ComboFix 08-05-27.4 - Owner 2008-05-30 18:21:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.317 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Documents and Settings\Owner\Application Data\wklnhst.dat
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\qcntnkdm.exe
C:\WINDOWS\system32\qcntnkdn.exe
C:\WINDOWS\system32\winpfz33.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\Application Data\wklnhst.dat
C:\WINDOWS\SxsCaPendDel
C:\WINDOWS\system32\1064a
C:\WINDOWS\system32\1064a\tgvram102.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\hI2
C:\WINDOWS\system32\hI2\aSCdt4x.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\qcntnkdm.exe
C:\WINDOWS\system32\qcntnkdn.exe
C:\WINDOWS\system32\winpfz33.sys
.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.
2008-05-28 22:16 . 2008-05-28 22:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 11:05 . 2008-05-28 11:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-23 17:03 . 2008-05-23 17:03 401,972 --a------ C:\WINDOWS\system32\g98.exe
2008-05-23 16:33 . 2008-05-23 16:33 <DIR> d-------- C:\WINDOWS\system32\at1
2008-04-20 18:11 . 2008-05-25 21:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-20 18:11 . 2008-04-20 18:11 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 19:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-23 21:49 --------- d-----w C:\Program Files\Real
2008-05-17 17:41 --------- d-----w C:\Program Files\Google
2008-04-29 18:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\XnView
2008-03-30 19:30 --------- d-----w C:\Program Files\XnView
2007-08-01 01:23 92,064 ----a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2007-08-01 01:23 9,232 ----a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2007-08-01 01:23 79,328 ----a-w C:\Documents and Settings\Owner\mqdmserd.sys
2007-08-01 01:23 66,656 ----a-w C:\Documents and Settings\Owner\mqdmbus.sys
2007-08-01 01:23 6,208 ----a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2007-08-01 01:23 5,936 ----a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2007-08-01 01:23 4,048 ----a-w C:\Documents and Settings\Owner\mqdmcr.sys
2007-08-01 01:23 25,600 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-08-01 01:23 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2006-10-24 13:51 76,736 ----a-w C:\Program Files\MySpaceIM_Setup.exe
2006-08-17 01:42 4,526,408 ----a-w C:\Program Files\BSINSTALL.exe
2006-06-09 20:12 3,725,420 ----a-w C:\Program Files\Pat[1].Orlando.01-027.zip
2006-04-26 21:23 905,728 ----a-w C:\Program Files\iview398.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-30_ 7.39.39.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 12:33:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 23:24:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 22:45:13 4,724 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{59E71F09-8508-4166-B194-8FD8E88C2C30}.bin
- 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 21:38 68856]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 02:33 8720384]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 20:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 20:47 688218]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 22:24 32768]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-05-13 02:29 126976]
"_AntiSpyware"="c:\progra~1\mcafee\MCAFEE~1\MssCli.exe" [ ]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [ ]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [ ]
"HostManager"="C:\Program Files\Common Files\AOL\1130631592\EE\AOLHostManager.exe" [ ]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [ ]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [ ]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [ ]
"IS CfgWiz"="C:\Program Files\Norton Internet Security\cfgwiz.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59 124520]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"ProfileWatcher"="C:\Program Files\ProfileWatcher\profilewatcher.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 02:33 8720384]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-01-05 16:52:55 344064]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2005-10-29 19:17:39 729088]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\1133305375\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1133305375\\ee\\aim6.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
S1 HSFHWICHH;HSFHWICHH;C:\WINDOWS\system32\drivers\HSFHWICHH.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 23:27:57 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-05-30 18:25:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-30 18:31:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-30 23:30:57
ComboFix2.txt 2008-05-30 12:40:34
Pre-Run: 24,752,914,432 bytes free
Post-Run: 24,740,593,664 bytes free
146 --- E O F --- 2008-05-30 12:47:05
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-05-30 21:17
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/05/2008
Kaspersky Anti-Virus database records: 816364
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 53310
Number of viruses found: 28
Number of infected objects: 82
Number of suspicious objects: 0
Duration of the scan process: 00:45:28
Infected Object Name / Virus Name / Last Action
C:\2C.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\2C.tmp NSIS: infected - 1 skipped
C:\2D.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\2D.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\2D.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\2D.tmp NSIS: infected - 3 skipped
C:\31.tmp Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12302006-202400.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\MySpace\IM\Logs\MySpaceIM-20080530-182732.log Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\BearShareV6.exe/WISE0105.BIN/stream/data0005 Infected: not-a-virus:AdWare.Win32.Mostofate.j skipped
C:\Documents and Settings\Owner\Desktop\BearShareV6.exe/WISE0105.BIN/stream Infected: not-a-virus:AdWare.Win32.Mostofate.j skipped
C:\Documents and Settings\Owner\Desktop\BearShareV6.exe/WISE0105.BIN Infected: not-a-virus:AdWare.Win32.Mostofate.j skipped
C:\Documents and Settings\Owner\Desktop\BearShareV6.exe WiseSFX: infected - 3 skipped
C:\Documents and Settings\Owner\Desktop\BearShareV6.exe WiseSFXDropper: infected - 3 skipped
C:\Documents and Settings\Owner\Desktop\MUSIC FILES\hip-hop\webbi i know.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/b122.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/jmwnw64l.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/mrofinu1000106.exe Infected: Trojan-Downloader.Win32.Homles.bo skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/rqRKEULC.dll Infected: Trojan.Win32.Inject.cgf skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/rwwnw64d.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/svchost.exe Infected: Trojan.Win32.VB.daj skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/UWFX6_0001_N68M2301NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.d skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/vntiho051080.exe Infected: Trojan-Downloader.Win32.VB.epp skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/Yazzle1552OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip ZIP: infected - 9 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008053020080531\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\temp\~DF8BDD.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\temp\~DFCE1E.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\temp\~DFCE29.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\My Documents\Big John\BSINSTALL.exe/WISE0025.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Owner\My Documents\Big John\BSINSTALL.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\Owner\My Documents\Big John\BSINSTALL.exe WiseSFXDropper: infected - 1 skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BSINSTALL.exe/WISE0026.BIN/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
