103\A0010209.dll Infected: Trojan-PSW.Win32.OnLineGames.xjk skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP103\A0010210.dll Infected: Worm.Win32.AutoRun.dda skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP104\A0011217.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP104\A0011232.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP106\A0011298.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011449.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011494.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011523.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011537.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP107\A0011558.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP108\A0011673.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP108\A0011674.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP108\A0011676.inf Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP108\A0011721.bat Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP108\A0011732.com Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP108\A0011768.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP108\A0011769.dll Infected: Trojan-PSW.Win32.OnLineGames.yrz skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP108\A0011770.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP108\A0011771.inf Infected: Trojan-PSW.Win32.OnLineGames.ysc skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP108\A0011773.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP109\A0011820.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP109\A0011821.com Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP110\change.log Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP92\A0008087.dll Infected: Packed.Win32.PolyCrypt.h skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP92\A0008107.dll Infected: Packed.Win32.PolyCrypt.h skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP95\A0008260.dll Infected: Packed.Win32.PolyCrypt.h skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP95\A0009259.dll Infected: Packed.Win32.PolyCrypt.h skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP95\A0009285.dll Infected: Packed.Win32.PolyCrypt.h skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP95\A0009290.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP95\A0009298.dll Infected: Trojan-PSW.Win32.OnLineGames.uqu skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP95\A0009305.dll Infected: Trojan-PSW.Win32.OnLineGames.uqu skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP95\A0009313.dll Infected: Trojan-PSW.Win32.OnLineGames.uqu skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP95\A0009328.dll Infected: Trojan-PSW.Win32.OnLineGames.uqu skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP95\A0009333.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP95\A0009346.dll Infected: Trojan-PSW.Win32.OnLineGames.uqu skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP95\A0009352.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP95\A0009353.dll Infected: Trojan-PSW.Win32.OnLineGames.urf skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP96\A0009403.dll Infected: Trojan-PSW.Win32.OnLineGames.uqu skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP96\A0009415.dll Infected: Trojan-PSW.Win32.OnLineGames.urf skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP96\A0009416.dll Infected: Trojan-PSW.Win32.OnLineGames.uqu skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP96\A0009421.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP96\A0009422.dll Infected: Trojan-PSW.Win32.OnLineGames.urf skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP96\A0009434.dll Infected: Trojan-PSW.Win32.OnLineGames.urf skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP96\A0009435.dll Infected: Trojan-PSW.Win32.OnLineGames.uqu skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP96\A0009442.dll Infected: Trojan-PSW.Win32.OnLineGames.uqu skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP97\A0009486.dll Infected: Trojan-PSW.Win32.OnLineGames.urf skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP97\A0009487.dll Infected: Trojan-PSW.Win32.OnLineGames.uqu skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP97\A0009493.dll Infected: Packed.Win32.PolyCrypt.h skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP97\A0009494.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP97\A0009495.dll Infected: Trojan-PSW.Win32.OnLineGames.urf skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP97\A0009511.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP97\A0009512.dll Infected: Trojan-PSW.Win32.OnLineGames.wfq skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP97\A0009514.dll Infected: Trojan-PSW.Win32.OnLineGames.wfo skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP97\A0009524.dll Infected: Trojan-PSW.Win32.OnLineGames.wfo skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP97\A0009547.dll Infected: Trojan-PSW.Win32.OnLineGames.wfq skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP97\A0009548.dll Infected: Trojan-PSW.Win32.OnLineGames.wfo skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP98\A0009585.dll Infected: Trojan-PSW.Win32.OnLineGames.wfq skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP98\A0009586.dll Infected: Trojan-PSW.Win32.OnLineGames.wfo skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP98\A0009592.dll Infected: Trojan-PSW.Win32.OnLineGames.wfo skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP98\A0009610.dll Infected: Trojan-PSW.Win32.OnLineGames.wfo skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP98\A0009611.dll Infected: Trojan-PSW.Win32.OnLineGames.wfq skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP98\A0009618.dll Infected: Trojan-PSW.Win32.OnLineGames.vkf skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP98\A0009619.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP98\A0009620.dll Infected: Trojan-PSW.Win32.OnLineGames.wfq skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009653.dll Infected: Trojan-PSW.Win32.OnLineGames.wfq skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009654.dll Infected: Trojan-PSW.Win32.OnLineGames.vkf skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009659.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009660.dll Infected: Trojan-PSW.Win32.OnLineGames.vki skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009662.dll Infected: Trojan-PSW.Win32.OnLineGames.vkf skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009674.dll Infected: Trojan-PSW.Win32.OnLineGames.vkf skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009675.dll Infected: Trojan-PSW.Win32.OnLineGames.vki skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009677.inf Infected: Trojan-PSW.Win32.OnLineGames.vos skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009693.dll Infected: Trojan-PSW.Win32.OnLineGames.vun skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009694.dll Infected: Trojan-PSW.Win32.OnLineGames.vos skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009697.inf Infected: Trojan-PSW.Win32.OnLineGames.vos skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009700.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009701.dll Infected: Trojan-PSW.Win32.OnLineGames.vun skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009717.dll Infected: Trojan-PSW.Win32.OnLineGames.vun skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009718.dll Infected: Trojan-PSW.Win32.OnLineGames.vos skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009720.inf Infected: Trojan-PSW.Win32.OnLineGames.vos skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009723.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009725.dll Infected: Trojan-PSW.Win32.OnLineGames.vos skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009752.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009756.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009757.dll Infected: Trojan-PSW.Win32.OnLineGames.vun skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009771.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009775.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009777.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009792.inf Infected: Trojan-PSW.Win32.OnLineGames.wla skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009795.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009806.inf Infected: Trojan-PSW.Win32.OnLineGames.wla skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009809.exe Object is locked skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009818.inf Infected: Trojan-PSW.Win32.OnLineGames.wla skipped
C:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009821.exe Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\dyr2j6mv.exe Object is locked skipped
D:\ekf6dbg0.com Object is locked skipped
D:\f.exe Object is locked skipped
D:\h1ahxi.bat Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009873.com Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009874.inf Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009894.com Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009895.inf Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009913.com Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009914.inf Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009928.com Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009929.inf Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009943.com Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009944.inf Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009959.com Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP100\A0009960.inf Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP102\A0010157.com Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP102\A0010158.inf Infected: Trojan-PSW.Win32.OnLineGames.wlc skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP103\A0010164.bat Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP103\A0010194.bat Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP108\A0011677.inf Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP108\A0011722.bat Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP108\A0011733.com Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP108\A0011772.inf Infected: Trojan-PSW.Win32.OnLineGames.ysc skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP109\A0011864.bat Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP110\change.log Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009679.inf Infected: Trojan-PSW.Win32.OnLineGames.vos skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009699.inf Infected: Trojan-PSW.Win32.OnLineGames.vos skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009722.inf Infected: Trojan-PSW.Win32.OnLineGames.vos skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009754.exe Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009773.exe Object is locked skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009794.inf Infected: Trojan-PSW.Win32.OnLineGames.wla skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009808.inf Infected: Trojan-PSW.Win32.OnLineGames.wla skipped
D:\System Volume Information\_restore{A3903B9C-587A-40B6-B91B-F7BC00691491}\RP99\A0009820.inf Infected: Trojan-PSW.Win32.OnLineGames.wla skipped

Scan process completed.



#11 DFW

DFW

    Authentic Member

  • Visiting Fellow
  • PipPip
  • 170 posts

Posted 01 April 2008 - 11:27 AM

All of the items found in the Kaspersky Online Scan log are in the tools' quarantine folders and System Restore.
Your HJT log and Combofix logs are now clean; we now need to clean out the tools' quarantine folders and System Restore.



Click Start then Run....


Type Combofix /u in the Run box and click OK. (Note: the space between the x and the /u needs to be there.)



When shown the disclaimer, select 2.




Please go to your C Drive and make sure the C:\QooBox Folder is gone, also delete any Combofix logs there



Double click the Malwarebytes Anti-Malware icon on your desktop, select the quarantine tab, and delete all.






Clean System restore for all drives.



Make sure all your external hard drive/flash drive are connected

Go To Start Menu > Programs > Accessories >System Tools and click on System Restore,

Click on System Restore Settings on the left-hand side; the System Properties box will pop up.

Now put a tick in "Turn off System Restore", click Apply, then click Yes to confirm.

Restart your system.

Go to Start Menu > Programs > Accessories > System Tools and click on System Restore. A box will
pop up asking you to turn on System Restore; click Yes.

Now untick "Turn off System Restore", click Apply, then click Yes to confirm.

Close all windows.


I would keep CCleaner and Malwarebytes Anti-Malware for future use.




Update Adobe Reader to 8.1.2

  • Please uninstall Adobe Reader 8 before installing the latest version by going to Start > Control Panel and double clicking on Add/Remove Programs. Locate Adobe Reader 8 and click on Change/Remove to uninstall it.
  • Click here to download the latest version of Adobe Acrobat Reader.
  • Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to run and it will be installed automatically for you.

    If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
  • Close your Internet browser and open it again.




Once you have done all the above, you're clean. :thumbup:


A few tools and information to help you stay clean.


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware



Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software



Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here on how to prevent malware.



Do you have any more questions?

Member of UNITE and ASAP

#12 Vadim (New Member, 11 posts)

Posted 01 April 2008 - 01:57 PM

DFW, thanks for all of your help. I've followed your latest instructions. However, I've run AVG again and it found 4 more Trojan horse malware:

D:\dyr2j6mv.exe
D:\ekf6dbg0.com
D:\f.exe
D:\h1ahxi.bat

It seems like they are all on my second partition. Could you help me a little more to get rid of those as well?
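Random-named executables, a .com and a .bat sitting in the root of a data partition are the footprint of an autorun-based worm, which is how the kavo/tavo family in this thread is commonly spread: the dropper writes a copy of itself plus an autorun.inf into the root of every writable drive it sees, so a cleaned C: gets reinfected from D: (or from a USB stick that was plugged in at the time) as soon as that drive is opened. The script below is an added example for this thread, not a tool from the original posts or from any of the utilities mentioned in it. It lists every drive root (hidden and system files included, which Explorer would not show), reports any executable parked there, and parses autorun.inf for the keys that actually launch code. It also decodes the NoDriveTypeAutoRun policy value so the numbers in an OTScanIt log (255 under HKLM, 145 under HKCU later in this thread) are readable: 255 disables AutoRun for every drive type, 145 is XP's default and still allows it on fixed and removable drives. The sample drive root it builds is constructed; the file names echo the ones reported on D: but the contents are inert text.

```python
"""Look for autorun.inf launchers and loose executables in drive roots.

Added example for this thread (not a tool from the original posts). The sample
drive root it builds is constructed: the file names echo the random-looking
names reported on D: but the contents are inert text.
"""
import os
import re
import string
import tempfile

# Extensions a dropper parked in a drive root typically uses.
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs"}

# autorun.inf keys that cause code to run when the drive is autoplayed or,
# for the shell\...\command keys, when its icon is double-clicked in Explorer.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}

# Bits of the NoDriveTypeAutoRun policy value (...\policies\Explorer).
# A set bit disables AutoRun for that drive type; XP's default is 0x91 (145).
NO_AUTORUN_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR", 0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED", 0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK", 0x80: "DRIVE_RESERVED",
}


def decode_no_drive_type_autorun(value):
    """Return the drive types for which this bitmask disables AutoRun."""
    return {name for bit, name in NO_AUTORUN_BITS.items() if value & bit}


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased.

    Hand-rolled instead of configparser: worm-written files mix case, use odd
    whitespace and are sometimes padded with junk lines that configparser rejects.
    """
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def looks_random(stem):
    """Heuristic for dropper names: very short, or lower-case letters mixed with digits."""
    return len(stem) <= 2 or re.fullmatch(r"[a-z]*\d[a-z0-9]*", stem) is not None


def scan_drive_root(root):
    """Return findings for one drive root as dicts with path, kind and detail."""
    findings = []
    try:
        names = os.listdir(root)  # unlike Explorer, this lists hidden/system files too
    except OSError as exc:
        return [{"path": root, "kind": "error", "detail": str(exc)}]
    for name in sorted(names):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        stem, ext = os.path.splitext(name.lower())
        if name.lower() == "autorun.inf":
            with open(path, encoding="latin-1", errors="ignore") as fh:
                entries = parse_autorun(fh.read())
            for key in sorted(k for k in entries if k in LAUNCH_KEYS):
                findings.append({"path": path, "kind": "autorun_launch",
                                 "detail": f"{key}={entries[key]}"})
        elif ext in EXEC_EXTS:
            tag = "random-looking name" if looks_random(stem) else "executable in drive root"
            findings.append({"path": path, "kind": "root_executable", "detail": tag})
    return findings


def drive_roots():
    """Every mounted drive letter on Windows; empty elsewhere (pass paths yourself)."""
    if os.name != "nt":
        return []
    return [f"{c}:\\" for c in string.ascii_uppercase if os.path.exists(f"{c}:\\")]


def build_sample_root():
    """Constructed stand-in for an infected D:\\ root (inert files, no real malware)."""
    root = tempfile.mkdtemp(prefix="fake_drive_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\r\nopen=dyr2j6mv.exe\r\nshell\\open\\Command=dyr2j6mv.exe\r\n"
                 "shellexecute=dyr2j6mv.exe\r\nicon=%SystemRoot%\\system32\\shell32.dll,4\r\n")
    for name in ("dyr2j6mv.exe", "f.exe", "h1ahxi.bat", "notes.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("inert sample file\n")
    os.mkdir(os.path.join(root, "Photos"))
    return root


if __name__ == "__main__":
    for hive, value in (("HKLM", 255), ("HKCU", 145)):
        print(hive, hex(value), "disables AutoRun for:", sorted(decode_no_drive_type_autorun(value)))
    for root in drive_roots() or [build_sample_root()]:
        for f in scan_drive_root(root):
            print(f"{f['kind']:16} {f['path']}  {f['detail']}")
```

Run it on every drive, including any USB stick or card reader that was attached while the machine was infected, and delete the autorun.inf together with the file it points at rather than the executable alone. Disabling AutoRun by policy is not enough on XP of this era: a shell\open\command entry in autorun.inf still changes what a double-click on the drive icon runs, so the file itself has to go.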

#13 DFW (Authentic Member, Visiting Fellow, 170 posts)

Posted 01 April 2008 - 02:54 PM

  • Please download OTScanIt.exe from Bleeping Computer by OldTimer and save it to your desktop.
  • Double click on OTScanIt.exe to run it.
  • Click on Extract. Once done, you will be prompted. Click OK and click Close.
  • Double click on the OTScanIt folder. Double click on OTScanIt.exe to run it.
  • Under Drivers section, select Non-Microsoft.
  • Click on the Run Scan button at the top left hand corner.
  • OTScanIt will start running. Once done, Notepad will open. Please post the contents of this Notepad file in your next reply.

    Click the Format menu and make sure that Word Wrap is not checked. If it is, click on it to uncheck it.
Member of UNITE and ASAP

#14 Vadim (New Member, 11 posts)

Posted 01 April 2008 - 03:06 PM

DFW,

Please find OTScan log below:

OTScanIt logfile created on: 2008-04-01 16:59:25
OTScanIt by OldTimer - Version 1.0.8.0	 Folder = C:\Documents and Settings\96111201\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd
 
1014.37 Mb Total Physical Memory | 338.00 Mb Available Physical Memory | 33.32% Memory free
2.38 Gb Paging File | 1.84 Gb Available in Paging File | 77.18% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 20.00 Gb Total Space | 14.27 Gb Free Space | 71.35% Space Free | Partition Type: NTFS
Drive D: | 91.78 Gb Total Space | 89.03 Gb Free Space | 97.00% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: T96111201
Current User Name: 96111201
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
evteng.exe -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> Intel Corporation [Ver = 10, 1, 0, 1 | Size = 114753 bytes | Modified Date = 2005-12-27 23:45:02 | Attr =	]
s24evmon.exe -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> Intel Corporation  [Ver = 10, 1, 0, 33 | Size = 540745 bytes | Modified Date = 2005-12-27 23:47:10 | Attr =	]
wlkeeper.exe -> %ProgramFiles%\Intel\Wireless\Bin\WLKEEPER.exe -> Intel(R) Corporation [Ver = 10, 1, 0, 27 | Size = 262217 bytes | Modified Date = 2005-12-28 00:04:56 | Attr =	]
avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.496 | Size = 418816 bytes | Modified Date = 2008-03-25 09:55:14 | Attr =	]
avgupsvc.exe -> %ProgramFiles%\Grisoft\AVG7\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 2008-03-25 09:55:17 | Attr =	]
cvpnd.exe -> %ProgramFiles%\Cisco Systems\VPN Client\cvpnd.exe -> Cisco Systems, Inc. [Ver = 4.7.00.0533 | Size = 1504256 bytes | Modified Date = 2005-08-12 05:37:50 | Attr =	]
ntrtscan.exe -> %ProgramFiles%\Trend Micro\OfficeScan Client\NTRtScan.exe -> Trend Micro Inc. [Ver = 7.3.0.1074 | Size = 491520 bytes | Modified Date = 2006-05-09 02:21:06 | Attr =	]
regsrvc.exe -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> Intel Corporation [Ver = 10, 1, 0, 1 | Size = 217164 bytes | Modified Date = 2005-12-27 23:44:24 | Attr =	]
tmlisten.exe -> %ProgramFiles%\Trend Micro\OfficeScan Client\TmListen.exe -> Trend Micro Inc. [Ver = 7.3.0.1074 | Size = 618584 bytes | Modified Date = 2006-05-09 02:20:48 | Attr =	]
ofcpfwsvc.exe -> %ProgramFiles%\Trend Micro\OfficeScan Client\OfcPfwSvc.exe -> Trend Micro Inc. [Ver = 7.3.0.1074 | Size = 233552 bytes | Modified Date = 2006-05-09 02:32:04 | Attr =	]
aa9ffa.exe -> %SystemRoot%\TEMP\AA9FFA.EXE ->  [Ver =  | Size = 172099 bytes | Modified Date = 2006-05-09 02:31:46 | Attr =	]
stsystra.exe -> %SystemRoot%\stsystra.exe -> SigmaTel, Inc. [Ver = 1.0.4995.1  nd446 cp1 | Size = 282624 bytes | Modified Date = 2006-03-24 05:30:44 | Attr =	]
zcfgsvc.exe -> %ProgramFiles%\Intel\Wireless\Bin\ZCfgSvc.exe -> Intel Corporation [Ver = 10, 1, 0, 42 | Size = 667718 bytes | Modified Date = 2005-12-27 23:55:40 | Attr =	]
ifrmewrk.exe -> %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe -> Intel Corporation [Ver = 10, 1, 0, 17 | Size = 602182 bytes | Modified Date = 2005-12-27 23:56:16 | Attr =	]
hkcmd.exe -> %SystemRoot%\system32\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4446 | Size = 77824 bytes | Modified Date = 2005-12-13 05:41:08 | Attr =	]
igfxpers.exe -> %SystemRoot%\system32\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4446 | Size = 118784 bytes | Modified Date = 2005-12-13 05:45:00 | Attr =	]
pccntmon.exe -> %ProgramFiles%\Trend Micro\OfficeScan Client\PccNTMon.exe -> Trend Micro Inc. [Ver = 7.3.0.1074 | Size = 356352 bytes | Modified Date = 2006-05-09 02:36:20 | Attr =	]
hpwuschd2.exe -> D:\HP\HP Software Update\hpwuSchd2.exe -> Hewlett-Packard Development Company, L.P. [Ver = 70.0.170.000 | Size = 49152 bytes | Modified Date = 2006-02-18 14:41:10 | Attr =	]
avgcc.exe -> %ProgramFiles%\Grisoft\AVG7\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.504 | Size = 579072 bytes | Modified Date = 2008-03-25 09:55:14 | Attr =	]
igfxsrvc.exe -> %SystemRoot%\system32\igfxsrvc.exe -> Intel Corporation [Ver = 3.0.0.4446 | Size = 159744 bytes | Modified Date = 2005-12-13 05:41:00 | Attr =	]
skype.exe -> %ProgramFiles%\Skype\Phone\Skype.exe -> Skype Technologies S.A. [Ver = 3.6.0.216 | Size = 21760296 bytes | Modified Date = 2007-11-12 03:48:02 | Attr = R  ]
hpqtra08.exe -> D:\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Development Company, L.P. [Ver = 70.0.170.000 | Size = 288472 bytes | Modified Date = 2006-02-18 16:21:22 | Attr =	]
dot1xcfg.exe -> %ProgramFiles%\Intel\Wireless\Bin\Dot1XCfg.exe -> Intel Corporation [Ver = 10, 1, 0, 79 | Size = 397381 bytes | Modified Date = 2005-12-27 23:52:32 | Attr =	]
hpqste08.exe -> D:\HP\Digital Imaging\bin\hpqste08.exe -> Hewlett-Packard Development Company, L.P. [Ver = 70.0.170.000 | Size = 239320 bytes | Modified Date = 2006-02-18 17:24:52 | Attr =	]
skypepm.exe -> %ProgramFiles%\Skype\Plugin Manager\skypePM.exe -> Skype Technologies [Ver = 1.5.0.32 | Size = 2051016 bytes | Modified Date = 2007-11-12 03:48:02 | Attr = R  ]
vpngui.exe -> %ProgramFiles%\Cisco Systems\VPN Client\vpngui.exe -> Cisco Systems, Inc. [Ver = 4.7.00.0533 | Size = 1385400 bytes | Modified Date = 2005-08-12 05:37:56 | Attr =	]
winpatrol.exe -> %ProgramFiles%\BillP Studios\WinPatrol\WinPatrol.exe -> BillP Studios [Ver = 14, 0, 2007, 1 | Size = 316728 bytes | Modified Date = 2008-01-27 01:38:16 | Attr =	]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.8.0 | Size = 370176 bytes | Modified Date = 2008-03-29 17:10:10 | Attr =	]

[Win32 Services - Non-Microsoft Only]
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.496 | Size = 418816 bytes | Modified Date = 2008-03-25 09:55:14 | Attr =	]
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 2008-03-25 09:55:17 | Attr =	]
(CVPND) Cisco Systems, Inc. VPN Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Cisco Systems\VPN Client\cvpnd.exe -> Cisco Systems, Inc. [Ver = 4.7.00.0533 | Size = 1504256 bytes | Modified Date = 2005-08-12 05:37:50 | Attr =	]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 2004-08-04 08:00:00 | Attr =	]
(EvtEng) Intel(R) PROSet/Wireless Event Log [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> Intel Corporation [Ver = 10, 1, 0, 1 | Size = 114753 bytes | Modified Date = 2005-12-27 23:45:02 | Attr =	]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 2007-11-22 12:25:51 | Attr =	]
(ntrtscan) OfficeScanNT RealTime Scan [Win32_Own | Auto | Running] -> %ProgramFiles%\Trend Micro\OfficeScan Client\NTRtScan.exe -> Trend Micro Inc. [Ver = 7.3.0.1074 | Size = 491520 bytes | Modified Date = 2006-05-09 02:21:06 | Attr =	]
(OfcPfwSvc) OfficeScanNT Personal Firewall [Win32_Own | Auto | Running] -> %ProgramFiles%\Trend Micro\OfficeScan Client\OfcPfwSvc.exe -> Trend Micro Inc. [Ver = 7.3.0.1074 | Size = 233552 bytes | Modified Date = 2006-05-09 02:32:04 | Attr =	]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Unknown | Stopped] ->  -> File not found
(RegSrvc) Intel(R) PROSet/Wireless Registry Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> Intel Corporation [Ver = 10, 1, 0, 1 | Size = 217164 bytes | Modified Date = 2005-12-27 23:44:24 | Attr =	]
(S24EventMonitor) Intel(R) PROSet/Wireless Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> Intel Corporation  [Ver = 10, 1, 0, 33 | Size = 540745 bytes | Modified Date = 2005-12-27 23:47:10 | Attr =	]
(tmlisten) OfficeScanNT Listener [Win32_Own | Auto | Running] -> %ProgramFiles%\Trend Micro\OfficeScan Client\TmListen.exe -> Trend Micro Inc. [Ver = 7.3.0.1074 | Size = 618584 bytes | Modified Date = 2006-05-09 02:20:48 | Attr =	]
(WLANKEEPER) Intel(R) PROSet/Wireless SSO Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\WLKEEPER.exe -> Intel(R) Corporation [Ver = 10, 1, 0, 27 | Size = 262217 bytes | Modified Date = 2005-12-28 00:04:56 | Attr =	]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 39792 bytes | Modified Date = 2008-01-11 22:16:38 | Attr =	]
AVG7_CC -> %ProgramFiles%\Grisoft\AVG7\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.504 | Size = 579072 bytes | Modified Date = 2008-03-25 09:55:14 | Attr =	]
HP Software Update -> D:\HP\HP Software Update\hpwuSchd2.exe -> Hewlett-Packard Development Company, L.P. [Ver = 70.0.170.000 | Size = 49152 bytes | Modified Date = 2006-02-18 14:41:10 | Attr =	]
igfxhkcmd -> %SystemRoot%\system32\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4446 | Size = 77824 bytes | Modified Date = 2005-12-13 05:41:08 | Attr =	]
igfxpers -> %SystemRoot%\system32\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4446 | Size = 118784 bytes | Modified Date = 2005-12-13 05:45:00 | Attr =	]
igfxtray -> %SystemRoot%\system32\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.4446 | Size = 98304 bytes | Modified Date = 2005-12-13 05:44:18 | Attr =	]
IntelWireless -> %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe -> Intel Corporation [Ver = 10, 1, 0, 17 | Size = 602182 bytes | Modified Date = 2005-12-27 23:56:16 | Attr =	]
IntelZeroConfig -> %ProgramFiles%\Intel\Wireless\Bin\ZCfgSvc.exe -> Intel Corporation [Ver = 10, 1, 0, 42 | Size = 667718 bytes | Modified Date = 2005-12-27 23:55:40 | Attr =	]
OfficeScanNT Monitor -> %ProgramFiles%\Trend Micro\OfficeScan Client\PccNTMon.exe -> Trend Micro Inc. [Ver = 7.3.0.1074 | Size = 356352 bytes | Modified Date = 2006-05-09 02:36:20 | Attr =	]
SigmatelSysTrayApp -> %SystemRoot%\stsystra.exe -> SigmaTel, Inc. [Ver = 1.0.4995.1  nd446 cp1 | Size = 282624 bytes | Modified Date = 2006-03-24 05:30:44 | Attr =	]
WinPatrol -> %ProgramFiles%\BillP Studios\WinPatrol\WinPatrol.exe -> BillP Studios [Ver = 14, 0, 2007, 1 | Size = 316728 bytes | Modified Date = 2008-01-27 01:38:16 | Attr =	]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
Skype -> %ProgramFiles%\Skype\Phone\Skype.exe -> Skype Technologies S.A. [Ver = 3.6.0.216 | Size = 21760296 bytes | Modified Date = 2007-11-12 03:48:02 | Attr = R  ]
< 96111201 Startup Folder > -> C:\Documents and Settings\96111201\Start Menu\Programs\Startup -> 
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
%AllUsersProfile%\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk -> %ProgramFiles%\Cisco Systems\VPN Client\vpngui.exe -> Cisco Systems, Inc. [Ver = 4.7.00.0533 | Size = 1385400 bytes | Modified Date = 2005-08-12 05:37:56 | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk -> D:\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Development Company, L.P. [Ver = 70.0.170.000 | Size = 288472 bytes | Modified Date = 2006-02-18 16:21:22 | Attr =	]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
igfxcui -> %SystemRoot%\system32\igfxdev.dll -> Intel Corporation [Ver = 3.0.0.4446 | Size = 139264 bytes | Modified Date = 2005-12-13 05:40:12 | Attr =	]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableRegistryTools -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLegacyLogonScripts -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLogoffScripts -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunLogonScriptSync -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunStartupScriptSync -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideStartupScripts -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLegacyLogonScripts -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLogoffScripts -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunLogonScriptSync -> 1 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunStartupScriptSync -> 1 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideStartupScripts -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\disableregistrytools -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> -> 
< HOSTS File > (229611 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.google.com/ -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4267 domain(s) found. -> 
33 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4031 domain(s) found. -> 
32 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 2006-10-22 23:08:42 | Attr =	]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [Skype add-on (mastermind)] -> Skype Technologies S.A. [Ver = 2, 2, 0, 145 | Size = 1377576 bytes | Modified Date = 2007-11-12 03:48:02 | Attr =	]
{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> D:\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 2007-08-31 04:46:14 | Attr =	]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 2007-11-22 12:25:51 | Attr = R  ]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 2007-11-22 12:25:51 | Attr = R  ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 2007-11-22 12:25:51 | Attr = R  ]
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 2007-11-22 12:25:51 | Attr = R  ]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{77BF5300-1474-4EC7-9980-D32B190E9B07}:{77BF5300-1474-4EC7-9980-D32B190E9B07} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [Skype] -> Skype Technologies S.A. [Ver = 2, 2, 0, 145 | Size = 1377576 bytes | Modified Date = 2007-11-12 03:48:02 | Attr =	]
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> D:\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 2007-08-31 04:46:14 | Attr =	]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\{77BF5300-1474-4EC7-9980-D32B190E9B07} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [Skype add-on (button)] -> Skype Technologies S.A. [Ver = 2, 2, 0, 145 | Size = 1377576 bytes | Modified Date = 2007-11-12 03:48:02 | Attr =	]
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKEY_LOCAL_MACHINE] -> D:\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 2007-08-31 04:46:14 | Attr =	]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform -> 
SV1 ->  -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{5A9695EF-794F-4D3E-9C88-E6CE4AFCEB96} ->	(1394 Net Adapter) -> 
{AA484AEA-45A3-4365-9730-D45EFCD27C4B} ->	(Broadcom 440x 10/100 Integrated Controller) -> 
{BCB0A971-B8E3-429C-AA25-7CB0A9A4CD78} -> 192.168.62.1   () -> 
{BDFE3B9F-9EF4-4198-A93E-A5A82B7B6F67} ->	(Intel(R) PRO/Wireless 3945ABG Network Connection) -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Skype\Skype4COM.dll[IEProtocolHandler Class] -> Skype Technologies [Ver = 1, 0, 28, 2 | Size = 1934672 bytes | Modified Date = 2007-11-12 03:48:02 | Attr = R  ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}[HKEY_LOCAL_MACHINE] -> http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab[CKAVWebScan Object] -> 
{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}[HKEY_LOCAL_MACHINE] -> http://www.adobe.com/products/acrobat/nos/gp.cab[get_atlcom Class] -> 
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gp.ocx\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gp.ocx\\.Owner -> {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gp.ocx\\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/atl.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/atl.dll\\.Owner -> Unknown Owner -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/atl.dll\\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} ->  -> 



[Files/Folders - Created Within 30 days]
$VAULT$.AVG -> %SystemDrive%\$VAULT$.AVG ->  [Folder | Created Date = 2008-03-25 10:09:44 | Attr = RH ]
avg75free_519a1276.exe -> %SystemDrive%\avg75free_519a1276.exe ->  [Ver =  | Size = 35960792 bytes | Created Date = 2008-03-25 09:52:06 | Attr =	]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\avg75free_519a1276.exe:Zone.Identifier
Boot.bak -> %SystemDrive%\Boot.bak ->  [Ver =  | Size = 211 bytes | Created Date = 2008-03-31 08:27:19 | Attr =	]
cmdcons -> %SystemDrive%\cmdcons ->  [Folder | Created Date = 2008-03-31 08:27:10 | Attr =	]
cmldr -> %SystemDrive%\cmldr ->  [Ver =  | Size = 260272 bytes | Created Date = 2008-03-31 08:27:15 | Attr =	]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Created Date = 2008-04-01 14:07:09 | Attr =	]
avg7core.sys -> %SystemRoot%\System32\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.498 | Size = 821856 bytes | Created Date = 2008-03-25 09:55:19 | Attr =	]
avg7rsw.sys -> %SystemRoot%\System32\drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Created Date = 2008-03-25 09:55:22 | Attr =	]
avg7rsxp.sys -> %SystemRoot%\System32\drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 27776 bytes | Created Date = 2008-03-25 09:55:23 | Attr =	]
avgclean.sys -> %SystemRoot%\System32\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10760 bytes | Created Date = 2008-03-25 09:55:23 | Attr =	]
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.510 | Size = 26952 bytes | Created Date = 2008-03-25 09:55:23 | Attr =	]
appmgmt -> %SystemRoot%\System32\appmgmt ->  [Folder | Created Date = 2008-04-01 14:35:58 | Attr =	]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
Kaspersky Lab -> %SystemRoot%\System32\Kaspersky Lab ->  [Folder | Created Date = 2008-04-01 09:39:05 | Attr =	]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 2008-03-31 08:26:28 | Attr =	]
3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
LastGood -> %SystemRoot%\LastGood ->  [Folder | Created Date = 2008-04-01 14:53:51 | Attr =	]
Minidump -> %SystemRoot%\Minidump ->  [Folder | Created Date = 2008-03-28 11:20:28 | Attr =	]
pss -> %SystemRoot%\pss ->  [Folder | Created Date = 2008-03-25 09:47:33 | Attr =	]
SxsCaPendDel -> %SystemRoot%\SxsCaPendDel ->  [Folder | Created Date = 2008-04-01 14:51:48 | Attr =	]
TEMP -> %SystemRoot%\TEMP ->  [Folder | Created Date = 2008-04-01 09:11:20 | Attr =	]

[Files/Folders - Modified Within 30 days]
$VAULT$.AVG -> %SystemDrive%\$VAULT$.AVG ->  [Folder | Modified Date = 2008-04-01 14:05:32 | Attr = RH ]
avg75free_519a1276.exe -> %SystemDrive%\avg75free_519a1276.exe ->  [Ver =  | Size = 35960792 bytes | Modified Date = 2008-03-25 09:54:11 | Attr =	]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\avg75free_519a1276.exe:Zone.Identifier
boot.ini -> %SystemDrive%\boot.ini ->  [Ver =  | Size = 281 bytes | Modified Date = 2008-03-31 08:27:19 | Attr = RHS]
cmdcons -> %SystemDrive%\cmdcons ->  [Folder | Modified Date = 2008-03-31 08:27:18 | Attr =	]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Modified Date = 2008-04-01 14:07:32 | Attr =	]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 2008-04-01 15:05:02 | Attr =  H ]
Documents and Settings -> %SystemDrive%\Documents and Settings ->  [Folder | Modified Date = 2008-03-28 14:27:10 | Attr =	]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 2008-04-01 16:21:42 | Attr = R  ]
RECYCLER -> %SystemDrive%\RECYCLER ->  [Folder | Modified Date = 2008-04-01 09:38:02 | Attr =  HS]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 2008-04-01 14:23:15 | Attr =  HS]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 2008-04-01 14:53:51 | Attr =	]
avg7core.sys -> %SystemRoot%\System32\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.498 | Size = 821856 bytes | Modified Date = 2008-03-25 09:55:19 | Attr =	]
avg7rsw.sys -> %SystemRoot%\System32\drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Modified Date = 2008-03-25 09:55:22 | Attr =	]
avg7rsxp.sys -> %SystemRoot%\System32\drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 27776 bytes | Modified Date = 2008-03-25 09:55:23 | Attr =	]
avgclean.sys -> %SystemRoot%\System32\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10760 bytes | Modified Date = 2008-03-25 09:55:23 | Attr =	]
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.510 | Size = 26952 bytes | Modified Date = 2008-03-25 09:55:23 | Attr =	]
etc -> %SystemRoot%\System32\drivers\etc ->  [Folder | Modified Date = 2008-03-28 14:29:04 | Attr =	]
hosts -> %SystemRoot%\System32\drivers\etc\hosts ->  [Ver =  | Size = 229611 bytes | Modified Date = 2008-03-28 14:29:04 | Attr = R  ]
hosts.20080328-142904.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080328-142904.backup ->  [Ver =  | Size = 213867 bytes | Modified Date = 2008-03-25 09:47:58 | Attr = R  ]
appmgmt -> %SystemRoot%\System32\appmgmt ->  [Folder | Modified Date = 2008-04-01 14:35:58 | Attr =	]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
CatRoot2 -> %SystemRoot%\System32\CatRoot2 ->  [Folder | Modified Date = 2008-04-01 14:53:50 | Attr =	]
drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 2008-04-01 09:09:01 | Attr =	]
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT ->  [Ver =  | Size = 197752 bytes | Modified Date = 2008-03-14 08:11:45 | Attr =	]
Kaspersky Lab -> %SystemRoot%\System32\Kaspersky Lab ->  [Folder | Modified Date = 2008-04-01 09:39:05 | Attr =	]
perfc009.dat -> %SystemRoot%\System32\perfc009.dat ->  [Ver =  | Size = 41238 bytes | Modified Date = 2008-04-01 14:57:55 | Attr =	]
perfh009.dat -> %SystemRoot%\System32\perfh009.dat ->  [Ver =  | Size = 315076 bytes | Modified Date = 2008-04-01 14:57:55 | Attr =	]
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI ->  [Ver =  | Size = 360124 bytes | Modified Date = 2008-04-01 14:57:54 | Attr =	]
Restore -> %SystemRoot%\System32\Restore ->  [Folder | Modified Date = 2008-04-01 14:23:15 | Attr =	]
wbem -> %SystemRoot%\System32\wbem ->  [Folder | Modified Date = 2008-03-20 07:01:03 | Attr =	]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 2008-03-23 15:44:38 | Attr =	]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 2008-04-01 14:53:00 | Attr =   S]
CSC -> %SystemRoot%\CSC ->  [Folder | Modified Date = 2008-03-28 11:20:29 | Attr =  HS]
3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
Debug -> %SystemRoot%\Debug ->  [Folder | Modified Date = 2008-04-01 09:20:37 | Attr =	]
dmw.ini -> %SystemRoot%\dmw.ini ->  [Ver =  | Size = 608 bytes | Modified Date = 2008-04-01 15:42:08 | Attr =	]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 2008-04-01 15:00:03 | Attr =   S]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 2008-04-01 14:07:20 | Attr =	]
Fonts -> %SystemRoot%\Fonts ->  [Folder | Modified Date = 2008-03-13 13:12:45 | Attr = R S]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 2008-04-01 15:00:03 | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 2008-04-01 15:05:10 | Attr =  HS]
LastGood -> %SystemRoot%\LastGood ->  [Folder | Modified Date = 2008-04-01 15:00:03 | Attr =	]
Minidump -> %SystemRoot%\Minidump ->  [Folder | Modified Date = 2008-04-01 09:20:37 | Attr =	]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 2008-04-01 14:33:46 | Attr =	]
pss -> %SystemRoot%\pss ->  [Folder | Modified Date = 2008-03-25 09:47:33 | Attr =	]
security -> %SystemRoot%\security ->  [Folder | Modified Date = 2008-04-01 14:52:28 | Attr =	]
SxsCaPendDel -> %SystemRoot%\SxsCaPendDel ->  [Folder | Modified Date = 2008-04-01 14:52:57 | Attr =	]
system -> %SystemRoot%\system ->  [Folder | Modified Date = 2008-03-25 09:54:55 | Attr =	]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 227 bytes | Modified Date = 2008-04-01 09:09:30 | Attr =	]
system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 2008-04-01 16:10:26 | Attr =	]
TEMP -> %SystemRoot%\TEMP ->  [Folder | Modified Date = 2008-04-01 15:41:35 | Attr =	]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 608 bytes | Modified Date = 2008-03-19 22:20:22 | Attr =	]
WinSxS -> %SystemRoot%\WinSxS ->  [Folder | Modified Date = 2008-03-13 13:12:47 | Attr =	]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 2008-04-01 14:53:02 | Attr =  H ]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat ->  [Ver =  | Size = 8206 bytes | Modified Date = 2007-11-06 03:12:12 | Attr =	]
rbSolnUpdateENU.2.6.5.exe -> C:\Documents and Settings\96111201\Local Settings\Temp\rbSolnUpdateENU.2.6.5.exe -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 201728 bytes | Modified Date = 2008-04-01 11:59:42 | Attr =	]
18 C:\Documents and Settings\96111201\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\96111201\Local Settings\Temp\*.tmp -> 
Setup.exe -> C:\Documents and Settings\96111201\Local Settings\Temp\Adobe Reader 8\Setup.exe -> Adobe Systems Incorporated [Ver = 3.0.3.2 | Size = 304520 bytes | Modified Date = 2008-01-11 23:45:08 | Attr =	]
Setup.exe -> C:\Documents and Settings\96111201\Local Settings\Temp\Adobe Reader 8_\Setup.exe -> Adobe Systems Incorporated [Ver = 3.0.3.2 | Size = 304520 bytes | Modified Date = 2008-01-11 23:45:08 | Attr =	]
sgc15.exe -> C:\Documents and Settings\96111201\Local Settings\Temp\Adobe_Downloads\sgc15.exe ->  [Ver = 1, 5, 0, 0 | Size = 75376 bytes | Modified Date = 2008-04-01 15:00:10 | Attr =	]
ExchangePerflog_8484fa3130aadce5cfcccd43.dat -> C:\Documents and Settings\96111201\Local Settings\Temp\ExchangePerflog_8484fa3130aadce5cfcccd43.dat ->  [Ver =  | Size = 2216 bytes | Modified Date = 2008-04-01 16:58:25 | Attr =	]
18 C:\Documents and Settings\96111201\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\96111201\Local Settings\Temp\*.tmp -> 
{AC76BA86-7AD7-1033-7B44-A81200000003}.ini -> C:\Documents and Settings\96111201\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-A81200000003}.ini ->  [Ver =  | Size = 586 bytes | Modified Date = 2008-04-01 15:03:02 | Attr =	]
18 C:\Documents and Settings\96111201\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\96111201\Local Settings\Temp\*.tmp -> 
abcpy.ini -> C:\Documents and Settings\96111201\Local Settings\Temp\Adobe Reader 8\abcpy.ini ->  [Ver =  | Size = 1728 bytes | Modified Date = 2006-11-15 11:38:14 | Attr =	]
setup.ini -> C:\Documents and Settings\96111201\Local Settings\Temp\Adobe Reader 8\setup.ini ->  [Ver =  | Size = 292 bytes | Modified Date = 2006-08-25 13:00:33 | Attr =	]
abcpy.ini -> C:\Documents and Settings\96111201\Local Settings\Temp\Adobe Reader 8_\abcpy.ini ->  [Ver =  | Size = 1728 bytes | Modified Date = 2006-11-15 11:38:14 | Attr =	]
setup.ini -> C:\Documents and Settings\96111201\Local Settings\Temp\Adobe Reader 8_\setup.ini ->  [Ver =  | Size = 292 bytes | Modified Date = 2006-08-25 13:00:33 | Attr =	]
AA9FFA.EXE -> C:\WINDOWS\TEMP\AA9FFA.EXE ->  [Ver =  | Size = 172099 bytes | Modified Date = 2006-05-09 02:31:46 | Attr =	]

< End of report >


#15 Vadim

New Member, 11 posts

Posted 02 April 2008 - 02:46 PM

DFW, I just ran AVG again and it found no infected objects. So, I will consider this case closed. Your help was outstanding and professionally done. Thank you very much for the time you spent on my problems. This site is just great.
