Tradedoubler, Virtumonde, Win32.murlo, Winantiviruspro2006


This topic is locked
32 replies to this topic

#1 Indiana (Members, 28 posts)

Posted 05 October 2007 - 04:22 AM

Dear Bleeping Computer,

I have several infections continuously coming back to my computer.
With Spybot Search and Destroy, I get the following malware:
Tradedoubler
Virtumonde.rtk
Virtumonde
Win32.Murlo.ff
Winsoftware.WinAntiVirusPro2006

I have been going through the steps of your guide to remove malware more than once. The only thing I haven't done is install a "two-way" firewall. I will do this after my computer is clean. I'm currently using the built-in Windows firewall.
I'm worried that installing a new firewall will mess up inbound and outbound access, e.g. for Skype, MSN or my soft IP telephone, etc.
Is there any risk of this?

My first step when I discovered the infection was to write to the support team of Spybot. They advised me to run VundoFix.exe, so I have been doing this a couple of times.

The HijackThis log file below was created in Safe Mode with networking.
Do you need one in normal mode?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:21, on 05-10-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Adobe\Web\AOM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SaferScan] C:\Program Files\SaferScan\saferscan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\VistaCodecPack\rm\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\jofiakld.dll",sitypnow
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\CounterPath\X-Lite\x-lite.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\itmuvyyi.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VersionBackup.lnk = C:\Program Files\VersionBackup\VersionBackup.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188220863062
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/au...tdccsp-0506.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9203 bytes
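
The two entries in the log above that stand out are "O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\jofiakld.dll",sitypnow" and "O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\itmuvyyi.exe": an eight-letter random file name dropped straight into system32 with no vendor folder, in the first case loaded through rundll32.exe with an arbitrary export name and a value name ("SearchIndexer") that has nothing to do with the file. The script below is an added example, not code from this thread, from HijackThis or from ComboFix. It runs that check over O4 lines copied from this log, and its second function pairs each deleted .dll with a .ini whose stem is the DLL stem spelled backwards, the companion-file pattern that shows up in the ComboFix "Other Deletions" list posted further down the thread (jofiakld.dll next to dlkaifoj.ini, and so on). The eight-lowercase-letter pattern, the small allowlist and both sample lists are assumptions constructed from this page; real triage would also check file hashes and publisher signatures.

```python
"""Triage HijackThis O4 autostart lines for Vundo-style random-named loaders.

Added example for this thread; not HijackThis, ComboFix or BleepingComputer code.
The 8-lowercase-letter heuristic and the allowlist are assumptions, not a signature.
"""
import ntpath
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample input: O4 lines copied from the first HijackThis log in this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe',
    r'O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\jofiakld.dll",sitypnow',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\itmuvyyi.exe',
    r"O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOKAL TJENESTE')",
]

# Constructed sample input: file names from the "Other Deletions" section of the
# ComboFix log posted later in this thread.
SAMPLE_DELETED_FILES = [
    r'C:\WINDOWS\system32\dlkaifoj.ini',
    r'C:\WINDOWS\system32\jofiakld.dll',
    r'C:\WINDOWS\system32\nopacriq.dll',
    r'C:\WINDOWS\system32\qircapon.ini',
    r'C:\WINDOWS\system32\pmkjg.dll',
    r'C:\WINDOWS\system32\gjkmp.ini',
    r'C:\WINDOWS\system32\info.txt',
]

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'^\s*(?P<exe>.+?\.exe)(?:\s+(?P<args>.*))?\s*$', re.IGNORECASE)
# Heuristic: eight random lowercase letters, as in jofiakld.dll / itmuvyyi.exe above.
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}\.(?:dll|exe)$')
SYSTEM32_RE = re.compile(r'\\system32\\[^\\]+$', re.IGNORECASE)
# Assumed allowlist of legitimate 8-letter binaries seen in this log (extend per machine).
KNOWN_OK: Set[str] = {'hdashcut.exe', 'nerocheck.exe'}


class Finding(NamedTuple):
    name: str      # the Run value name, e.g. "SearchIndexer"
    path: str      # the executable or DLL the entry actually loads
    reason: str


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (executable, arguments). Quotes are dropped first because
    HijackThis prints the registry data verbatim, quoted or not."""
    flat = cmd.replace('"', '')
    m = EXE_RE.match(flat)
    if not m:
        return flat.strip(), ''
    return m.group('exe'), m.group('args') or ''


def looks_random(path: str) -> bool:
    """True for an 8-lowercase-letter .dll/.exe sitting directly in system32."""
    base = ntpath.basename(path)
    return (bool(RANDOM_NAME_RE.match(base))
            and base.lower() not in KNOWN_OK
            and bool(SYSTEM32_RE.search(path)))


def triage_o4(lines: List[str]) -> List[Finding]:
    """Flag Run-key autostarts that load a random-named file straight from system32."""
    findings: List[Finding] = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue   # Global Startup .lnk entries and other O4 forms are not handled here
        exe, args = split_command(m.group('cmd'))
        if ntpath.basename(exe).lower() == 'rundll32.exe':
            # rundll32 itself is legitimate; the DLL and export it is told to load are the IOC.
            dll = args.split(',', 1)[0].strip()
            if looks_random(dll):
                findings.append(Finding(m.group('name'), dll,
                                        'rundll32 loads a random-named DLL from system32'))
        elif looks_random(exe):
            findings.append(Finding(m.group('name'), exe, 'random-named executable in system32'))
    return findings


def reversed_name_pairs(paths: List[str]) -> List[Tuple[str, str]]:
    """Pair every .dll with a .ini whose stem is the DLL stem spelled backwards, the
    companion-file pattern visible in the ComboFix deletions in this thread."""
    stems: Dict[str, Set[str]] = {}
    for p in paths:
        stem, ext = ntpath.splitext(ntpath.basename(p).lower())
        stems.setdefault(ext, set()).add(stem)
    inis = stems.get('.ini', set())
    return [(dll + '.dll', dll[::-1] + '.ini')
            for dll in sorted(stems.get('.dll', set())) if dll[::-1] in inis]


if __name__ == '__main__':
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f'[{f.name}] {f.path}: {f.reason}')
    for dll, ini in reversed_name_pairs(SAMPLE_DELETED_FILES):
        print(f'{dll} <-> {ini}')
```

Run with python3 and it reports the SearchIndexer and DDC entries and three dll/ini pairs. A flagged value that is absent from a later log is not by itself evidence of cleanup, since loaders of this family are re-created under fresh random names, so the check is worth repeating on every new log and, as ComboFix does, on the on-disk file list rather than only on the Run keys.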


#2 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 06 October 2007 - 01:06 PM

Hello and welcome to BC.

The HijackThis log file below was created in Safe Mode with networking.
Do you need one in normal mode?

For future reference, please be informed that Safe Mode with networking is not a safe method. Many of your security applications are not loaded when you are in Safe Mode, thus leaving the system wide open to infections.
And yes, we would like to have the HijackThis log from Normal Mode.

#3 Indiana (Topic Starter, Members, 28 posts)

Posted 06 October 2007 - 01:43 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:40:46, on 06-10-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CounterPath\X-Lite\x-lite.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\VersionBackup\VBackRun.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SaferScan] C:\Program Files\SaferScan\saferscan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\VistaCodecPack\rm\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\CounterPath\X-Lite\x-lite.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VersionBackup.lnk = C:\Program Files\VersionBackup\VersionBackup.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188220863062
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/au...tdccsp-0506.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11010 bytes

#4 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 06 October 2007 - 02:22 PM

Please download ComboFix.

Note: It is important that it is saved directly to your desktop.

Close all browsers.
  • Double-click ComboFix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply, together with a fresh HijackThis log, please.
  • Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


#5 Indiana (Topic Starter, Members, 28 posts)

Posted 06 October 2007 - 02:51 PM

Why is my antivirus program (Panda) detecting ComboFix.exe as a potentially unwanted program?

#6 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 06 October 2007 - 02:59 PM

Please tell your antivirus program to allow it. ComboFix is safe.

#7 Indiana (Topic Starter, Members, 28 posts)

Posted 06 October 2007 - 03:28 PM

ComboFix 07-10-06.5 - Bruger 1 2007-10-06 22:04:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.225 [GMT 2:00]
Running from: C:\Downloadede programmer\Antivirus-programmer\ComboFix\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Program Files\windows
C:\WINDOWS\cookies.ini
C:\WINDOWS\Installer\{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}\program files\VistaCodecPack\Tools\233.exe
C:\WINDOWS\Installer\{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}\program files\VistaCodecPack\Tools\237.exe
C:\WINDOWS\system32\3_exception.nls
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\dlkaifoj.ini
C:\WINDOWS\system32\drivers\runtime2.sys . . . . failed to delete
C:\WINDOWS\system32\gjkmp.bak1
C:\WINDOWS\system32\gjkmp.bak2
C:\WINDOWS\system32\gjkmp.ini
C:\WINDOWS\system32\ibgiukow.ini
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\jofiakld.dll
C:\WINDOWS\system32\kpcakpyu.ini
C:\WINDOWS\system32\lphoxpqy.ini
C:\WINDOWS\system32\nopacriq.dll
C:\WINDOWS\system32\nvaiuqpw.dll
C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\qircapon.ini
C:\WINDOWS\system32\uypkacpk.dll
C:\WINDOWS\system32\wokuigbi.dll
C:\WINDOWS\system32\wpquiavn.ini
C:\WINDOWS\system32\yqpxohpl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2


((((((((((((((((((((((((( Files Created from 2007-09-06 to 2007-10-06 )))))))))))))))))))))))))))))))
.

2007-10-06 22:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-06 16:12 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-05 10:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-23 13:13 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-17 14:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-17 10:40 3,432 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-15 15:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-14 00:01 29,056 --a------ C:\WINDOWS\system32\drivers\ip6fw.sys
2007-09-14 00:01 29,056 --a------ C:\WINDOWS\system32\dllcache\ip6fw.sys
2007-09-13 19:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\InterVideo
2007-09-13 19:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple
2007-09-13 19:26 <DIR> d-------- C:\Program Files\QSynchronization
2007-09-13 19:26 <DIR> d-------- C:\Program Files\Easy2Sync for Outlook
2007-09-13 19:26 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-13 16:05 <DIR> d-------- C:\VundoFix Backups
2007-09-13 11:34 <DIR> d-------- C:\Program Files\Safer Networking
2007-09-13 00:07 <DIR> d-------- C:\Program Files\Microsoft AntiSpyware
2007-09-11 18:49 <DIR> d-------- C:\Program Files\Apple Software Update(2)
2007-09-11 15:14 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-10 12:18 <DIR> d-------- D:\Documents and Settings\Bruger 1\Application Data\Itsth
2007-09-10 01:05 53,248 --a------ C:\WINDOWS\system32\MMTray.exe
2007-09-10 01:05 224,256 --a------ C:\WINDOWS\system32\MMIJG32.dll
2007-09-10 01:05 <DIR> d-------- C:\Program Files\Morgan
2007-09-09 20:40 <DIR> d-------- C:\Program Files\SoftwareRevenue.org
2007-09-09 20:39 10,050,902 --a------ C:\WINDOWS\system32\mi2.exe
2007-09-09 19:05 <DIR> d-------- C:\Program Files\3ivx
2007-09-09 17:57 26,136 --a------ C:\WINDOWS\system32\IVIresize.dll
2007-09-09 17:57 210,456 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2007-09-09 17:57 206,360 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2007-09-09 17:57 198,168 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2007-09-09 17:57 198,168 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2007-09-09 17:57 194,072 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2007-09-09 17:57 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2007-09-09 15:38 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-09-09 14:31 <DIR> d-------- D:\Documents and Settings\Bruger 1\Application Data\DivX
2007-09-09 14:26 <DIR> d-------- C:\Program Files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-06 22:18 23536 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-10-06 22:18 1132 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-10-06 17:37 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-10-06 17:37 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-10-06 17:37 --------- d-------- C:\Program Files\VersionBackup
2007-10-06 17:32 --------- d-------- C:\Program Files\MSN Messenger
2007-09-27 00:59 --------- d-------- D:\Documents and Settings\Bruger 1\Application Data\Canon
2007-09-23 13:12 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-23 12:59 --------- d-------- C:\Program Files\Lavasoft
2007-09-15 13:15 --------- d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-13 23:46 --------- d-------- C:\Program Files\QuickTime
2007-09-13 19:25 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-13 00:19 --------- d-------- C:\Program Files\Google-Translator
2007-09-12 10:27 --------- d-------- C:\Program Files\Yahoo!
2007-09-12 10:02 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-12 10:02 --------- d-------- C:\Program Files\Ulead Systems
2007-09-12 09:59 --------- d-------- C:\Program Files\Common Files\Ulead Systems
2007-09-10 02:12 --------- d-------- C:\Program Files\TimeAdjuster
2007-09-10 01:13 --------- d-------- C:\Program Files\ffdshow
2007-09-09 20:40 737280 --a------ C:\WINDOWS\iun6002.exe
2007-09-09 18:52 --------- d-------- D:\Documents and Settings\Bruger 1\Application Data\Ulead Systems
2007-09-09 18:43 --------- d-------- C:\Program Files\Mpeg2Decoder
2007-09-05 23:52 --------- d-------- C:\Program Files\VistaCodecPack
2007-09-05 21:15 --------- d-------- C:\Program Files\Common Files\Mainconcept
2007-09-04 23:50 --------- d-------- C:\Program Files\Media Center Karaoke Plug-in
2007-08-27 16:33 --------- d-------- C:\Program Files\MSXML 6.0
2007-08-27 15:55 --------- d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-27 15:15 --------- d-------- D:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-08-27 14:34 --------- d-------- D:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2004-08-09 23:30 40960 --a------ C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2331269C-D109-41CA-8CAB-6E879C267D3E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C640421-93F5-46E8-BC20-9779B4EFD614}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 16:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 16:00]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 15:56]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 19:07 C:\WINDOWS\system32\HdAShCut.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-08 17:55]
"ATIPTA"="C:\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 23:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 16:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 13:00]
"SaferScan"="C:\Program Files\SaferScan\saferscan.exe" []
"TkBellExe"="C:\Program Files\VistaCodecPack\rm\Update_OB\realsched.exe" []
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-06-28 21:29]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 C:\WINDOWS\RTHDCPL.EXE]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 14:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:55]
"eyeBeam SIP Client"="C:\Program Files\CounterPath\X-Lite\x-lite.exe" [2007-06-05 08:52]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 16:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-05-12 13:24:41]
Adobe Reader Hurtigstart.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
VersionBackup.lnk - C:\Program Files\VersionBackup\VersionBackup.exe [2006-03-24 14:21:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2005-09-27 11:13 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvvtt]
vtuvvtt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhdn32]
winhdn32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 netflt;Panda Net Driver [NDIS Layer];C:\WINDOWS\system32\Drivers\NETFLT.SYS
R0 viaagp;VIA AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\viaagp.sys
R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\drivers\ShldDrv.sys
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
R3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys
S3 ZD1211U(Wireless);IEEE 802.11g USB Adapter Driver(Wireless);C:\WINDOWS\system32\DRIVERS\zd1211u.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ab1d05e-56c2-11db-9b79-0001360dde4f}]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df5c6528-ccc3-11db-9bd3-0001360dde4f}]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-12 08:32:46 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2006-01-03 15:50:11 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2005-12-27 23:38:19 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-10-06 18:31:01 C:\WINDOWS\Tasks\Søg efter opdateringer til Windows Live Toolbar.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-06 22:18:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\aawservice]
"ImagePath"="\"C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe\""

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\viaagp]
"ImagePath"="system32\DRIVERS\viaagp.sys"
.
Completion time: 2007-10-06 22:23:22 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-06 22:23
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:27:29, on 06-10-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\apvxdwin.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CounterPath\X-Lite\x-lite.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\VersionBackup\VBackRun.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C640421-93F5-46E8-BC20-9779B4EFD614} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SaferScan] C:\Program Files\SaferScan\saferscan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\VistaCodecPack\rm\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\CounterPath\X-Lite\x-lite.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VersionBackup.lnk = C:\Program Files\VersionBackup\VersionBackup.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188220863062
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/au...tdccsp-0506.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab
O20 - Winlogon Notify: vtuvvtt - vtuvvtt.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11487 bytes

#8 amateur


    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:02:41 PM

Posted 06 October 2007 - 03:37 PM

Running from: C:\Downloadede programmer\Antivirus-programmer\ComboFix\ComboFix.exe

Combofix needs to run from the Desktop as instructed:

Note: It is important that it is saved directly to your desktop.



#9 Indiana

  • Topic Starter

  • Members
  • 28 posts
  • Local time:08:41 PM

Posted 06 October 2007 - 03:52 PM

Info:
I get a lot of notifications from Panda Antivirus during the ComboFix run, and after.
Some are blockings, and others are registry modifications that I need to allow.


ComboFix 07-10-06.5 - Bruger 1 2007-10-06 22:41:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.284 [GMT 2:00]
Running from: D:\Documents and Settings\Bruger 1\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-06 to 2007-10-06 )))))))))))))))))))))))))))))))
.

2007-10-06 22:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-06 16:12 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-05 10:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-23 13:13 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-17 14:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-17 10:40 3,432 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-15 15:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-14 00:01 29,056 --a------ C:\WINDOWS\system32\drivers\ip6fw.sys
2007-09-14 00:01 29,056 --a------ C:\WINDOWS\system32\dllcache\ip6fw.sys
2007-09-13 19:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\InterVideo
2007-09-13 19:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple
2007-09-13 19:26 <DIR> d-------- C:\Program Files\QSynchronization
2007-09-13 19:26 <DIR> d-------- C:\Program Files\Easy2Sync for Outlook
2007-09-13 19:26 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-13 16:05 <DIR> d-------- C:\VundoFix Backups
2007-09-13 11:34 <DIR> d-------- C:\Program Files\Safer Networking
2007-09-13 00:07 <DIR> d-------- C:\Program Files\Microsoft AntiSpyware
2007-09-11 18:49 <DIR> d-------- C:\Program Files\Apple Software Update(2)
2007-09-11 15:14 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-10 12:18 <DIR> d-------- D:\Documents and Settings\Bruger 1\Application Data\Itsth
2007-09-10 01:05 53,248 --a------ C:\WINDOWS\system32\MMTray.exe
2007-09-10 01:05 224,256 --a------ C:\WINDOWS\system32\MMIJG32.dll
2007-09-10 01:05 <DIR> d-------- C:\Program Files\Morgan
2007-09-09 20:40 <DIR> d-------- C:\Program Files\SoftwareRevenue.org
2007-09-09 20:39 10,050,902 --a------ C:\WINDOWS\system32\mi2.exe
2007-09-09 19:05 <DIR> d-------- C:\Program Files\3ivx
2007-09-09 17:57 26,136 --a------ C:\WINDOWS\system32\IVIresize.dll
2007-09-09 17:57 210,456 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2007-09-09 17:57 206,360 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2007-09-09 17:57 198,168 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2007-09-09 17:57 198,168 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2007-09-09 17:57 194,072 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2007-09-09 17:57 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2007-09-09 15:38 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-09-09 14:31 <DIR> d-------- D:\Documents and Settings\Bruger 1\Application Data\DivX
2007-09-09 14:26 <DIR> d-------- C:\Program Files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-06 22:18 23536 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-10-06 22:18 1132 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-10-06 17:37 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-10-06 17:37 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-10-06 17:37 --------- d-------- C:\Program Files\VersionBackup
2007-10-06 17:32 --------- d-------- C:\Program Files\MSN Messenger
2007-09-27 00:59 --------- d-------- D:\Documents and Settings\Bruger 1\Application Data\Canon
2007-09-23 13:12 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-23 12:59 --------- d-------- C:\Program Files\Lavasoft
2007-09-15 13:15 --------- d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-13 23:46 --------- d-------- C:\Program Files\QuickTime
2007-09-13 19:25 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-13 00:19 --------- d-------- C:\Program Files\Google-Translator
2007-09-12 10:27 --------- d-------- C:\Program Files\Yahoo!
2007-09-12 10:02 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-12 10:02 --------- d-------- C:\Program Files\Ulead Systems
2007-09-12 09:59 --------- d-------- C:\Program Files\Common Files\Ulead Systems
2007-09-10 02:12 --------- d-------- C:\Program Files\TimeAdjuster
2007-09-10 01:13 --------- d-------- C:\Program Files\ffdshow
2007-09-09 20:40 737280 --a------ C:\WINDOWS\iun6002.exe
2007-09-09 18:52 --------- d-------- D:\Documents and Settings\Bruger 1\Application Data\Ulead Systems
2007-09-09 18:43 --------- d-------- C:\Program Files\Mpeg2Decoder
2007-09-05 23:52 --------- d-------- C:\Program Files\VistaCodecPack
2007-09-05 21:15 --------- d-------- C:\Program Files\Common Files\Mainconcept
2007-09-04 23:50 --------- d-------- C:\Program Files\Media Center Karaoke Plug-in
2007-08-27 16:33 --------- d-------- C:\Program Files\MSXML 6.0
2007-08-27 15:55 --------- d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-27 15:15 --------- d-------- D:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-08-27 14:34 --------- d-------- D:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-07 03:51 324320 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll
2007-08-07 03:51 1139488 --a------ C:\WINDOWS\system32\3ivx.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-27 01:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-27 01:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-19 08:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-13 01:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2004-08-09 23:30 40960 --a------ C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C640421-93F5-46E8-BC20-9779B4EFD614}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 16:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 16:00]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 15:56]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 19:07 C:\WINDOWS\system32\HdAShCut.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-08 17:55]
"ATIPTA"="C:\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 23:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 16:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 13:00]
"SaferScan"="C:\Program Files\SaferScan\saferscan.exe" []
"TkBellExe"="C:\Program Files\VistaCodecPack\rm\Update_OB\realsched.exe" []
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-06-28 21:29]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 C:\WINDOWS\RTHDCPL.EXE]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 14:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:55]
"eyeBeam SIP Client"="C:\Program Files\CounterPath\X-Lite\x-lite.exe" [2007-06-05 08:52]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 16:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-05-12 13:24:41]
Adobe Reader Hurtigstart.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
VersionBackup.lnk - C:\Program Files\VersionBackup\VersionBackup.exe [2006-03-24 14:21:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2005-09-27 11:13 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvvtt]
vtuvvtt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhdn32]
winhdn32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 netflt;Panda Net Driver [NDIS Layer];C:\WINDOWS\system32\Drivers\NETFLT.SYS
R0 viaagp;VIA AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\viaagp.sys
R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\drivers\ShldDrv.sys
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
R3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys
S3 ZD1211U(Wireless);IEEE 802.11g USB Adapter Driver(Wireless);C:\WINDOWS\system32\DRIVERS\zd1211u.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ab1d05e-56c2-11db-9b79-0001360dde4f}]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df5c6528-ccc3-11db-9bd3-0001360dde4f}]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-12 08:32:46 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2006-01-03 15:50:11 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2005-12-27 23:38:19 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-10-06 20:31:01 C:\WINDOWS\Tasks\Søg efter opdateringer til Windows Live Toolbar.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-06 22:45:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\aawservice]
"ImagePath"="\"C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe\""

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\viaagp]
"ImagePath"="system32\DRIVERS\viaagp.sys"
.
Completion time: 2007-10-06 22:48:07
C:\ComboFix-quarantined-files.txt ... 2007-10-06 22:47
C:\ComboFix2.txt ... 2007-10-06 22:23
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:49:41, on 06-10-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\apvxdwin.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CounterPath\X-Lite\x-lite.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\VersionBackup\VBackRun.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\avciman.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimreal.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C640421-93F5-46E8-BC20-9779B4EFD614} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SaferScan] C:\Program Files\SaferScan\saferscan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\VistaCodecPack\rm\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\CounterPath\X-Lite\x-lite.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VersionBackup.lnk = C:\Program Files\VersionBackup\VersionBackup.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188220863062
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/au...tdccsp-0506.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab
O20 - Winlogon Notify: vtuvvtt - vtuvvtt.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11617 bytes

#10 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:41 PM

Posted 06 October 2007 - 05:03 PM

Hi,

Please disable teatimer so that it will not interfere with the fixes.

While both Tea timer and SpyBot are closed download

ResetTeaTimer.bat.

Double click ResetTeaTimer.bat to remove all entries set by SpyBot's TeaTimer.
Once it has run, you can delete it. It will not be needed again.

Note: If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

===============================

SaferScan is a rogue program, please remove it via Add/Remove Programs in Control Panel

===============================

Scan with HijackThis and put a checkmark against the following entries:

O2 - BHO: (no name) - {5C640421-93F5-46E8-BC20-9779B4EFD614} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SaferScan] C:\Program Files\SaferScan\saferscan.exe
O20 - Winlogon Notify: vtuvvtt - vtuvvtt.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)


Close all browsers/windows other than HijackThis and click on fix checked.

================================

Please download Flash_Disinfector.exe by sUBs and save it to your desktop:
  • Double-click Flash_Disinfector.exe to run it.
  • Follow any prompts that may appear.
  • Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.

===============================

Open notepad (it must be notepad, not wordpad, or it won't work) and copy/paste the text in the quotebox below into it (starting from File:.....):

File::
system32\mi2.exe

Folder::
C:\Program Files\SaferScan
C:\Program Files\SoftwareRevenue.org
C:\VundoFix Backups
C:\Program Files\VistaCodecPack

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ab1d05e-56c2-11db-9b79-0001360dde4f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df5c6528-ccc3-11db-9bd3-0001360dde4f}]


Save this as CFScript.txt

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


=============================================

Restart your computer.

=============================================

Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky Online Scanner if it is present, prior to downloading the most up-to-date one.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop in txt format.
Copy and paste that information from Kaspersky in your next post.

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Or use Firefox with IE-Tab plugin

================================

Post a fresh HijackThis log along with the Kaspersky report please.
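The HijackThis entries ticked above share a pattern: a BHO (O2) still registered under its CLSID with no DLL on disk, Winlogon Notify packages (O20) whose DLL is missing, and a Run entry (O4) launching a program identified as rogue. The script below is an added example, not part of this thread or of the HijackThis tool, that applies that triage to sample lines copied from the log posted above; the rogue-name list is an assumption.

```python
"""Triage HijackThis (HJT) log lines for orphaned or rogue autostart entries.

Added example, not BleepingComputer or HijackThis code. Sample lines are
copied from the HijackThis log posted in this thread.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# HJT entries look like "O2 - BHO: name - {CLSID} - path"; the leading
# section code identifies the autostart location the entry came from.
HJT_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")

# Programs the thread identified as rogue (assumed, extend as needed).
ROGUE_NAMES = ("SaferScan",)


@dataclass(frozen=True)
class Finding:
    section: str
    entry: str
    reason: str


def triage_hjt(log_text: str, rogue_names: Iterable[str] = ROGUE_NAMES) -> List[Finding]:
    """Return the entries a malware helper would tick for 'Fix checked'."""
    findings: List[Finding] = []
    rogue_lc = [n.lower() for n in rogue_names]
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header lines, the process list and blank lines
        section, body = m.groups()
        if section == "O2" and body.endswith("(no file)"):
            # A BHO CLSID still registered but its DLL is gone: either a
            # half-removed Vundo/Virtumonde component or a loader that gets
            # re-pointed at a fresh DLL when the infection reinstalls itself.
            findings.append(Finding(section, line, "BHO registered with no DLL on disk"))
        elif section == "O20" and "(file missing)" in body:
            # Winlogon Notify packages are loaded into winlogon.exe at logon;
            # a missing DLL is a dangling hook and should be removed.
            findings.append(Finding(section, line, "Winlogon Notify DLL missing"))
        elif section == "O4" and any(name in body.lower() for name in rogue_lc):
            findings.append(Finding(section, line, "Run entry launches known rogue program"))
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """The exact HJT lines to check, in log order (what the helper quotes back)."""
    return [f.entry for f in findings]


# Constructed sample: a subset of the log posted above, with benign
# neighbours left in so the filter has something to ignore.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {5C640421-93F5-46E8-BC20-9779B4EFD614} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [ehTray] C:\\WINDOWS\\ehome\\ehtray.exe
O4 - HKLM\\..\\Run: [SaferScan] C:\\Program Files\\SaferScan\\saferscan.exe
O20 - Winlogon Notify: vtuvvtt - vtuvvtt.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\aawservice.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:42} {f.entry}")
```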

#11 Indiana

Indiana
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:08:41 PM

Posted 06 October 2007 - 09:11 PM

SaferScan did NOT appear in the "Add/Remove Programs" list!

------------------------------

When running Flash Disinfector a continuous Windows prompt message popped up:

"Windows - No disc.
Exception processing Message c0000013 Parameters 75b6bf7c4 75b6bf7c 75b6bf7c"

I had to press "Continue" at least 20 times to get to the end message: "Finish - Done"

I don't think it ran properly!

---------------------------------

When ComboFix did a reboot of the computer, I did not notice that my external harddisk (drive F:\) was not detected.
I first discovered this close to the end of the Kaspersky online scanning.
Therefore I made Kaspersky run an extra scan of drive F after the first scan (the log file is therefore two logs).
I did run the Flash Disinfector again after discovering the missing drive F, but it had no effect on the outcome (still all the fault messages).

----------------------------------

ComboFix 07-10-06.5 - Bruger 1 2007-10-07 0:34:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.261 [GMT 2:00]
Running from: D:\Documents and Settings\Bruger 1\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Bruger 1\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\SoftwareRevenue.org
C:\Program Files\SoftwareRevenue.org\Activeshopper_trim.bmp
C:\Program Files\SoftwareRevenue.org\googlepage.bmp
C:\Program Files\VistaCodecPack
C:\Program Files\VistaCodecPack\filters\xvidcore.dll
C:\VundoFix Backups
C:\VundoFix Backups\femrsogl.ini.bad
C:\VundoFix Backups\htaikbgn.ini.bad
C:\VundoFix Backups\kxdsgdir.ini.bad
C:\VundoFix Backups\lgwyvckd.ini.bad
C:\VundoFix Backups\pryipseb.ini.bad
C:\VundoFix Backups\sbnnbukg.ini.bad
C:\VundoFix Backups\xxdlccou.ini.bad

.
((((((((((((((((((((((((( Files Created from 2007-09-06 to 2007-10-06 )))))))))))))))))))))))))))))))
.

2007-10-07 00:27 <DIR> drahs---- C:\autorun.inf
2007-10-06 22:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-06 16:12 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-05 10:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-23 13:13 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-17 14:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-17 10:40 3,432 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-15 15:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-14 00:01 29,056 --a------ C:\WINDOWS\system32\drivers\ip6fw.sys
2007-09-14 00:01 29,056 --a------ C:\WINDOWS\system32\dllcache\ip6fw.sys
2007-09-13 19:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\InterVideo
2007-09-13 19:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple
2007-09-13 19:26 <DIR> d-------- C:\Program Files\QSynchronization
2007-09-13 19:26 <DIR> d-------- C:\Program Files\Easy2Sync for Outlook
2007-09-13 19:26 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-13 11:34 <DIR> d-------- C:\Program Files\Safer Networking
2007-09-13 00:07 <DIR> d-------- C:\Program Files\Microsoft AntiSpyware
2007-09-11 18:49 <DIR> d-------- C:\Program Files\Apple Software Update(2)
2007-09-11 15:14 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-10 12:18 <DIR> d-------- D:\Documents and Settings\Bruger 1\Application Data\Itsth
2007-09-10 01:05 53,248 --a------ C:\WINDOWS\system32\MMTray.exe
2007-09-10 01:05 224,256 --a------ C:\WINDOWS\system32\MMIJG32.dll
2007-09-10 01:05 <DIR> d-------- C:\Program Files\Morgan
2007-09-09 20:39 10,050,902 --a------ C:\WINDOWS\system32\mi2.exe
2007-09-09 19:05 <DIR> d-------- C:\Program Files\3ivx
2007-09-09 17:57 26,136 --a------ C:\WINDOWS\system32\IVIresize.dll
2007-09-09 17:57 210,456 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2007-09-09 17:57 206,360 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2007-09-09 17:57 198,168 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2007-09-09 17:57 198,168 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2007-09-09 17:57 194,072 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2007-09-09 17:57 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2007-09-09 15:38 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-09-09 14:31 <DIR> d-------- D:\Documents and Settings\Bruger 1\Application Data\DivX
2007-09-09 14:26 <DIR> d-------- C:\Program Files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 00:42 23536 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-10-07 00:42 1132 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-10-06 17:37 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-10-06 17:37 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-10-06 17:37 --------- d-------- C:\Program Files\VersionBackup
2007-10-06 17:32 --------- d-------- C:\Program Files\MSN Messenger
2007-09-27 00:59 --------- d-------- D:\Documents and Settings\Bruger 1\Application Data\Canon
2007-09-23 13:12 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-23 12:59 --------- d-------- C:\Program Files\Lavasoft
2007-09-15 13:15 --------- d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-13 23:46 --------- d-------- C:\Program Files\QuickTime
2007-09-13 19:25 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-13 00:19 --------- d-------- C:\Program Files\Google-Translator
2007-09-12 10:27 --------- d-------- C:\Program Files\Yahoo!
2007-09-12 10:02 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-12 10:02 --------- d-------- C:\Program Files\Ulead Systems
2007-09-12 09:59 --------- d-------- C:\Program Files\Common Files\Ulead Systems
2007-09-10 02:12 --------- d-------- C:\Program Files\TimeAdjuster
2007-09-10 01:13 --------- d-------- C:\Program Files\ffdshow
2007-09-09 20:40 737280 --a------ C:\WINDOWS\iun6002.exe
2007-09-09 18:52 --------- d-------- D:\Documents and Settings\Bruger 1\Application Data\Ulead Systems
2007-09-09 18:43 --------- d-------- C:\Program Files\Mpeg2Decoder
2007-09-05 21:15 --------- d-------- C:\Program Files\Common Files\Mainconcept
2007-09-04 23:50 --------- d-------- C:\Program Files\Media Center Karaoke Plug-in
2007-08-27 16:33 --------- d-------- C:\Program Files\MSXML 6.0
2007-08-27 15:55 --------- d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-27 15:15 --------- d-------- D:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-08-27 14:34 --------- d-------- D:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2004-08-09 23:30 40960 --a------ C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 16:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 16:00]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 15:56]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 19:07 C:\WINDOWS\system32\HdAShCut.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-08 17:55]
"ATIPTA"="C:\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 23:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 16:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 13:00]
"TkBellExe"="C:\Program Files\VistaCodecPack\rm\Update_OB\realsched.exe" []
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-06-28 21:29]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 C:\WINDOWS\RTHDCPL.EXE]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 14:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:55]
"eyeBeam SIP Client"="C:\Program Files\CounterPath\X-Lite\x-lite.exe" [2007-06-05 08:52]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 16:00]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-05-12 13:24:41]
Adobe Reader Hurtigstart.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
VersionBackup.lnk - C:\Program Files\VersionBackup\VersionBackup.exe [2006-03-24 14:21:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2005-09-27 11:13 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 netflt;Panda Net Driver [NDIS Layer];C:\WINDOWS\system32\Drivers\NETFLT.SYS
R0 viaagp;VIA AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\viaagp.sys
R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\drivers\ShldDrv.sys
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
R3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys
S3 ZD1211U(Wireless);IEEE 802.11g USB Adapter Driver(Wireless);C:\WINDOWS\system32\DRIVERS\zd1211u.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-12 08:32:46 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2006-01-03 15:50:11 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2005-12-27 23:38:19 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-10-06 22:31:00 C:\WINDOWS\Tasks\Søg efter opdateringer til Windows Live Toolbar.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 00:42:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\aawservice]
"ImagePath"="\"C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe\""

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\viaagp]
"ImagePath"="system32\DRIVERS\viaagp.sys"
.
Completion time: 2007-10-07 0:47:25 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-07 00:47
C:\ComboFix2.txt ... 2007-10-06 22:48
C:\ComboFix3.txt ... 2007-10-06 22:23
.
--- E O F ---


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 07, 2007 2:34:21 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 7/10/2007
Kaspersky Anti-Virus database records: 402290
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
L:\

Scan Statistics:
Total number of scanned objects: 103453
Number of viruses found: 15
Number of infected objects: 34
Number of suspicious objects: 10
Duration of the scan process: 01:25:03

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP2\A0000071.sys Infected: Rootkit.Win32.Agent.ey skipped
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP3\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D6ED0F0B-2F58-4311-B0D4-B6404AC955E1}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ErrorSafe1.zip/Install.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ErrorSafe1.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/winDE.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: infected - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/winD8.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip ZIP: infected - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/winhdn32.dll Infected: Trojan.Win32.Dialer.qn skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip ZIP: infected - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip/gosD6.tmp Infected: Trojan.Win32.Dialer.qn skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip ZIP: infected - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloff.zip/startdrv.exe Infected: Trojan-Downloader.Win32.Agent.dfg skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloff.zip ZIP: infected - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloff11.zip/startdrv.exe Infected: Trojan-Downloader.Win32.Small.fpa skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloff11.zip ZIP: infected - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloff13.zip/startdrv.exe Infected: Trojan-Downloader.Win32.Small.fpa skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloff13.zip ZIP: infected - 1 skipped
D:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_2284412755_2621440_3044 Object is locked skipped
D:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_2284412755_7471104_3069 Object is locked skipped
D:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE13.tmp Object is locked skipped
D:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBEA.tmp Object is locked skipped
D:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{90BB9F03-D3BA-4916-B42E-6323542C8C24}.TmpSBE Object is locked skipped
D:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{E371D961-CC7C-41AC-A272-CFCE11F475D6}.TmpSBE Object is locked skipped
D:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped
D:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
D:\Documents and Settings\Bruger 1\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Bruger 1\Local Settings\Application Data\Microsoft\Messenger\sofus.riishede@mail.dk\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
D:\Documents and Settings\Bruger 1\Local Settings\Application Data\Microsoft\Messenger\sofus.riishede@mail.dk\SharingMetadata\pending.dat Object is locked skipped
D:\Documents and Settings\Bruger 1\Local Settings\Application Data\Microsoft\Messenger\sofus.riishede@mail.dk\SharingMetadata\Working\database_A288_298B_8829_5F53\dfsr.db Object is locked skipped
D:\Documents and Settings\Bruger 1\Local Settings\Application Data\Microsoft\Messenger\sofus.riishede@mail.dk\SharingMetadata\Working\database_A288_298B_8829_5F53\fsr.log Object is locked skipped
D:\Documents and Settings\Bruger 1\Local Settings\Application Data\Microsoft\Messenger\sofus.riishede@mail.dk\SharingMetadata\Working\database_A288_298B_8829_5F53\fsrtmp.log Object is locked skipped
D:\Documents and Settings\Bruger 1\Local Settings\Application Data\Microsoft\Messenger\sofus.riishede@mail.dk\SharingMetadata\Working\database_A288_298B_8829_5F53\tmp.edb Object is locked skipped
D:\Documents and Settings\Bruger 1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Bruger 1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Bruger 1\Local Settings\Application Data\Microsoft\Windows Live Contacts\sofus.riishede@mail.dk\real\members.stg Object is locked skipped
D:\Documents and Settings\Bruger 1\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Bruger 1\Local Settings\History\History.IE5\MSHist012007100720071008\index.dat Object is locked skipped
D:\Documents and Settings\Bruger 1\Local Settings\Temp\~DF1464.tmp Object is locked skipped
D:\Documents and Settings\Bruger 1\Local Settings\Temp\~DFF9F.tmp Object is locked skipped
D:\Documents and Settings\Bruger 1\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
D:\Documents and Settings\Bruger 1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml Infected: Email-Worm.Win32.NetSky.q skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/21 May 2004 08:21 from Natasha Salinas:Office XP Blowout Price $.html Infected: Exploit.HTML.ObjData skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml Infected: Email-Worm.Win32.NetSky.q skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst Mail MS Mail: infected - 7, suspicious - 8 skipped
D:\Documents and Settings\Bruger 1\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/123.gif.asp Infected: Backdoor.ASP.Ace.cz skipped
D:\Documents and Settings\Bruger 1\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/22.aspx Infected: Backdoor.ASP.Titshell.a skipped
D:\Documents and Settings\Bruger 1\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/nhd.asp Infected: Backdoor.ASP.Ace.bl skipped
D:\Documents and Settings\Bruger 1\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/Zehir2.asp Infected: Backdoor.ASP.Ace.q skipped
D:\Documents and Settings\Bruger 1\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/zehir3.asp Infected: Backdoor.ASP.Ace.bo skipped
D:\Documents and Settings\Bruger 1\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/zehir4.asp.gif Infected: Backdoor.ASP.Ace.ai skipped
D:\Documents and Settings\Bruger 1\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/zehir4.gif.ASP Infected: Backdoor.ASP.Ace.ai skipped
D:\Documents and Settings\Bruger 1\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/VRI/gfx/upload/3nigm4.asp Infected: Backdoor.ASP.Ace.cb skipped
D:\Documents and Settings\Bruger 1\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/VRI/gfx/upload/bad.asp Infected: Backdoor.ASP.Ace.ai skipped
D:\Documents and Settings\Bruger 1\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/VRI/gfx/upload/zehir3.jpg Infected: Backdoor.ASP.Ace.q skipped
D:\Documents and Settings\Bruger 1\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip ZIP: infected - 10 skipped
D:\Documents and Settings\Bruger 1\ntuser.dat Object is locked skipped
D:\Documents and Settings\Bruger 1\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY.006\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY.006\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY.006\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY.006\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY.006\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY.006\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY.006\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY.007\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY.007\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY.007\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY.007\ntuser.dat.LOG Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP3\change.log Object is locked skipped

Scan process completed.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 07, 2007 3:54:27 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 7/10/2007
Kaspersky Anti-Virus database records: 402290
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
F:\

Scan Statistics:
Total number of scanned objects: 31705
Number of viruses found: 10
Number of infected objects: 92
Number of suspicious objects: 48
Duration of the scan process: 01:11:55

Infected Object Name / Virus Name / Last Action
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml Infected: Email-Worm.Win32.NetSky.q skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/21 May 2004 08:21 from Natasha Salinas:Office XP Blowout Price $.html Infected: Exploit.HTML.ObjData skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml Infected: Email-Worm.Win32.NetSky.q skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\Mail Outlook\mailbox.pst Mail MS Mail: infected - 7, suspicious - 8 skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/123.gif.asp Infected: Backdoor.ASP.Ace.cz skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/22.aspx Infected: Backdoor.ASP.Titshell.a skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/nhd.asp Infected: Backdoor.ASP.Ace.bl skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/Zehir2.asp Infected: Backdoor.ASP.Ace.q skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/zehir3.asp Infected: Backdoor.ASP.Ace.bo skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/zehir4.asp.gif Infected: Backdoor.ASP.Ace.ai skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/zehir4.gif.ASP Infected: Backdoor.ASP.Ace.ai skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/VRI/gfx/upload/3nigm4.asp Infected: Backdoor.ASP.Ace.cb skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/VRI/gfx/upload/bad.asp Infected: Backdoor.ASP.Ace.ai skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/VRI/gfx/upload/zehir3.jpg Infected: Backdoor.ASP.Ace.q skipped
F:\Back Up\Back Up pr. 26.09.07 (v Virus fight)\My Documents\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip ZIP: infected - 10 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP3\change.log Object is locked skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/21 May 2004 08:21 from Natasha Salinas:Office XP Blowout Price $.html Infected: Exploit.HTML.ObjData skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\Mail Outlook\mailbox.pst Mail MS Mail: infected - 7, suspicious - 8 skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/123.gif.asp Infected: Backdoor.ASP.Ace.cz skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/22.aspx Infected: Backdoor.ASP.Titshell.a skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/nhd.asp Infected: Backdoor.ASP.Ace.bl skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/Zehir2.asp Infected: Backdoor.ASP.Ace.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/zehir3.asp Infected: Backdoor.ASP.Ace.bo skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/zehir4.asp.gif Infected: Backdoor.ASP.Ace.ai skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/zehir4.gif.ASP Infected: Backdoor.ASP.Ace.ai skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/VRI/gfx/upload/3nigm4.asp Infected: Backdoor.ASP.Ace.cb skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/VRI/gfx/upload/bad.asp Infected: Backdoor.ASP.Ace.ai skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/VRI/gfx/upload/zehir3.jpg Infected: Backdoor.ASP.Ace.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-12\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip ZIP: infected - 10 skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/21 May 2004 08:21 from Natasha Salinas:Office XP Blowout Price $.html Infected: Exploit.HTML.ObjData skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-14\Mail Outlook\mailbox.pst Mail MS Mail: infected - 7, suspicious - 8 skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/21 May 2004 08:21 from Natasha Salinas:Office XP Blowout Price $.html Infected: Exploit.HTML.ObjData skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\Mail Outlook\mailbox.pst Mail MS Mail: infected - 7, suspicious - 8 skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/123.gif.asp Infected: Backdoor.ASP.Ace.cz skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/22.aspx Infected: Backdoor.ASP.Titshell.a skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/nhd.asp Infected: Backdoor.ASP.Ace.bl skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/Zehir2.asp Infected: Backdoor.ASP.Ace.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/zehir3.asp Infected: Backdoor.ASP.Ace.bo skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/zehir4.asp.gif Infected: Backdoor.ASP.Ace.ai skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/zehir4.gif.ASP Infected: Backdoor.ASP.Ace.ai skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/VRI/gfx/upload/3nigm4.asp Infected: Backdoor.ASP.Ace.cb skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/VRI/gfx/upload/bad.asp Infected: Backdoor.ASP.Ace.ai skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/VRI/gfx/upload/zehir3.jpg Infected: Backdoor.ASP.Ace.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-15\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip ZIP: infected - 10 skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/21 May 2004 08:21 from Natasha Salinas:Office XP Blowout Price $.html Infected: Exploit.HTML.ObjData skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\Mail Outlook\mailbox.pst Mail MS Mail: infected - 7, suspicious - 8 skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/123.gif.asp Infected: Backdoor.ASP.Ace.cz skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/22.aspx Infected: Backdoor.ASP.Titshell.a skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/nhd.asp Infected: Backdoor.ASP.Ace.bl skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/Zehir2.asp Infected: Backdoor.ASP.Ace.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/zehir3.asp Infected: Backdoor.ASP.Ace.bo skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/zehir4.asp.gif Infected: Backdoor.ASP.Ace.ai skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/Privat/gfx/upload/zehir4.gif.ASP Infected: Backdoor.ASP.Ace.ai skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/VRI/gfx/upload/3nigm4.asp Infected: Backdoor.ASP.Ace.cb skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/VRI/gfx/upload/bad.asp Infected: Backdoor.ASP.Ace.ai skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip/Sofus/VRI/gfx/upload/zehir3.jpg Infected: Backdoor.ASP.Ace.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-17\WWW.sofus.hikers.DK\sofus trænerside, bach up 26.09.06.zip ZIP: infected - 10 skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml/[From sr@besked.com][Date Sun, 25 Apr 2004 17:07:06 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/25 Apr 2004 15:07 to sr@besked.com:Mail delivery failed: returni.eml Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/21 May 2004 08:21 from Natasha Salinas:Office XP Blowout Price $.html Infected: Exploit.HTML.ObjData skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml/[From s@sport.dk][Date Wed, 2 Jun 2004 18:42:47 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/03 Jun 2004 01:18 from MAILER-DAEMON@post.skolekom.dk:failure no.eml Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml/[From sr@besked.com][Date Wed, 23 Jun 2004 21:26:17 +0200]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst/Private mapper/Deleted Items/23 Jun 2004 19:32 from MAILER-DAEMON@plesk1.dmerhverv.dk:failure.eml Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\My Documents (D;Documents and Settings;Bruger1)\2007-09-18\Mail Outlook\mailbox.pst Mail MS Mail: infected - 7, suspicious - 8 skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:10:46, on 07-10-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CounterPath\X-Lite\x-lite.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\VersionBackup\VBackRun.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\Apvxdwin.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\VistaCodecPack\rm\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\CounterPath\X-Lite\x-lite.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VersionBackup.lnk = C:\Program Files\VersionBackup\VersionBackup.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188220863062
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/au...tdccsp-0506.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11155 bytes

#12 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:02:41 PM

Posted 07 October 2007 - 06:46 PM

Hi Indiana,

Sorry I was very busy all day long and couldn't get to you earlier. Your log is clean.

When running Flash Disinfector a continuous Windows prompt message popped up:

"Windows - No disc.
Exception processing Message c0000013 Parameters 75b6bf7c4 75b6bf7c 75b6bf7c"

I had to press "Continue" at least 20 times to get to the end message: "Finish - Done"


I think it was looking for the removable drive.

I have also found the following you might like to read:

http://forums.techguy.org/windows-vista/56...-message-3.html
http://support.microsoft.com/default.aspx?...kb;en-us;330137

==================================

I don't know what else you have on the external drive F, but Kaspersky listed a lot of infected Outlook mailbox contents backed up with VersionBackup. Please delete them. They are in the following folders. There are too many for me to list them here. If you don't have anything else, you might as well delete the whole content.

F:\Back Up
F:\VersionBackup

You have some infected mail in the D drive as well. Empty the Deleted Items folder of the mailbox:

D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Private mapper/Deleted Items

Delete the following folder:
D:\Documents and Settings\Bruger 1\My Documents\WWW.sofus.hikers.DK

Open SpyBot Search & Destroy
Click on Recovery button
Highlight all items
Select Purge selected items

==================================

Clean your Cache and Cookies in IE:

Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Click the "Delete Cookies" button
Next to it, Click the "Delete Files" button
When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (If you have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

===================================

Open notepad (it must be notepad, not wordpad, or it won't work) and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\mi2.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"=-


Save this as CFScript.txt

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Edited by amateur, 07 October 2007 - 06:47 PM.
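An added triage helper (my own example, not from this thread, from Kaspersky or from the helper's toolkit) for the scanner report format quoted earlier in the thread: the scanner lists every nested mail or archive member on its own line, so the script collapses those lines to the .pst or .zip file on disk, checks the per-container counts the scanner prints against the detection lines actually seen, and produces the removal checklist for a given backup root such as F:\VersionBackup. The sample report is constructed with shortened paths, and only the two container kinds that appear in this report are recognised.

```python
"""Triage a Kaspersky Online Scanner report by the file it lives in on disk.

The scanner reports every nested member of a mailbox or archive as its own
line, so one infected attachment inside one mailbox.pst backup shows up three
or four times.  Collapsing the lines to their top-level container gives the
short list a helper needs: which files to delete, and what was found in them.
The sample report at the bottom is constructed (shorter paths, same format).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Detection line: "<path> Infected: <name> skipped" or "<path> Suspicious: <name> skipped".
# The path itself may contain ": " (mail subjects), so the path group is greedy and the
# verdict is anchored by the detection name, which never contains spaces.
DETECTION_RE = re.compile(
    r"^(?P<path>.+) (?P<verdict>Infected|Suspicious): (?P<name>\S+) (?P<action>\S+)$"
)
# Container summary line: "<path> Mail MS Mail: infected - 7, suspicious - 8 skipped"
# or "<path> ZIP: infected - 10 skipped".  Only the kinds seen in this report are listed.
SUMMARY_RE = re.compile(
    r"^(?P<path>.+) (?P<kind>Mail MS Mail|ZIP): infected - (?P<infected>\d+)"
    r"(?:, suspicious - (?P<suspicious>\d+))? (?P<action>\S+)$"
)


@dataclass
class Container:
    path: str                                      # file on disk: .pst, .zip or a plain file
    infected: int = 0                              # detection lines with verdict Infected
    suspicious: int = 0                            # detection lines with verdict Suspicious
    names: Set[str] = field(default_factory=set)   # distinct detection names
    reported: Optional[Tuple[int, int]] = None     # (infected, suspicious) from the summary


def container_of(path: str) -> str:
    """The Windows path up to the first '/', which is where archive members begin."""
    return path.split("/", 1)[0]


def parse_report(text: str) -> Dict[str, Container]:
    """Collapse scanner lines into one Container record per file on disk."""
    containers: Dict[str, Container] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            c = containers.setdefault(m["path"], Container(m["path"]))
            c.reported = (int(m["infected"]), int(m["suspicious"] or 0))
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue  # "Scan process completed." and other non-detection lines
        top = container_of(m["path"])
        c = containers.setdefault(top, Container(top))
        if m["verdict"] == "Infected":
            c.infected += 1
        else:
            c.suspicious += 1
        c.names.add(m["name"])
    return containers


def inconsistent(containers: Dict[str, Container]) -> List[str]:
    """Containers whose summary counts differ from the detection lines actually seen
    (a truncated or hand-edited report, or a line format the regexes did not recognise)."""
    return [c.path for c in containers.values()
            if c.reported is not None and c.reported != (c.infected, c.suspicious)]


def delete_list(containers: Dict[str, Container], roots: Tuple[str, ...]) -> List[str]:
    """Container files under the given roots (case-insensitive), as a removal checklist."""
    lowered = tuple(r.lower() for r in roots)
    return sorted(p for p in containers if p.lower().startswith(lowered))


# Constructed sample: same line format as the report quoted in this thread, shorter paths.
SAMPLE_REPORT = r"""
F:\VersionBackup\2007-09-18\Mail Outlook\mailbox.pst/Deleted Items/bounce.eml/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\2007-09-18\Mail Outlook\mailbox.pst/Deleted Items/bounce.eml/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\2007-09-18\Mail Outlook\mailbox.pst/Deleted Items/bounce.eml Infected: Email-Worm.Win32.NetSky.q skipped
F:\VersionBackup\2007-09-18\Mail Outlook\mailbox.pst/Deleted Items/Mail delivery failed: returni.eml/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\VersionBackup\2007-09-18\Mail Outlook\mailbox.pst Mail MS Mail: infected - 3, suspicious - 1 skipped
F:\VersionBackup\2007-09-18\site backup.zip/Sofus/gfx/upload/zehir3.asp Infected: Backdoor.ASP.Ace.bo skipped
F:\VersionBackup\2007-09-18\site backup.zip/Sofus/gfx/upload/bad.asp Infected: Backdoor.ASP.Ace.ai skipped
F:\VersionBackup\2007-09-18\site backup.zip ZIP: infected - 2 skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst/Deleted Items/offer.html Infected: Exploit.HTML.ObjData skipped
D:\Documents and Settings\Bruger 1\My Documents\Mail Outlook\mailbox.pst Mail MS Mail: infected - 2, suspicious - 0 skipped
Scan process completed.
"""

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for c in report.values():
        print(f"{c.path}\n  infected={c.infected} suspicious={c.suspicious} "
              f"reported={c.reported} names={sorted(c.names)}")
    print("count mismatch:", inconsistent(report))
    print("delete under F:\\VersionBackup:", delete_list(report, (r"F:\VersionBackup",)))
```

The last sample mailbox deliberately reports one more infection than the lines show, so `inconsistent()` flags it; on a real report that is the cue to re-read the raw lines rather than trust the collapsed summary.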


#13 Indiana

Indiana
  • Topic Starter

  • Members
  • 28 posts
  • Local time:08:41 PM

Posted 08 October 2007 - 06:30 AM

Thanks for finding support blogs for me.
I don't quite know which information I need from those, or how to use it.

----------------------------------------

I have tried to delete all backups of pst files on the external hard disc.
How do I make sure I got all the infected files?

When can I back up my original Outlook files again?

-----------------------------------------

I could not find the "Delete all offline content" checkbox.
Are you sure it exists in IE v7.0? (It is the Danish version.)
I could not find anything either when trying to use the Help function, searching for "Offline content".

------------------------------------------

When I'm running ComboFix, my antivirus (Panda) blocks "dangerous actions" twice: at the beginning and when it's finished.

It is also asking me to deny or allow an "Internet Explorer hijack attempt".
Should I allow or deny?
All of it is related to: Associated file: C:\WINDOWS\REGEDIT.exe

For example, when ComboFix is finished, Panda is blocking:
"Program: Registry Editor. Associated file: C:\WINDOWS\REGEDIT.EXE"

------------------------------------------

I suddenly remembered that I turned off "Automatic system restore" during your guide to malware removal.
Should I turn System Restore back on?

-------------------------------------------

I posted a HiJackThis scan log in the end.
Do you need this every time?

-------------------------------------------

ComboFix 07-10-06.5 - Bruger 1 2007-10-08 13:02:54.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.249 [GMT 2:00]
Running from: D:\Documents and Settings\Bruger 1\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Bruger 1\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\mi2.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mi2.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-07 00:53 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-07 00:53 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-07 00:27 <DIR> drahs---- C:\autorun.inf
2007-10-06 22:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-06 16:12 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-05 10:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-23 13:13 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-17 14:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-17 10:40 3,432 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-15 15:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-14 00:01 29,056 --a------ C:\WINDOWS\system32\drivers\ip6fw.sys
2007-09-14 00:01 29,056 --a------ C:\WINDOWS\system32\dllcache\ip6fw.sys
2007-09-13 19:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\InterVideo
2007-09-13 19:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple
2007-09-13 19:26 <DIR> d-------- C:\Program Files\QSynchronization
2007-09-13 19:26 <DIR> d-------- C:\Program Files\Easy2Sync for Outlook
2007-09-13 19:26 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-13 11:34 <DIR> d-------- C:\Program Files\Safer Networking
2007-09-13 00:07 <DIR> d-------- C:\Program Files\Microsoft AntiSpyware
2007-09-11 18:49 <DIR> d-------- C:\Program Files\Apple Software Update(2)
2007-09-11 15:14 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-10 12:18 <DIR> d-------- D:\Documents and Settings\Bruger 1\Application Data\Itsth
2007-09-10 01:05 53,248 --a------ C:\WINDOWS\system32\MMTray.exe
2007-09-10 01:05 224,256 --a------ C:\WINDOWS\system32\MMIJG32.dll
2007-09-10 01:05 <DIR> d-------- C:\Program Files\Morgan
2007-09-09 19:05 <DIR> d-------- C:\Program Files\3ivx
2007-09-09 17:57 26,136 --a------ C:\WINDOWS\system32\IVIresize.dll
2007-09-09 17:57 210,456 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2007-09-09 17:57 206,360 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2007-09-09 17:57 198,168 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2007-09-09 17:57 198,168 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2007-09-09 17:57 194,072 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2007-09-09 17:57 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2007-09-09 15:38 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-09-09 14:31 <DIR> d-------- D:\Documents and Settings\Bruger 1\Application Data\DivX
2007-09-09 14:26 <DIR> d-------- C:\Program Files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 12:48 23536 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-10-08 12:48 1132 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-10-07 22:53 737280 --a------ C:\WINDOWS\iun6002.exe
2007-10-07 22:51 --------- d-------- C:\Program Files\Mpeg2Decoder
2007-10-07 18:04 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-10-07 18:04 --------- d-------- C:\Program Files\VersionBackup
2007-10-07 18:04 --------- d-------- C:\Program Files\MSN Messenger
2007-10-06 17:37 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-09-27 00:59 --------- d-------- D:\Documents and Settings\Bruger 1\Application Data\Canon
2007-09-23 13:12 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-23 12:59 --------- d-------- C:\Program Files\Lavasoft
2007-09-15 13:15 --------- d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-13 23:46 --------- d-------- C:\Program Files\QuickTime
2007-09-13 19:25 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-13 00:19 --------- d-------- C:\Program Files\Google-Translator
2007-09-12 10:27 --------- d-------- C:\Program Files\Yahoo!
2007-09-12 10:02 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-12 10:02 --------- d-------- C:\Program Files\Ulead Systems
2007-09-12 09:59 --------- d-------- C:\Program Files\Common Files\Ulead Systems
2007-09-10 02:12 --------- d-------- C:\Program Files\TimeAdjuster
2007-09-10 01:13 --------- d-------- C:\Program Files\ffdshow
2007-09-09 18:52 --------- d-------- D:\Documents and Settings\Bruger 1\Application Data\Ulead Systems
2007-09-05 21:15 --------- d-------- C:\Program Files\Common Files\Mainconcept
2007-09-04 23:50 --------- d-------- C:\Program Files\Media Center Karaoke Plug-in
2007-08-27 16:33 --------- d-------- C:\Program Files\MSXML 6.0
2007-08-27 15:55 --------- d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-27 15:15 --------- d-------- D:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-08-27 14:34 --------- d-------- D:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-08-07 03:51 324320 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll
2007-08-07 03:51 1139488 --a------ C:\WINDOWS\system32\3ivx.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-27 01:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-27 01:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-19 08:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-13 01:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2004-08-09 23:30 40960 --a------ C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-06_22.22.10.14 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 213,048 2005-05-24 09:27:16 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
----a-w 94,208 2007-09-07 09:29:00 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
----a-w 946,176 2007-09-07 09:29:00 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
----a-w 20,992 2004-08-10 14:00:00 C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\hid.dll
----a-w 36,224 2004-08-03 21:08:20 C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\hidclass.sys
----a-w 19,200 2006-01-11 00:48:53 C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\hidir.sys
----a-w 24,960 2004-08-03 21:08:18 C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\hidparse.sys
----a-w 46,592 2006-01-11 00:48:58 C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\IrBus.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 16:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 16:00]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 15:56]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 19:07 C:\WINDOWS\system32\HdAShCut.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-08 17:55]
"ATIPTA"="C:\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 23:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 16:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 13:00]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-06-28 21:29]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 C:\WINDOWS\RTHDCPL.EXE]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 14:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:55]
"eyeBeam SIP Client"="C:\Program Files\CounterPath\X-Lite\x-lite.exe" [2007-06-05 08:52]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 16:00]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-05-12 13:24:41]
Adobe Reader Hurtigstart.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
VersionBackup.lnk - C:\Program Files\VersionBackup\VersionBackup.exe [2006-03-24 14:21:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2005-09-27 11:13 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 netflt;Panda Net Driver [NDIS Layer];C:\WINDOWS\system32\Drivers\NETFLT.SYS
R0 viaagp;VIA AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\viaagp.sys
R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\drivers\ShldDrv.sys
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
R3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys
S3 ZD1211U(Wireless);IEEE 802.11g USB Adapter Driver(Wireless);C:\WINDOWS\system32\DRIVERS\zd1211u.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-12 08:32:46 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2006-01-03 15:50:11 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2005-12-27 23:38:19 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-10-08 10:31:01 C:\WINDOWS\Tasks\Søg efter opdateringer til Windows Live Toolbar.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 13:07:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\aawservice]
"ImagePath"="\"C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe\""

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\viaagp]
"ImagePath"="system32\DRIVERS\viaagp.sys"
.
Completion time: 2007-10-08 13:09:57
C:\ComboFix-quarantined-files.txt ... 2007-10-08 13:09
C:\ComboFix2.txt ... 2007-10-07 00:47
C:\ComboFix3.txt ... 2007-10-06 22:48
.
--- E O F ---

-------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:29:51, on 08-10-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\apvxdwin.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CounterPath\X-Lite\x-lite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\VersionBackup\VBackRun.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\avciman.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimreal.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\CounterPath\X-Lite\x-lite.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VersionBackup.lnk = C:\Program Files\VersionBackup\VersionBackup.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188220863062
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/au...tdccsp-0506.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11266 bytes

--------------------------------------------
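The O4 lines in the HijackThis log above are the Run-key autostarts a helper reads by eye. The script below is an added example, not HijackThis's own code: it parses the `O4 - <hive>\..\Run: [name] command` line shape visible in the log, extracts the executable, and flags two things worth a second look: entries that name a bare file with no path (such as `RTHDCPL.EXE` and `HDAShCut.exe` above, which Windows resolves through the search path at logon, so a same-named file earlier in that path would win), and entries that run from a user-writable location such as a Temp folder. The sample log is constructed: four lines copied from the post plus one hypothetical `updater` entry that is not in the original log.

```python
"""Triage the O4 (Run-key autostart) lines of a HijackThis log.

Added example, not HijackThis's own code. It assumes the 'O4 - <hive>\..\Run:'
line shape seen in the log above; Global Startup O4 lines use a different
shape and are skipped here.
"""
import re
from dataclasses import dataclass

O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\')
# Locations a limited user can write to on XP; an autostart living there
# deserves a closer look, although it is not proof of anything on its own.
WRITABLE_MARKERS = ('\\temp\\', '\\local settings\\',
                    '\\application data\\', '\\recycler\\')


@dataclass
class RunEntry:
    hive: str
    name: str
    exe: str
    verdict: str   # 'ok', 'unresolved' or 'user-writable'


def classify(exe: str) -> str:
    """Bare names have no path and are found via search order at logon."""
    if not ABS_PATH_RE.match(exe):
        return 'unresolved'
    low = exe.lower()
    if any(marker in low for marker in WRITABLE_MARKERS):
        return 'user-writable'
    return 'ok'


def parse_o4(line: str):
    """Return a RunEntry for a Run-key O4 line, or None for any other line."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group('cmd').strip()
    em = EXE_RE.match(cmd)             # strip quotes and trailing switches
    exe = em.group('exe') if em else cmd
    return RunEntry(m.group('hive'), m.group('name'), exe, classify(exe))


def triage(log_text: str) -> list:
    return [e for e in map(parse_o4, log_text.splitlines()) if e is not None]


def verdicts(log_text: str) -> dict:
    """Map autostart name -> verdict, for quick review."""
    return {e.name: e.verdict for e in triage(log_text)}


# Constructed sample: four lines copied from the log above, plus one
# hypothetical 'updater' entry (not in the original log) in a Temp folder.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Bruger 1\Local Settings\Temp\updater.exe
O4 - Global Startup: VersionBackup.lnk = C:\Program Files\VersionBackup\VersionBackup.exe
"""

if __name__ == '__main__':
    for entry in triage(SAMPLE_LOG):
        print(f'{entry.verdict:14} {entry.hive:6} {entry.name!r:50} {entry.exe}')
```

An `unresolved` verdict is not a finding in itself (both bare names in this log belong to the Realtek audio driver), but it is the entry a helper checks against the actual file in `C:\WINDOWS` rather than trusting the name.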

#14 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 08 October 2007 - 08:16 AM

Hi,

The logs are clean.

Thanks for finding support blogs for me.
I don't quite know which information I need from those, or how to use it.

Are you still getting the error message, and when do you get it? Have you tried disconnecting the external drives?

You were infected via a flash drive/pen drive. You were asked to insert the pen drive during the ComboFix scan. Did you do that?

=====================================

I have tried to delete all backups of PST files on the external hard disk.
How do I make sure I got all the infected files?

When can I back up my original Outlook files again?


You can scan again with Kaspersky and see if it's still reporting them.

=====================================

I could not find the "Delete all offline content" checkbox.
Are you sure it exists in IE v7.0? (It is the Danish version.)
I could not find anything either when trying to use the Help function, searching for "Offline content".


That's OK.

=====================================

When I'm running ComboFix, my antivirus (Panda) blocks "dangerous actions" twice: at the beginning and when it's finished.
It is also asking me to deny or allow an "Internet Explorer hijack attempt".
Should I allow or deny?


ComboFix has a database of bad entries and your Panda is probably seeing them as a threat. Yes, you should allow it. Or better yet, disconnect from the internet and turn Panda off completely during the ComboFix scan. When done, you can turn it back on and reconnect to the internet.

======================================

I suddenly remembered that I turned off "Automatic system restore" during your guide to malware removal.
Should I turn System Restore back on?

I don't know where it says that, I'll check. But, yes please turn it on. Even a bad restore point is better than none.

=====================================

I posted a HiJackThis scan log in the end.
Do you need this every time?


Yes, just to make sure that nothing changed.

#15 Indiana

Indiana
  • Topic Starter

  • Members
  • 28 posts

Posted 08 October 2007 - 09:16 AM

The error message only occurs when I run Flash_Disinfector.
Do you want me to run that again?

--------------------------------------------------------

I was not asked to insert anything (not even a pen drive) when I ran ComboFix the last time!
Or did I miss it, and it continued without me doing anything?
(Both my external hard disk and USB pen are active and detected!)

Do you want me to run ComboFix again, and disconnect the LAN and turn off Panda?

----------------------------------------------------------

What about the fact that SaferScan did not appear in the "Add/Remove Programs" list?

----------------------------------------------------------

Sorry, my bad..... The System Restore disabling was in the guide for "McAfee AVERT Stinger", and it seems like it has automatically turned on again (by all the scans and programs we ran to clean and fix, I guess?).

-----------------------------------------------------------

I'm running an online Kaspersky scan again at this moment. I will send the log with the next reply.

-----------------------------------------------------------