C:\Program Files\BSINSTALL.exe/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
C:\Program Files\BSINSTALL.exe WiseSFX: infected - 2 skipped
C:\Program Files\BSINSTALL.exe WiseSFXDropper: infected - 2 skipped
C:\QooBox\Quarantine\C\Program Files\PCODEC\iesuninst.exe.vir Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\QooBox\Quarantine\C\Program Files\PCODEC\pmuninst.exe.vir Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\QooBox\Quarantine\C\Program Files\Video ActiveX Object\isauninst.exe.vir Infected: Trojan-Downloader.Win32.Zlob.biu skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\1064a\tgvram102.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cvvfsmxv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.umu skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hI2\aSCdt4x.exe.vir Infected: Trojan.Win32.Agent.lom skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ljtlqcri.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.uor skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\llcbnkge.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.uor skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qcntnkdm.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qcntnkdn.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP767\A0036668.exe Infected: Trojan-Downloader.Win32.Homles.bo skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP767\A0036669.exe Infected: Trojan-Downloader.Win32.Homles.bo skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP772\A0036683.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP772\A0036686.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP772\A0036687.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP772\A0036693.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP773\A0036704.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP774\A0036711.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP775\A0036714.dll Infected: Trojan.Win32.BHO.cmd skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP776\A0036774.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP776\A0036780.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ugj skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039865.dll Infected: Trojan.Win32.Inject.cgf skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039867.exe Infected: Trojan-Downloader.Win32.VB.epp skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039868.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039870.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039871.exe Infected: Trojan-Downloader.Win32.Homles.bo skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039874.exe Infected: Trojan.Win32.VB.daj skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039876.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039878.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039885.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039889.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039890.exe Infected: Trojan-Downloader.Win32.Homles.bo skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039894.dll Infected: Trojan.Win32.Inject.cgf skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039895.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039896.exe Infected: Trojan.Win32.VB.daj skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039899.exe Infected: not-a-virus:Downloader.Win32.WinFixer.d skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039900.exe Infected: Trojan-Downloader.Win32.VB.epp skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039901.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP778\A0039975.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP778\A0039976.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP778\A0039977.exe Infected: Trojan-Downloader.Win32.Zlob.biu skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP778\A0039982.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.umu skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP778\A0039985.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.uor skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP778\A0039986.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.uor skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP781\A0040059.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP781\A0040060.exe Infected: Trojan.Win32.Agent.lom skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP781\A0040064.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP781\A0040065.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP781\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\at1\sxdparsdll.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\g98.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\g98.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\g98.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP781\change.log Object is locked skipped
Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:19, on 2008-05-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130631592\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Windows &Live Favorites -
http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) -
http://go.microsoft....k/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft....k/?linkid=39204
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) -
http://zone.msn.com/...rp.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) -
http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
http://by115fd.bay11...es/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) -
http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.micros...b?1147825771500
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) -
http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) -
http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) -
http://by115fd.bay11...ex/HMAtchmt.ocx
O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
O22 - SharedTaskScheduler: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O24 - Desktop Component 0: (no name) -
http://organizations...et/0f5a7770.jpg
O24 - Desktop Component 1: (no name) -
http://myspace-974.v...528201974_m.jpg
O24 - Desktop Component 2: (no name) -
http://myspace-974.v...528201974_l.jpg
O24 - Desktop Component 3: (no name) -
http://organizations...et/0f3a6760.jpg
O24 - Desktop Component 4: (no name) -
http://organizations...et/0f1b1740.jpg
--
End of file - 9331 bytes