
Hjt Log Virtumonde


This topic is locked
16 replies to this topic

#1 dsdaddie

dsdaddie

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:17 AM

Posted 01 January 2008 - 09:03 PM

My Sony laptop is infected with Virtumonde. I've deleted it with Spybot, McAfee, Ad-Aware and VundoFix, but it shows up again after surfing. IE will slow, then won't open links, then XP loses functionality, e.g. no right-click options, applications fail to open. Reboot restores functionality but scans then show infection again. Please help. I ran Stinger before this log and it came back clean.


Please advise. Your help is greatly appreciated.
Jeff




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:31 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent .exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Apoint\Apoint .exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
C:\Program Files\Sony\HotKey Utility\HKserv .exe
C:\WINDOWS\system32\ezSP_Px .exe
C:\Program Files\mobile PhoneTools\WatchDog .exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1 .EXE
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch .exe
C:\WINDOWS\mrofinu1239 .exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni .exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Windows Media Player\WMPNSCFG .exe
C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqonl.exe
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1239.exe 61A847B5BBF72813309831466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF968951185EFC412806867680AEDE604D64C2661373FB12EADCD66A47
O4 - HKLM\..\Run: [40252847] rundll32.exe "C:\WINDOWS\system32\owgddksr.dll",b
O4 - HKCU\..\Run: [QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee.com\Shredder\SHRED32.EXE" /q C:\DOCUME~1\JEFFRO~1\LOCALS~1\TEMPOR~1\Content.SH! D:\TEMPOR~1\ANTIPH~1.SH! D:\TEMPOR~1\Content.SH!
O4 - Startup: PictureProject In Touch.lnk = C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 10984 bytes
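The HijackThis log above contains several entries that a log reviewer would pick out by eye: process and Run-key paths with whitespace between the base name and ".exe" (for example "qttask .exe" and "mrofinu1239 .exe"), a win.ini load= hook (the F3 line), a Run entry that hands a long hexadecimal blob to an executable in C:\WINDOWS, and a Run entry that starts rundll32.exe with a randomly named DLL from system32. The script below is an added example and not part of this thread or of HijackThis; it applies those four heuristics to HijackThis-style lines so the flags can be checked consistently. The sample input is a constructed subset of the log lines posted above plus two benign lines; the function and finding names are my own, and the heuristics only flag lines for review, they do not decide anything by themselves.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis log in this thread,
# plus benign lines (ctfmon.exe, Apoint, the Ad-Aware service) that must not be flagged.
SAMPLE_LOG = r'''
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\mrofinu1239 .exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\rqonl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1239.exe 61A847B5BBF72813309831466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF968951185EFC412806867680AEDE604D64C2661373FB12EADCD66A47
O4 - HKLM\..\Run: [40252847] rundll32.exe "C:\WINDOWS\system32\owgddksr.dll",b
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
'''


@dataclass
class Finding:
    """One log line plus the reason it was flagged (hypothetical type, my own)."""
    line: str
    reason: str


# Whitespace between a file's base name and its extension ("qttask .exe").
# Legitimate installers practically never name files this way.
SPACED_EXT = re.compile(r"\S[ \t]+\.(exe|dll|com|scr)\b", re.IGNORECASE)

# A run of 32 or more hex digits passed as an argument on an autostart entry.
HEX_BLOB = re.compile(r"\b[0-9A-Fa-f]{32,}\b")

# rundll32 loading a DLL by full path from an autostart entry.
RUNDLL32 = re.compile(r'rundll32(\.exe)?\s+"?([^"]+\.dll)"?', re.IGNORECASE)

# Legacy win.ini load=/run= autostart hooks (HijackThis reports these as F3).
WININI_HOOK = re.compile(r"\b(load|run)=", re.IGNORECASE)


def analyze_hjt(text: str) -> list[Finding]:
    """Return every line that trips at least one heuristic, with the reason."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SPACED_EXT.search(line):
            findings.append(Finding(line, "whitespace before file extension"))
        if line.startswith("F3 - ") and WININI_HOOK.search(line):
            findings.append(Finding(line, "win.ini load=/run= hook (legacy autostart)"))
        if line.startswith("O4 - "):
            match = RUNDLL32.search(line)
            if match:
                findings.append(Finding(line, f"autostart via rundll32 loading {match.group(2)}"))
            if HEX_BLOB.search(line):
                findings.append(Finding(line, "long hexadecimal argument on autostart entry"))
    return findings


def flagged_lines(text: str) -> list[str]:
    """Distinct flagged lines, in log order, for a quick review list."""
    seen: list[str] = []
    for finding in analyze_hjt(text):
        if finding.line not in seen:
            seen.append(finding.line)
    return seen


if __name__ == "__main__":
    for finding in analyze_hjt(SAMPLE_LOG):
        print(f"[{finding.reason}] {finding.line}")
```

Run it against a saved HijackThis log by reading the file into `analyze_hjt`; each flagged line still needs a human decision, which is exactly what the helper in this thread does when asking for the file to be submitted to an online scanner before anything is removed.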



#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:07:17 AM

Posted 02 January 2008 - 06:59 AM

Hi, welcome to Bleeping Computer Forums!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

:thumbsup:
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:07:17 AM

Posted 02 January 2008 - 11:15 AM

Hello,


Download ComboFix from Here or Here to your Desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.



Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\WINDOWS\system32\rqonl.exe
  • Click on the submit button
  • Please post the results in your next reply.
In your next reply, please post:
- A new HijackThis log.
- The results from ComboFix.
- The results from Jotti's malware scan.

#4 dsdaddie

dsdaddie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:17 AM

Posted 04 January 2008 - 09:25 AM

Sorry for the delay. I was watching for a new e-mail instead of watching the thread. Here are the latest results.
Thank you
jeff

ComboFix 08-01-04.1 - Jeff Robinson 2008-01-04 8:07:40.1 - NTFSx86
Running from: C:\Documents and Settings\Jeff Robinson\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\LogOnHook.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Temp\tpBe12
C:\WINDOWS\b148.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\setup.exe
C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
C:\WINDOWS\system32\aedoptoc.ini
C:\WINDOWS\system32\cotpodea.dll
C:\WINDOWS\system32\ezSP_Px .exe
C:\WINDOWS\system32\ineWc01
C:\WINDOWS\system32\jkkjkhi.dll
C:\WINDOWS\system32\lnoqr.ini
C:\WINDOWS\system32\lnoqr.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nrcqjlwm.dll
C:\WINDOWS\system32\owgddksr.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RCX40.tmp
C:\WINDOWS\system32\rqonl.dll
C:\WINDOWS\system32\rqonl.exe
C:\WINDOWS\system32\rskddgwo.ini
C:\WINDOWS\system32\rwwcngst.dll
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\system32\tgleubiy.dll
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\system32\wqiqejnw.dll
C:\WINDOWS\system32\yibuelgt.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 08:40 . 2008-01-04 08:40 9 --a------ C:\WINDOWS\system32\40253ac9
2008-01-04 08:39 . 2008-01-04 08:40 40,960 --a------ C:\WINDOWS\system32\ezSP_Px .exe
2008-01-04 08:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 17:44 . 2008-01-01 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 11:21 . 2007-12-31 11:21 <DIR> d-------- C:\VundoFix Backups
2007-12-30 20:38 . 2007-12-30 20:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-30 20:38 . 2007-12-30 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-28 17:53 . 2007-12-28 20:01 212,992 --a------ C:\WINDOWS\troy44 .exe
2007-12-28 17:53 . 2007-12-30 18:48 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-28 17:53 . 2007-12-28 17:53 0 --a------ C:\WINDOWS\VAIOUpdt .INI
2007-12-24 12:18 . 2007-12-24 12:18 9,662 --a------ C:\WINDOWS\EPISME00.SWB
2007-12-18 08:35 . 2008-01-04 08:27 <DIR> d-------- C:\Temp
2007-12-16 13:16 . 2007-12-21 15:23 2,932 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-14 18:39 . 2007-12-14 18:39 <DIR> d-------- C:\Program Files\SanDisk
2007-12-14 18:38 . 2007-12-14 18:38 <DIR> d-------- C:\Documents and Settings\Jeff Robinson\Application Data\InstallShield
2007-12-10 10:46 . 2007-12-11 09:21 23,817 --a------ C:\Documents and Settings\Jeff Robinson\Application Data\info.dat
2007-12-09 23:04 . 2007-12-09 23:04 1,345 --a------ C:\Documents and Settings\Jeff Robinson\xl10063.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 13:26 --------- d-----w C:\Program Files\QuickTime
2008-01-04 13:26 --------- d-----w C:\Program Files\mobile PhoneTools
2008-01-04 13:26 --------- d-----w C:\Program Files\Apoint
2008-01-04 12:15 --------- d-----w C:\Program Files\McAfee
2008-01-04 12:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-04 03:32 --------- d-----w C:\Program Files\Full Tilt Poker
2008-01-03 14:48 --------- d-----w C:\Program Files\jv16 PowerTools 2006
2007-12-31 01:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 20:57 --------- d-----w C:\Program Files\HomeTech42
2007-12-21 20:37 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-14 23:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-14 19:21 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-24 01:26 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2007-07-20 17:54 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-07-20 17:54 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
.
----a-w			39,792 2008-01-04 12:07:47  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   114,688 2008-01-04 12:06:49  C:\Program Files\Apoint\Apoint .exe
----a-w		   335,872 2008-01-04 12:07:08  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w			20,480 2008-01-04 12:08:32  C:\Program Files\McAfee\MBK\LogOnHook .exe
----a-w		 4,838,952 2008-01-04 12:09:04  C:\Program Files\McAfee\MBK\McAfeeDataBackup .exe
----a-w			81,920 2008-01-04 12:08:42  C:\Program Files\McAfee\McAfee QuickClean\Plguni .exe
----a-w		   582,992 2008-01-04 12:03:24  C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w			36,864 2008-01-04 12:07:39  C:\Program Files\mobile PhoneTools\WatchDog .exe
----a-w		   647,680 2008-01-04 12:02:46  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   647,680 2008-01-03 15:16:13  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   647,680 2008-01-01 23:58:02  C:\Program Files\QuickTime\qttask		.exe
----a-w		   647,680 2008-01-01 22:11:39  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   647,680 2008-01-01 16:48:24  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   647,680 2007-12-31 19:51:13  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   647,680 2007-12-31 16:51:45  C:\Program Files\QuickTime\qttask	.exe
----a-w		   647,680 2007-12-31 16:13:19  C:\Program Files\QuickTime\qttask   .exe
----a-w		   647,680 2007-12-31 03:39:51  C:\Program Files\QuickTime\qttask  .exe
----a-w		   647,680 2007-12-30 23:46:51  C:\Program Files\QuickTime\qttask .exe
----a-w			75,584 2008-01-04 12:08:32  C:\Program Files\SanDisk\Sansa Updater\SansaDispatch .exe
----a-w			35,992 2008-01-04 12:08:14  C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
----a-w			98,304 2008-01-04 12:07:19  C:\Program Files\Sony\HotKey Utility\HKserv .exe
----a-w		   167,936 2008-01-04 12:07:14  C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w		   135,168 2008-01-04 12:07:27  C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w		   204,288 2008-01-04 12:09:04  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w		   212,992 2007-12-29 01:01:39  C:\WINDOWS\troy44 .exe
----a-w			28,672 2008-01-04 12:07:34  C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w			15,360 2007-12-30 23:48:13  C:\WINDOWS\system32\ctfmon .exe
----a-w			48,640 2008-01-04 13:40:19  C:\WINDOWS\system32\ezSP_Px .exe
----a-w			99,840 2008-01-04 12:07:54  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1 .EXE


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickClean Imonitor"="C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe" [ ]
"Yahoo! Pager"="1" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="C:\Program Files\McAfee.com\Shredder\SHRED32.exe" [2005-07-15 00:51 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [ ]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [ ]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px .exe" [2008-01-04 08:40 48640]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [ ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [ ]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [ ]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [ ]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [ ]

C:\Documents and Settings\Jeff Robinson\Start Menu\Programs\Startup\
PictureProject In Touch.lnk - C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe [2005-03-21 17:30:34]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-22 11:42:13]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-07-19 19:52:51]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\rqonl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2005-12-18 21:35]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-03-12 16:32]
S2 0054871199448947mcinstcleanup;McAfee Application Installer Cleanup (0054871199448947);C:\WINDOWS\TEMP\005487~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe [2004-03-12 15:57]

*Newly Created Service* - 0054871199448947MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2006-08-02 13:32:11 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-01-01 06:02:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
"2005-08-11 17:05:25 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 08:40:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 8:48:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-04 13:48:12
.
2007-12-13 13:08:26 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:44 AM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\WINDOWS\system32\ezSP_Px .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqonl.exe
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee.com\Shredder\SHRED32.EXE" /q C:\DOCUME~1\JEFFRO~1\LOCALS~1\TEMPOR~1\Content.SH! D:\TEMPOR~1\ANTIPH~1.SH! D:\TEMPOR~1\Content.SH!
O4 - Startup: PictureProject In Touch.lnk = C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O23 - Service: McAfee Application Installer Cleanup (0054871199448947) (0054871199448947mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\005487~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 9970 bytes


Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


File: rqonl.exe
Status: INFECTED/MALWARE
MD5: 62368f668094e6c4066b9b7846a1df65
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 04 Jan 2008 14:16:14 (GMT)
A-Squared Found nothing
AntiVir Found ADSPY/Virtumonde.Cli.3
ArcaVir Found Adware.Virtumonde.Cli
Avast Found nothing
AVG Antivirus Found Dropper.Generic.THT
BitDefender Found Trojan.Dropper.Vundo.E
ClamAV Found W32.Prep-1
CPsecure Found nothing
Dr.Web Found Trojan.MulDrop.9328
F-Prot Antivirus Found W32/Virtumonde.OQ
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.cli (4, 1, 400)
Fortinet Found nothing
Ikarus Found not-a-virus:AdWare.Win32.Virtumonde.cli
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.cli
NOD32 Found Win32/Adware.Virtumonde.CLI application
Norman Virus Control Found W32/Vundo.AX
Panda Antivirus Found nothing
Rising Antivirus Found Worm.Win32.Vadar.h
Sophos Antivirus Found W32/VirtInf-A
VirusBuster Found Win32.Trats.B
VBA32 Found AdWare.Win32.Virtumonde.cli

#5 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:07:17 AM

Posted 07 January 2008 - 04:45 AM

Hello,

Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

Full Tilt Poker
- Read more about that: here.


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.bleepingcomputer.com/forums/index.php?showtopic=123733&st=0&gopid=700820&#entry700820

Collect::[4]
C:\WINDOWS\troy44 .exe
C:\Documents and Settings\Jeff Robinson\xl10063.exe
C:\WINDOWS\system32\rqonl.exe

RENV::
----a-w			39,792 2008-01-04 12:07:47  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   114,688 2008-01-04 12:06:49  C:\Program Files\Apoint\Apoint .exe
----a-w		   335,872 2008-01-04 12:07:08  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w			20,480 2008-01-04 12:08:32  C:\Program Files\McAfee\MBK\LogOnHook .exe
----a-w		 4,838,952 2008-01-04 12:09:04  C:\Program Files\McAfee\MBK\McAfeeDataBackup .exe
----a-w			81,920 2008-01-04 12:08:42  C:\Program Files\McAfee\McAfee QuickClean\Plguni .exe
----a-w		   582,992 2008-01-04 12:03:24  C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w			36,864 2008-01-04 12:07:39  C:\Program Files\mobile PhoneTools\WatchDog .exe
----a-w		   647,680 2008-01-04 12:02:46  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   647,680 2008-01-03 15:16:13  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   647,680 2008-01-01 23:58:02  C:\Program Files\QuickTime\qttask		.exe
----a-w		   647,680 2008-01-01 22:11:39  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   647,680 2008-01-01 16:48:24  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   647,680 2007-12-31 19:51:13  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   647,680 2007-12-31 16:51:45  C:\Program Files\QuickTime\qttask	.exe
----a-w		   647,680 2007-12-31 16:13:19  C:\Program Files\QuickTime\qttask   .exe
----a-w		   647,680 2007-12-31 03:39:51  C:\Program Files\QuickTime\qttask  .exe
----a-w		   647,680 2007-12-30 23:46:51  C:\Program Files\QuickTime\qttask .exe
----a-w			75,584 2008-01-04 12:08:32  C:\Program Files\SanDisk\Sansa Updater\SansaDispatch .exe
----a-w			35,992 2008-01-04 12:08:14  C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
----a-w			98,304 2008-01-04 12:07:19  C:\Program Files\Sony\HotKey Utility\HKserv .exe
----a-w		   167,936 2008-01-04 12:07:14  C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w		   135,168 2008-01-04 12:07:27  C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w		   204,288 2008-01-04 12:09:04  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w		   212,992 2007-12-29 01:01:39  C:\WINDOWS\troy44 .exe
----a-w			28,672 2008-01-04 12:07:34  C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w			15,360 2007-12-30 23:48:13  C:\WINDOWS\system32\ctfmon .exe
----a-w			48,640 2008-01-04 13:40:19  C:\WINDOWS\system32\ezSP_Px .exe
----a-w			99,840 2008-01-04 12:07:54  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1 .EXE
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



Please do an online scan with Kaspersky WebScanner

Click on Posted Image

You will be prompted to install an ActiveX component from Kaspersky, Click Posted Image
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Posted Image
  • Now click on Posted Image
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click Posted Image
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post, along with a new HijackThis log. Also let me know how your computer is running.
In your next reply, please post:
  • A new HijackThis log
  • The results from RenV
  • The results from ComboFix
  • The results from Kaspersky online scanner.
Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
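
The RenV listing and the `qttask .exe` autostart entry above show the look-alike naming this infection used: a copy of a legitimate executable saved with whitespace before the extension, so the Run key value still reads "QuickTime Task" while the file it launches is the impostor. The script below is an added example for this thread, not code from HijackThis, ComboFix or RenV; it parses HijackThis O4 lines and RenV-style listings (the sample lines are constructed in those formats, not copied from the logs) and groups every spaced variant under the legitimate path it imitates, which is the check a defender would run over such a log before deciding what to collect.

```python
"""Flag look-alike executables whose file name carries whitespace before the
extension ("qttask .exe" next to the real "qttask.exe"), as seen in the
HijackThis O4 entries and the RenV listing in this thread.

Added example for this thread, not code from HijackThis, ComboFix or RenV.
The sample log lines below are constructed in those tools' output formats.
"""
import re
from collections import defaultdict

# Constructed sample: three HijackThis O4 autostart entries (one launching a
# spaced look-alike) and four RenV-style lines (attributes, size, timestamp,
# path). All four RenV paths carry whitespace before ".exe".
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
----a-w           647,680 2008-01-04 12:02:46  C:\Program Files\QuickTime\qttask     .exe
----a-w           647,680 2007-12-30 23:46:51  C:\Program Files\QuickTime\qttask .exe
----a-w            15,360 2007-12-30 23:48:13  C:\WINDOWS\system32\ctfmon .exe
----a-w           212,992 2007-12-29 01:01:39  C:\WINDOWS\troy44 .exe
'''

# A drive-letter path whose last component has one or more spaces or tabs
# between the base name and an executable extension. The path may be bare or
# double-quoted and may be followed by command-line switches.
_SPACED_EXT = re.compile(
    r'([A-Za-z]:\\[^"\r\n]*?[^\s"\\])(\s+)(\.(?:exe|dll|com|scr|sys))(?=["\s]|$)',
    re.IGNORECASE,
)

# HijackThis O4 line: "O4 - <hive\..\key>: [<value name>] <command line>"
_O4_LINE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$')


def spaced_extensions(line: str) -> list[tuple[str, str]]:
    """Return (as_seen, imitated) pairs for every look-alike path on a line.

    `imitated` is the path with the whitespace removed, i.e. the legitimate
    file the spaced copy is pretending to be.
    """
    return [(m.group(0), m.group(1) + m.group(3)) for m in _SPACED_EXT.finditer(line)]


def scan_log(text: str) -> dict[str, list[str]]:
    """Group every spaced variant found in `text` under the path it shadows."""
    report: dict[str, list[str]] = defaultdict(list)
    for line in text.splitlines():
        for seen, imitated in spaced_extensions(line):
            report[imitated].append(seen)
    return dict(report)


def autostart_lookalikes(text: str) -> list[dict[str, str]]:
    """HijackThis O4 entries whose command launches a spaced look-alike.

    These matter most: the Run-key value name looks legitimate ("QuickTime
    Task") while the file it starts is the impostor.
    """
    hits = []
    for line in text.splitlines():
        m = _O4_LINE.match(line)
        if not m:
            continue
        for seen, imitated in spaced_extensions(m.group('cmd')):
            hits.append({'key': m.group('key'), 'value': m.group('value'),
                         'seen': seen, 'imitated': imitated})
    return hits


if __name__ == '__main__':
    for imitated, variants in scan_log(SAMPLE_LOG).items():
        print(f'{imitated}: {len(variants)} look-alike(s)')
        for v in variants:
            print(f'    {v!r}')
    for hit in autostart_lookalikes(SAMPLE_LOG):
        print(f"autostart {hit['key']} [{hit['value']}] runs {hit['seen']!r} "
              f"instead of {hit['imitated']!r}")
```

Run against a real HijackThis or RenV log by replacing SAMPLE_LOG with the file contents; anything reported by autostart_lookalikes is the entry to look at first, since that copy is the one actually executing at logon.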

#6 dsdaddie

dsdaddie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:17 AM

Posted 08 January 2008 - 07:27 AM

Thanks again for your assistance.

I removed the full tilt software.

I dropped the CFScript into the ComboFix and will attach the log.

After the reboot I had an error message "Rundll not found" that kept recurring every 15 seconds until I used the task manager to stop it. Also missing some files from McAfee Sec Suite. It says it must be reloaded. None of my special function keys work. My mousepad won't scroll. Keyboard seems to skip keystrokes.

The situation led me to install a Seagate ext. HD and back up all data again. Sorry about that. I won't do anything again without your direction.

I used the ATF-Cleaner. I'll run another HJT. I'll attach the logs.

I don't know what a RenV is. Did I miss something?

Thanks again


ComboFix 08-01-04.1 - Jeff Robinson 2008-01-07 7:59:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.145 [GMT -5:00]
Running from: C:\Documents and Settings\Jeff Robinson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff Robinson\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\MBK\LogOnHook.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ajfhnewc.dll
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\cwenhfja.ini
C:\WINDOWS\system32\ezSP_Px .exe
C:\WINDOWS\system32\lnoqr.ini
C:\WINDOWS\system32\lnoqr.ini2
C:\WINDOWS\system32\owwhntks.dll
C:\WINDOWS\system32\rqonl.dll
C:\WINDOWS\system32\rqonl.exe
C:\WINDOWS\troy44 .exe

<pre>
"C:\Program Files\McAfee\MBK\LogOnHook .exe" replaces infected copy of "C:\Program Files\McAfee\MBK\LogOnHook.exe"
"C:\Program Files\McAfee\MBK\McAfeeDataBackup .exe" replaces infected copy of "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
"C:\WINDOWS\system32\ctfmon .exe" moved to QooBox
</pre>
.
.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-07 08:16 . 2008-01-07 08:16 319 --ahs---- C:\WINDOWS\system32\lnoqr.ini
2008-01-04 19:59 . 2008-01-04 19:59 <DIR> d-------- C:\Program Files\Seagate
2008-01-04 19:16 . 2008-01-04 19:23 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-04 08:40 . 2008-01-04 08:40 9 --a------ C:\WINDOWS\system32\40253ac9
2008-01-04 08:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 17:44 . 2008-01-01 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 11:21 . 2007-12-31 11:21 <DIR> d-------- C:\VundoFix Backups
2007-12-30 20:38 . 2007-12-30 20:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-30 20:38 . 2007-12-30 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-28 17:53 . 2007-12-28 17:53 0 --a------ C:\WINDOWS\VAIOUpdt .INI
2007-12-24 12:18 . 2007-12-24 12:18 9,662 --a------ C:\WINDOWS\EPISME00.SWB
2007-12-18 08:35 . 2008-01-04 08:27 <DIR> d-------- C:\Temp
2007-12-16 13:16 . 2007-12-21 15:23 2,932 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-14 18:39 . 2007-12-14 18:39 <DIR> d-------- C:\Program Files\SanDisk
2007-12-14 18:38 . 2007-12-14 18:38 <DIR> d-------- C:\Documents and Settings\Jeff Robinson\Application Data\InstallShield
2007-12-10 10:46 . 2007-12-11 09:21 23,817 --a------ C:\Documents and Settings\Jeff Robinson\Application Data\info.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-07 13:07 --------- d-----w C:\Program Files\QuickTime
2008-01-07 13:07 --------- d-----w C:\Program Files\Apoint
2008-01-07 12:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 12:43 --------- d-----w C:\Program Files\Nikon
2008-01-07 12:42 --------- d-----w C:\Program Files\Common Files\Nikon
2008-01-07 12:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-01-07 00:23 --------- d-----w C:\Program Files\McAfee
2008-01-05 00:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 13:26 --------- d-----w C:\Program Files\mobile PhoneTools
2008-01-04 12:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-03 14:48 --------- d-----w C:\Program Files\jv16 PowerTools 2006
2007-12-21 20:57 --------- d-----w C:\Program Files\HomeTech42
2007-12-21 20:37 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-14 19:21 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-24 01:26 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2007-07-20 17:54 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-07-20 17:54 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
.
<pre>
----a-w			81,920 2008-01-04 12:08:42  C:\Program Files\McAfee\McAfee QuickClean\Plguni .exe
----a-w		   582,992 2008-01-06 16:32:32  C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w			36,864 2008-01-04 12:07:39  C:\Program Files\mobile PhoneTools\WatchDog .exe
----a-w			75,584 2008-01-04 12:08:32  C:\Program Files\SanDisk\Sansa Updater\SansaDispatch .exe
----a-w			35,992 2008-01-04 12:08:14  C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
----a-w			98,304 2008-01-04 12:07:19  C:\Program Files\Sony\HotKey Utility\HKserv .exe
----a-w		   167,936 2008-01-04 12:07:14  C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w		   135,168 2008-01-04 12:07:27  C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w		   204,288 2008-01-04 12:09:04  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w			28,672 2008-01-04 12:07:34  C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w			48,640 2008-01-07 13:16:29  C:\WINDOWS\system32\ezSP_Px .exe
----a-w			99,840 2008-01-04 12:07:54  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1 .EXE
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-04_ 8.47.37.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-06 16:20:04 68,608 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2008-01-06 16:20:40 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2008-01-06 16:20:42 4,308,992 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-01-06 16:20:47 482,304 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-01-06 16:20:30 2,902,016 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2008-01-06 16:19:32 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-01-06 16:19:32 114,176 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2008-01-06 16:21:03 260,096 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2008-01-06 16:20:13 5,156,864 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-01-06 16:20:00 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2008-01-06 16:19:30 507,904 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2008-01-06 16:19:44 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2008-01-06 16:20:35 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-01-06 16:20:37 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-01-06 16:20:38 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2008-01-06 16:19:49 413,696 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2008-01-06 16:19:53 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2008-01-06 16:19:55 647,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2008-01-06 16:19:59 73,728 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2008-01-06 16:19:46 749,568 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-01-06 16:21:10 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2008-01-06 16:21:08 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2008-01-06 16:19:22 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2008-01-06 16:21:07 667,648 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-01-06 16:21:12 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2008-01-06 16:19:28 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-01-06 16:19:24 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2008-01-06 16:19:26 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2008-01-06 16:20:55 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2008-01-06 16:20:05 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2008-01-06 16:20:56 413,696 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2008-01-06 16:20:49 716,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2008-01-06 16:19:38 888,832 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2008-01-06 16:20:33 5,001,216 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-01-06 16:20:08 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2008-01-06 16:20:07 397,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-01-06 16:20:10 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2008-01-06 16:21:00 577,536 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-01-06 16:20:50 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-01-06 16:21:02 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-01-06 16:20:52 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-01-06 16:20:53 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-01-06 16:20:02 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-01-06 16:20:12 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-01-06 16:21:05 835,584 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2008-01-06 16:20:17 86,016 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-01-06 16:20:18 823,296 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-01-06 16:20:21 5,152,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-01-06 16:20:23 2,027,520 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2008-01-06 16:20:58 2,940,928 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-01-06 16:28:38 26,624 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\a9cbdd63507da5bf972ce99a0d3cf83e\Accessibility.ni.dll
+ 2008-01-06 16:28:40 888,832 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\72c5e12621a48ca07d73c8a02378bff2\AspNetMMCExt.ni.dll
+ 2008-01-06 16:28:42 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\7090bcee88103335b28c84a4eb3dabb6\CustomMarshalers.ni.dll
+ 2008-01-06 16:28:41 15,360 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\3b6feafcebe87b5424716fdd1b74fef6\dfsvc.ni.exe
+ 2008-01-06 16:28:49 880,640 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\afa35200f555b662ebccd1b87a59f8e8\Microsoft.Build.Engine.ni.dll
+ 2008-01-06 16:28:51 81,920 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\9d07e927a713659c30dd1cf0d5fdd37a\Microsoft.Build.Framework.ni.dll
+ 2008-01-06 16:29:02 1,687,552 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\1d47fdf0df4689c49d7c8deaa9704685\Microsoft.Build.Tasks.ni.dll
+ 2008-01-06 16:29:09 163,840 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\7bd18c7721b488380b5ac901ff100f3c\Microsoft.Build.Utilities.ni.dll
+ 2008-01-06 16:37:47 1,720,320 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\ab3a8acf60f6e410b553b9d26c1912a0\Microsoft.VisualBasic.ni.dll
+ 2008-01-06 16:24:23 11,304,960 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e44b2b9eaeac698233fbf295729c9a8e\mscorlib.ni.dll
+ 2008-01-06 16:38:02 1,003,520 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\faf60edbfa148791dd8f50d7f6338847\System.Configuration.ni.dll
+ 2008-01-06 16:25:56 6,676,480 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\0ecb0cd2738d09a50d9ecd597b638f15\System.Data.ni.dll
+ 2008-01-06 16:38:14 1,724,416 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\a7f35417892c160889c57ed490550f16\System.Deployment.ni.dll
+ 2008-01-06 16:26:23 10,702,848 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Design\d6734ab03d54d7e6abe98e81e45a3d13\System.Design.ni.dll
+ 2008-01-06 16:38:35 1,216,512 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\00baeeb4693e760c8ac2fe2aa0145f72\System.DirectoryServices.ni.dll
+ 2008-01-06 16:38:50 512,000 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\d3ef031376f4aab5e05f4d55753f1591\System.DirectoryServices.Protocols.ni.dll
+ 2008-01-06 16:26:29 229,376 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\0b8f201864a4d17e457ef146f9655a1a\System.Drawing.Design.ni.dll
+ 2008-01-06 16:26:27 1,601,536 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\947e85a0d127663f00640818b859cad7\System.Drawing.ni.dll
+ 2008-01-06 16:39:04 659,456 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\839824f38b152a7265490c6cd231923d\System.EnterpriseServices.ni.dll
+ 2008-01-06 16:39:04 294,912 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\839824f38b152a7265490c6cd231923d\System.EnterpriseServices.Wrapper.dll
+ 2008-01-06 16:39:11 729,088 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\fec5678ed4d9fd689e75fd4f785fd1b7\System.Security.ni.dll
+ 2008-01-06 16:39:18 684,032 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\5cfb0b03fa2f363369f0098e53d6f1a6\System.Transactions.ni.dll
+ 2008-01-06 22:16:24 2,306,048 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\f77d468508114ff8b79da5a9eb014d47\System.Web.Mobile.ni.dll
+ 2008-01-06 22:16:27 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\2b68c943b142af188b14f46bcd0ffc94\System.Web.RegularExpressions.ni.dll
+ 2008-01-06 22:16:32 1,941,504 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\2d1055496176480f6b07f027f2783826\System.Web.Services.ni.dll
+ 2008-01-06 16:40:29 12,185,600 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\fd8ced7c6c4ce9063a509bbd4204da96\System.Web.ni.dll
+ 2008-01-06 16:26:52 13,107,200 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\585221fb87d335d2ad0562d30c45587a\System.Windows.Forms.ni.dll
+ 2008-01-06 16:27:04 5,623,808 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\d829fd1c28f99016cffbd27a7d19d0e5\System.Xml.ni.dll
+ 2008-01-06 16:25:25 8,130,560 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\00e79a3ef0cf44c48a9bfa8b8eb01f16\System.ni.dll
+ 2008-01-06 16:29:20 1,408,316 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP158.tmp\Microsoft.VisualBasic.dll
+ 2008-01-05 00:59:19 7,680 ----a-r C:\WINDOWS\Installer\{98613C99-1399-416C-A07C-1EE1C585D872}\Icon98613C99.exe
- 2003-02-20 23:09:46 57,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\NETFXSBS10.exe
+ 2005-09-23 12:28:52 72,704 ----a-w C:\WINDOWS\Microsoft.NET\Framework\NETFXSBS10.exe
- 2003-02-20 23:09:32 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp10.dll
+ 2005-09-23 12:28:52 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp10.dll
+ 2005-09-23 12:28:56 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2005-09-23 12:28:58 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2005-09-23 12:28:56 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\SharedReg12.dll
- 2003-02-20 22:43:50 131,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscormmc.dll
+ 2005-09-23 12:28:52 86,528 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscormmc.dll
+ 2005-09-23 12:28:36 18,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\alinkui.dll
+ 2005-09-23 12:28:42 136,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\cscompui.dll
+ 2005-09-23 12:28:44 4,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll
+ 2005-09-23 12:29:04 183,808 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\vbc7ui.dll
+ 2005-09-23 12:28:28 208,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\Vsavb7rtUI.dll
+ 2005-09-23 12:28:56 10,752 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Accessibility.dll
+ 2005-09-23 12:28:58 138,240 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AdoNetDiag.dll
+ 2005-09-23 12:28:36 87,552 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\alink.dll
+ 2007-04-13 08:21:18 58,712 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
+ 2005-09-23 12:28:32 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
+ 2007-04-13 08:20:52 10,752 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll
+ 2007-04-13 08:20:52 8,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll
+ 2007-04-13 08:20:52 23,552 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet_perf.dll
+ 2007-04-13 08:20:50 75,264 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_rc.dll
+ 2005-09-23 12:28:32 13,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
+ 2007-04-13 08:20:52 32,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
+ 2005-09-23 12:28:32 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
+ 2007-04-13 08:20:52 33,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
+ 2007-04-13 08:20:52 32,600 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2007-04-13 08:20:52 507,904 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AspNetMMCExt.dll
+ 2005-09-23 12:28:56 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
+ 2007-04-13 08:21:16 88,576 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CORPerfMonExt.dll
+ 2005-09-23 12:28:42 76,984 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe
+ 2005-09-23 12:28:42 1,144,832 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscomp.dll
+ 2005-09-23 12:28:42 13,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll
+ 2005-09-23 12:28:58 17,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Culture.dll
+ 2005-09-23 12:28:56 68,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CustomMarshalers.dll
+ 2005-09-23 12:28:44 31,936 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
+ 2005-09-23 12:28:38 52,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfdll.dll
+ 2007-04-13 08:20:58 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
+ 2005-09-23 12:29:12 547,840 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
+ 2005-09-23 12:28:56 788,992 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll
+ 2005-09-23 12:28:50 9,216 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\fusion.dll
+ 2007-04-13 08:21:16 9,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
+ 2005-09-23 12:28:56 8,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IEExecRemote.dll
+ 2005-09-23 12:28:56 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IEHost.dll
+ 2005-09-23 12:28:56 5,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IIEHost.dll
+ 2007-04-13 08:21:16 228,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
+ 2007-04-13 08:21:16 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
+ 2005-09-23 12:28:56 55,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallUtilLib.dll
+ 2005-09-23 12:28:56 72,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ISymWrapper.dll
+ 2005-09-23 12:28:48 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\jsc.exe
+ 2005-09-23 12:01:16 609,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
+ 2005-09-23 11:29:48 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1025.dll
+ 2005-09-23 11:32:24 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1028.dll
+ 2005-09-23 11:34:10 82,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1029.dll
+ 2005-09-23 11:34:12 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1030.dll
+ 2005-09-23 11:34:44 85,504 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1031.dll
+ 2005-09-23 11:36:24 87,552 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1032.dll
+ 2005-09-23 08:46:14 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1033.dll
+ 2005-09-23 11:38:26 81,408 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1035.dll
+ 2005-09-23 11:38:52 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1036.dll
+ 2005-09-23 11:40:30 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1037.dll
+ 2005-09-23 11:40:32 83,968 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1038.dll
+ 2005-09-23 11:40:56 84,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1040.dll
+ 2005-09-23 11:42:58 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1041.dll
+ 2005-09-23 11:44:58 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1042.dll
+ 2005-09-23 11:46:38 83,456 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1043.dll
+ 2005-09-23 11:46:38 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1044.dll
+ 2005-09-23 11:46:40 83,456 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1045.dll
+ 2005-09-23 11:47:04 82,432 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1046.dll
+ 2005-09-23 11:47:30 82,432 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1049.dll
+ 2005-09-23 11:47:32 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1053.dll
+ 2005-09-23 11:47:32 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1055.dll
+ 2005-09-23 11:30:18 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.2052.dll
+ 2005-09-23 11:47:06 84,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.2070.dll
+ 2005-09-23 11:29:50 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.3076.dll
+ 2005-09-23 11:36:48 85,504 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.3082.dll
+ 2005-09-23 12:57:06 245,408 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\unicows.dll
+ 2007-04-13 08:21:10 413,696 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Engine.dll
+ 2005-09-23 12:28:48 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Framework.dll
+ 2007-04-13 08:21:10 647,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Tasks.dll
+ 2005-09-23 12:28:48 73,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Utilities.dll
+ 2007-04-13 08:21:08 749,568 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.dll
+ 2005-09-23 12:29:10 110,592 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2005-09-23 12:29:10 372,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.dll
+ 2005-09-23 12:29:08 667,648 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.dll
+ 2005-09-23 12:28:30 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
+ 2005-09-23 12:29:10 5,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualC.Dll
+ 2005-09-23 12:28:30 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
+ 2005-09-23 12:28:30 12,800 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2005-09-23 12:28:30 7,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft_VsaVb.dll
+ 2007-04-13 08:20:52 87,040 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MmcAspExt.dll
+ 2005-09-23 12:28:48 69,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
+ 2007-04-13 08:21:18 802,304 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2005-09-23 12:28:56 73,216 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordbc.dll
+ 2005-09-23 12:28:56 288,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll
+ 2007-04-13 08:21:16 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorie.dll
+ 2007-04-13 08:21:16 326,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
+ 2005-09-23 12:28:56 81,408 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorld.dll
+ 2007-04-13 08:21:16 4,308,992 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2007-04-13 08:21:16 102,912 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorpe.dll
+ 2005-09-23 12:29:00 330,752 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
+ 2005-09-23 12:28:56 67,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
+ 2005-09-23 12:28:50 9,216 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsn.dll
+ 2007-04-13 08:21:18 227,328 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvc.dll
+ 2007-04-13 08:21:18 68,952 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
+ 2005-09-23 12:28:56 10,240 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscortim.dll
+ 2007-04-13 08:21:12 5,634,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2005-09-23 12:29:00 22,528 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MUI\0409\mscorsecr.dll
+ 2007-04-13 08:21:16 99,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ngen.exe
+ 2007-04-13 08:21:18 15,360 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\normalization.dll
+ 2005-09-23 12:28:56 78,336 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\PerfCounter.dll
+ 2007-04-13 08:21:12 136,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\peverify.dll
+ 2005-09-23 12:28:56 53,248 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
+ 2005-09-23 12:28:56 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
+ 2005-09-23 12:29:02 59,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe
+ 2005-09-23 12:28:58 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\sbscmp20_mscorlib.dll
+ 2005-09-23 12:28:56 107,520 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\shfusion.dll
+ 2005-09-23 12:29:00 85,504 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ShFusRes.dll
+ 2007-04-13 08:21:18 382,464 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\SOS.dll
+ 2007-04-13 08:21:18 110,592 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\sysglobl.dll
+ 2007-04-13 08:21:18 413,696 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.configuration.dll
+ 2005-09-23 12:28:56 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Configuration.Install.dll
+ 2007-04-13 08:21:16 2,902,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Data.dll
+ 2007-04-13 08:21:18 482,304 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Data.OracleClient.dll
+ 2007-04-13 08:21:18 716,800 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Data.SqlXml.dll
+ 2007-04-13 08:20:58 888,832 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Deployment.dll
+ 2007-04-13 08:21:16 5,001,216 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Design.dll
+ 2005-09-23 12:28:56 397,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.dll
+ 2007-04-13 08:21:18 188,416 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.Protocols.dll
+ 2007-04-13 08:21:16 2,940,928 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.dll
+ 2005-09-23 12:28:56 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Drawing.Design.dll
+ 2007-04-13 08:21:16 577,536 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Drawing.dll
+ 2007-04-13 08:21:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.dll
+ 2007-04-13 08:21:18 47,616 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Thunk.dll
+ 2007-04-13 08:21:18 114,176 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Wrapper.dll
+ 2007-04-13 08:21:16 372,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Management.dll
+ 2005-09-23 12:28:56 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Messaging.dll
+ 2007-04-13 08:21:16 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Remoting.dll
+ 2005-09-23 12:28:56 131,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Serialization.Formatters.Soap.dll
+ 2005-09-23 12:28:56 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Security.dll
+ 2005-09-23 12:28:56 114,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.ServiceProcess.dll
+ 2007-04-13 08:21:18 260,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Transactions.dll
+ 2007-04-13 08:21:16 5,156,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2005-09-23 12:28:56 835,584 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.Mobile.dll
+ 2005-09-23 12:28:56 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.RegularExpressions.dll
+ 2005-09-23 12:28:56 823,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.Services.dll
+ 2007-04-13 08:21:16 5,152,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
+ 2007-04-13 08:21:16 2,027,520 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
+ 2005-09-23 12:28:56 71,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\TLBREF.DLL
+ 2007-04-13 08:21:28 1,166,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
+ 2007-04-13 08:20:50 1,330,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\VsaVb7rt.dll
+ 2007-04-13 08:20:52 406,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\webengine.dll
+ 2005-09-23 12:28:56 28,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll
- 2008-01-04 12:08:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-07 12:21:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-04 12:08:59 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-07 12:21:30 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-09-23 12:28:38 83,456 ----a-w C:\WINDOWS\system32\dfshim.dll
- 2007-07-20 12:46:39 251,088 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-01-07 13:14:16 241,536 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2006-12-22 16:28:14 271,360 ----a-w C:\WINDOWS\system32\mscoree.dll
+ 2007-04-13 08:21:14 271,360 ----a-w C:\WINDOWS\system32\mscoree.dll
- 2004-07-15 03:34:06 16,896 ----a-w C:\WINDOWS\system32\mscorier.dll
+ 2005-09-23 12:28:52 150,016 ----a-w C:\WINDOWS\system32\mscorier.dll
- 2003-02-20 23:09:14 106,496 ----a-w C:\WINDOWS\system32\mscories.dll
+ 2005-09-23 12:28:52 74,240 ----a-w C:\WINDOWS\system32\mscories.dll
- 2007-12-13 22:19:30 67,300 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-06 16:21:58 76,880 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-13 22:19:30 453,444 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-06 16:21:58 474,158 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-07 13:19:40 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_fd4.dat
+ 2005-09-23 12:29:16 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
+ 2005-09-23 12:29:16 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
+ 2005-09-23 12:29:16 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
+ 2008-01-06 16:19:32 258,048 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2008-01-06 16:19:32 114,176 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickClean Imonitor"="C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe" [ ]
"Yahoo! Pager"="1" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="C:\Program Files\McAfee.com\Shredder\SHRED32.exe" [2005-07-15 00:51 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [ ]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [ ]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px .exe" [2008-01-07 08:16 48640]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [ ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [ ]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2008-01-07 08:16 4866560]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2008-01-07 08:16 26112]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\rqonl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2005-12-18 21:35]
S2 0243111199665433mcinstcleanup;McAfee Application Installer Cleanup (0243111199665433);C:\WINDOWS\TEMP\024311~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []

*Newly Created Service* - 0243111199665433MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2006-08-02 13:32:11 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-01-01 06:02:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
"2005-08-11 17:05:25 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 08:16:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\rqonl.dll
.
Completion time: 2008-01-07 8:24:29 - machine was rebooted [Jeff Robinson]
ComboFix-quarantined-files.txt 2008-01-07 13:24:22
ComboFix2.txt 2008-01-04 13:48:20
.
2008-01-06 16:23:41 --- E O F ---
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 08, 2008 7:19:07 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/01/2008
Kaspersky Anti-Virus database records: 504024
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 83988
Number of viruses found: 9
Number of infected objects: 314
Number of suspicious objects: 0
Duration of the scan process: 02:06:21

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{4355EE27-BCC9-456A-A1C5-2C218F79B49F}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR12.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.mdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\VAIO Entertainment Platform\1.0\VzCdb\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\VAIO Entertainment Platform\1.0\VzCdb\MtData.mdb Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Desktop\[4]-Submit_2008-01-07@7.58.zip/rqonl.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Jeff Robinson\Desktop\[4]-Submit_2008-01-07@7.58.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Application Data\ApplicationHistory\McAfeeDataBackup .exe.53ee5a1c.ini.inuse Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\History\History.IE5\MSHist012008010720080108\index.dat Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Temp\sqlite_78lbyQw5KZy9rQl Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Temp\~DF4FED.tmp Object is locked skipped
C:\Documents and Settings\Jeff Robinson\My Documents\My Received Files\ATT_SST_Installer.exe/WISE0107.BIN/WISE0008.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Documents and Settings\Jeff Robinson\My Documents\My Received Files\ATT_SST_Installer.exe/WISE0107.BIN/WISE0009.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Documents and Settings\Jeff Robinson\My Documents\My Received Files\ATT_SST_Installer.exe/WISE0107.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Documents and Settings\Jeff Robinson\My Documents\My Received Files\ATT_SST_Installer.exe WiseSFX: infected - 3 skipped
C:\Documents and Settings\Jeff Robinson\My Documents\My Received Files\ATT_SST_Installer.exe WiseSFXDropper: infected - 3 skipped
C:\Documents and Settings\Jeff Robinson\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jeff Robinson\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\McAfee\MBK\LogOnHook.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\Apoint\Apoint.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\McAfee\MBK\LogOnHook.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\McAfee\MBK\McAfeeDataBackup.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\McAfee\McAfee QuickClean\Plguni.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\McAfee.com\Agent\mcagent.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\mobile PhoneTools\WatchDog.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\SiteAdvisor\6253\SiteAdv.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\Sony\HotKey Utility\HKserv.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\Sony\VAIO Power Management\SPMgr.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\Windows Media Player\WMPNSCFG.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\SONYSYS\VAIO Recovery\PartSeal.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ajfhnewc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cotpodea.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ctfmon.exe.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ezSP_Px .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nrcqjlwm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dim skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\owgddksr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX40.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rqonl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dgy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tgleubiy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\catchme2008-01-04_ 83839.00.zip/wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\QooBox\Quarantine\catchme2008-01-04_ 83839.00.zip/jkkjkhi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.byj skipped
C:\QooBox\Quarantine\catchme2008-01-04_ 83839.00.zip/rqonl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dgy skipped
C:\QooBox\Quarantine\catchme2008-01-04_ 83839.00.zip ZIP: infected - 3 skipped
C:\QooBox\Quarantine\catchme2008-01-07_ 81532.97.zip/rqonl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dgy skipped
C:\QooBox\Quarantine\catchme2008-01-07_ 81532.97.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050146.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050147.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050150.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050151.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050152.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050153.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050154.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050155.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050164.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050165.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050167.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050168.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050169.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050170.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050171.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050172.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050173.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050174.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050176.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050177.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050178.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050179.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050180.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050181.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050183.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050184.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050185.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050186.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050188.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050190.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050191.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050192.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050193.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050194.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050195.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050196.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050197.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050199.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050200.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050202.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050203.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050204.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050205.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050206.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP453\A0050207.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP454\A0051146.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP454\A0051147.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP454\A0051148.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP454\A0051151.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP458\A0052415.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0052423.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0052435.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0052437.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0052438.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0052439.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053328.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053331.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053332.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053333.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053334.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053335.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053336.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053337.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053338.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053339.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053340.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053341.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053342.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053343.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053349.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053350.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053351.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053352.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053354.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053360.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053372.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053375.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053376.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053377.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053378.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053379.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053380.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053382.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053383.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053384.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053385.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053387.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053388.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053389.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053390.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053391.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP459\A0053394.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054372.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054375.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054376.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054377.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054378.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054379.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054380.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054382.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054383.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054384.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054385.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054387.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054389.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054394.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054397.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054398.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP460\A0054402.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054447.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054451.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054453.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054454.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054457.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054459.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054460.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054461.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054462.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054463.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054464.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054466.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054467.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054468.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054469.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054470.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054471.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0054472.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055479.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055482.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055483.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055484.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055485.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055486.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055492.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055494.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055495.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055496.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055497.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055499.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055500.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055502.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055506.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055507.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP461\A0055514.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055549.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055551.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055553.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055554.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055555.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055556.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055557.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055559.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055560.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055561.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055562.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055564.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055565.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055566.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055567.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055568.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055570.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP462\A0055599.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056590.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056593.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056594.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056595.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056596.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056597.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056598.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056600.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056601.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056602.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056603.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056605.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056606.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056607.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056608.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056609.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP463\A0056611.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056674.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056677.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056678.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056679.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056680.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056681.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056682.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056683.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056684.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056685.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056686.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056687.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056688.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056689.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056690.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056691.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056692.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056693.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP464\A0056694.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056745.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056748.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056749.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056750.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056751.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056752.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056753.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056755.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056756.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056757.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056758.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056760.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056761.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056762.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056763.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056764.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP465\A0056765.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056798.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056800.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056801.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056802.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056803.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056804.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056805.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056807.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056808.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056809.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056810.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056812.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056813.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056814.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056816.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056817.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056818.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056820.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056821.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dim skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056822.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056824.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP466\A0056835.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dgy skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP474\A0057222.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP474\A0057226.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP474\A0057227.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057231.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057235.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057236.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057237.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057238.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057239.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057240.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057241.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057242.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057243.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057244.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057245.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057246.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057247.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057248.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057249.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057250.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057251.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP475\A0057259.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dgy skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP478\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shdocvw.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\urlmon.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmp.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D81EB8A8-49A4-43B6-839E-EC08D2536622}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\ezSP_Px.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\rqonl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dgy skipped
C:\WINDOWS\system32\rqonl.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JET2D47.tmp Object is locked skipped
C:\WINDOWS\Temp\JET6999.tmp Object is locked skipped
C:\WINDOWS\Temp\mcmsc_LXdKFFc7Th8kEvP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_Ph21EunfOF2mU5o Object is locked skipped
C:\WINDOWS\Temp\mcmsc_R6Xm0HqyDbbaY4t Object is locked skipped
C:\WINDOWS\Temp\mcmsc_Ut8gtz95IKykfAo Object is locked skipped
C:\WINDOWS\Temp\mcmsc_ZjNDiIgatmJdZEQ Object is locked skipped
C:\WINDOWS\Temp\sqlite_C6LMjt8EU5afKXh Object is locked skipped
C:\WINDOWS\Temp\sqlite_N65TVMZ2kio6B8h Object is locked skipped
C:\WINDOWS\Temp\sqlite_NZ9f4a0LnRFcbez Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP478\change.log Object is locked skipped
D:\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
D:\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:31 AM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ezSP_Px .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup .exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqonl.exe
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKCU\..\Run: [QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee.com\Shredder\SHRED32.EXE" /q C:\DOCUME~1\JEFFRO~1\LOCALS~1\TEMPOR~1\Content.SH! D:\TEMPOR~1\ANTIPH~1.SH! D:\TEMPOR~1\Content.SH!
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O23 - Service: McAfee Application Installer Cleanup (0243111199665433) (0243111199665433mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\024311~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 10287 bytes

#7 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal
  • Local time:07:17 AM

Posted 08 January 2008 - 12:59 PM

Hello

Please go to the following url: http://www.bleepingcomputer.com/submit-malware.php?channel=4
  • "Link to topic where this file was requested:" - please insert the link to this topic in the text box
  • "Browse to the file you want to submit:" - please click on browse and navigate to:
    C:\Documents and Settings\Jeff Robinson\Desktop\[4]-Submit_2008-01-07@7.58.zip
  • "Leave any comments, further information about this file, or contact information:" - please mention in the text box that Lusitano requested you to submit the file.
  • Click Submit

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\Jeff Robinson\Desktop\[4]-Submit_2008-01-07@7.58.zip
C:\Documents and Settings\Jeff Robinson\My Documents\My Received Files\ATT_SST_Installer.exe
C:\WINDOWS\system32\rqonl.dll

RENV::
----a-w 81,920 2008-01-04 12:08:42 C:\Program Files\McAfee\McAfee QuickClean\Plguni .exe
----a-w 582,992 2008-01-06 16:32:32 C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w 36,864 2008-01-04 12:07:39 C:\Program Files\mobile PhoneTools\WatchDog .exe
----a-w 75,584 2008-01-04 12:08:32 C:\Program Files\SanDisk\Sansa Updater\SansaDispatch .exe
----a-w 35,992 2008-01-04 12:08:14 C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
----a-w 98,304 2008-01-04 12:07:19 C:\Program Files\Sony\HotKey Utility\HKserv .exe
----a-w 167,936 2008-01-04 12:07:14 C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w 135,168 2008-01-04 12:07:27 C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w 204,288 2008-01-04 12:09:04 C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w 28,672 2008-01-04 12:07:34 C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w 48,640 2008-01-07 13:16:29 C:\WINDOWS\system32\ezSP_Px .exe
----a-w 99,840 2008-01-04 12:07:54 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1 .EXE

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please post them, along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
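
A small triage script for the indicators that appear in the logs above, added here as an example; it is not part of HijackThis, ComboFix or lusitano's instructions. It flags three things a reader can see in this thread: executables whose name carries a space before the extension (the files the RENV:: section of the CFScript renames back, such as ezSP_Px .exe, which runs beside the scanner-flagged ezSP_Px.exe), the win.ini load= entry in the F3 line, and an R0 start page whose host is outside an assumed list of expected domains. The sample lines are copied from the logs in this thread; the expected-host list, the function names and the finding labels are assumptions made for the example.

```python
"""Triage helper for HijackThis-style log lines (added example; not part of
HijackThis, ComboFix or the original post).

Indicators it looks for, all visible in the logs in this thread:
  * "renamed-binary": a path with whitespace before .exe/.dll ("ezSP_Px .exe").
    The adware renames the genuine program to "<name> .exe" and drops its own
    file under the original name, so the Run entry keeps a legitimate look.
  * "winini-load": an F3 entry where win.ini load= starts a program.
  * "start-page-hijack": an R0 start page whose host is not on an assumed
    list of expected hosts.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Finding:
    kind: str    # indicator label (assumed names, see module docstring)
    line: str    # the full log line that triggered it
    detail: str  # the matched fragment, path or host


# Whitespace wedged between the base name and the extension.
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.(?:exe|dll)\b", re.IGNORECASE)
# Legacy win.ini autostart, as reported by HijackThis F3 lines.
WININI_LOAD = re.compile(r"^F3 - REG:win\.ini: load=(?P<path>\S.*)$", re.IGNORECASE)
# Internet Explorer start page, as reported by HijackThis R0 lines.
START_PAGE = re.compile(
    r"^R0 - HK(?:LM|CU)\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = (?P<url>\S+)"
)

# Assumption for the example: hosts the analyst considers normal start pages.
EXPECTED_START_HOSTS = {"go.microsoft.com", "www.sony.com"}


def triage(log_text):
    """Return a list of Finding objects for the suspicious lines in log_text."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SPACE_BEFORE_EXT.search(line)
        if m:
            findings.append(Finding("renamed-binary", line, m.group(0)))
        m = WININI_LOAD.match(line)
        if m:
            findings.append(Finding("winini-load", line, m.group("path")))
        m = START_PAGE.match(line)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if host.lower() not in EXPECTED_START_HOSTS:
                findings.append(Finding("start-page-hijack", line, host))
    return findings


def summarize(findings):
    """Count findings per indicator kind."""
    return dict(Counter(f.kind for f in findings))


def find_renamed_pairs(paths):
    """Return (renamed_original, replacement) pairs: a 'name .exe' file whose
    space-less twin 'name.exe' is also present in the listing. This is the
    pattern seen here with ezSP_Px.exe (flagged by the scanner) beside
    ezSP_Px .exe (still listed as a running process)."""
    present = {p.lower() for p in paths}
    pairs = []
    for p in paths:
        twin = re.sub(r"\s+(\.(?:exe|dll))$", r"\1", p, flags=re.IGNORECASE)
        if twin != p and twin.lower() in present:
            pairs.append((p, twin))
    return pairs


# Constructed sample: lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ezSP_Px .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqonl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
"""

# Constructed directory listing: paths taken from the process list and the
# scanner report above.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\ezSP_Px .exe",
    r"C:\WINDOWS\system32\ezSP_Px.exe",
    r"C:\WINDOWS\system32\ctfmon .exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Program Files\Apoint\Apoint.exe",
    r"C:\WINDOWS\system32\rqonl.exe",
]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:18} {f.detail}")
    print(summarize(results))
    for original, replacement in find_renamed_pairs(SAMPLE_FILES):
        print(f"renamed original {original!r} beside replacement {replacement!r}")
```

The space-before-extension check is deliberately applied to every line, not only O4 entries, because the same renamed names show up in the running-process list at the top of the log. The pair check is the stronger signal: a lone "name .exe" could be an oddly named file, but "name .exe" next to "name.exe" in the same directory is the swap the CFScript's RENV:: section undoes.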

#8 dsdaddie

dsdaddie
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:17 AM

Posted 08 January 2008 - 02:30 PM

I posted the 4-submit zip as requested.
Ran the CFScript on ComboFix, but forgot to disable McAfee Sec Ctr.

Log and new HJT are here:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:58 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\system32\ezSP_Px .exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\rundll32.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqonl.exe
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKCU\..\Run: [QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee.com\Shredder\SHRED32.EXE" /q C:\DOCUME~1\JEFFRO~1\LOCALS~1\TEMPOR~1\Content.SH! D:\TEMPOR~1\ANTIPH~1.SH! D:\TEMPOR~1\Content.SH!
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O23 - Service: McAfee Application Installer Cleanup (0028171199799332) (0028171199799332mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\002817~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 10290 bytes


ComboFix 08-01-04.1 - Jeff Robinson 2008-01-08 13:36:27.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.109 [GMT -5:00]
Running from: C:\Documents and Settings\Jeff Robinson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff Robinson\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Jeff Robinson\Desktop\[4]-Submit_2008-01-07@7.58.zip
C:\Documents and Settings\Jeff Robinson\My Documents\My Received Files\ATT_SST_Installer.exe
C:\WINDOWS\system32\rqonl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jeff Robinson\Desktop\[4]-Submit_2008-01-07@7.58.zip
C:\Documents and Settings\Jeff Robinson\My Documents\My Received Files\ATT_SST_Installer.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\LogOnHook.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ezSP_Px .exe
C:\WINDOWS\system32\lnoqr.ini
C:\WINDOWS\system32\lnoqr.ini2
C:\WINDOWS\system32\mniypijj.dll
C:\WINDOWS\system32\pkesopcq.ini
C:\WINDOWS\system32\qcposekp.dll
C:\WINDOWS\system32\rqonl.dll
C:\WINDOWS\system32\rqonl.exe

"C:\Program Files\McAfee\MBK\LogOnHook .exe" replaces infected copy of "C:\Program Files\McAfee\MBK\LogOnHook.exe"
"C:\Program Files\McAfee\MBK\McAfeeDataBackup .exe" replaces infected copy of "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
"C:\Program Files\McAfee.com\Agent\mcagent .exe" replaces infected copy of "C:\Program Files\McAfee.com\Agent\mcagent.exe"
"C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics .exe" replaces infected copy of "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
"C:\WINDOWS\system32\ctfmon .exe" moved to QooBox
.
.
((((((((((((((((((((((((( Files Created from 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))
.

2008-01-08 13:56 . 2008-01-08 13:56 382,976 --a------ C:\WINDOWS\system32\ezSP_Px .exe
2008-01-08 13:56 . 2008-01-08 13:56 334,336 --------- C:\WINDOWS\system32\rqonl.dll
2008-01-08 08:32 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-01-07 21:09 . 2008-01-07 21:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2008-01-07 21:08 . 2008-01-07 21:08 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-07 20:29 . 2008-01-07 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-07 20:28 . 2008-01-07 20:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-04 19:59 . 2008-01-07 21:09 <DIR> d-------- C:\Program Files\Seagate
2008-01-04 19:16 . 2008-01-04 19:23 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-04 08:40 . 2008-01-04 08:40 9 --a------ C:\WINDOWS\system32\40253ac9
2008-01-04 08:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 17:44 . 2008-01-01 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 11:21 . 2008-01-08 00:07 <DIR> d-------- C:\VundoFix Backups
2007-12-30 20:38 . 2007-12-30 20:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-30 20:38 . 2007-12-30 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-28 17:53 . 2007-12-28 17:53 0 --a------ C:\WINDOWS\VAIOUpdt .INI
2007-12-24 12:18 . 2007-12-24 12:18 9,662 --a------ C:\WINDOWS\EPISME00.SWB
2007-12-18 08:35 . 2008-01-04 08:27 <DIR> d-------- C:\Temp
2007-12-16 13:16 . 2007-12-21 15:23 2,932 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-14 18:39 . 2007-12-14 18:39 <DIR> d-------- C:\Program Files\SanDisk
2007-12-14 18:38 . 2007-12-14 18:38 <DIR> d-------- C:\Documents and Settings\Jeff Robinson\Application Data\InstallShield
2007-12-10 10:46 . 2007-12-11 09:21 23,817 --a------ C:\Documents and Settings\Jeff Robinson\Application Data\info.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 02:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 13:07 --------- d-----w C:\Program Files\QuickTime
2008-01-07 13:07 --------- d-----w C:\Program Files\Apoint
2008-01-07 12:43 --------- d-----w C:\Program Files\Nikon
2008-01-07 12:42 --------- d-----w C:\Program Files\Common Files\Nikon
2008-01-07 12:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-01-07 00:23 --------- d-----w C:\Program Files\McAfee
2008-01-05 00:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 13:26 --------- d-----w C:\Program Files\mobile PhoneTools
2008-01-04 12:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-03 14:48 --------- d-----w C:\Program Files\jv16 PowerTools 2006
2007-12-29 03:00 382,976 ----a-w C:\WINDOWS\system32\ezSP_Px.exe
2007-12-21 20:57 --------- d-----w C:\Program Files\HomeTech42
2007-12-21 20:37 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-14 19:21 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 01:26 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2007-07-20 17:54 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-07-20 17:54 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
.
----a-w   582,992 2008-01-08 19:00:46  C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w    36,864 2008-01-04 12:07:39  C:\Program Files\mobile PhoneTools\WatchDog .exe
----a-w    75,584 2008-01-04 12:08:32  C:\Program Files\SanDisk\Sansa Updater\SansaDispatch .exe
----a-w    35,992 2008-01-04 12:08:14  C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
----a-w    98,304 2008-01-04 12:07:19  C:\Program Files\Sony\HotKey Utility\HKserv .exe
----a-w   167,936 2008-01-04 12:07:14  C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w   135,168 2008-01-04 12:07:27  C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w   204,288 2008-01-04 12:09:04  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w    28,672 2008-01-04 12:07:34  C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w   382,976 2008-01-08 18:56:21  C:\WINDOWS\system32\ezSP_Px .exe
----a-w    99,840 2008-01-04 12:07:54  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1 .EXE


((((((((((((((((((((((((((((( snapshot_2008-01-07_ 8.23.54.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-08 02:10:34 69,632 ----a-r C:\WINDOWS\Installer\{48B0F38D-1913-44F3-99AA-D4C55A2B038E}\ARPPRODUCTICON.exe
+ 2008-01-08 02:10:34 69,632 ----a-r C:\WINDOWS\Installer\{48B0F38D-1913-44F3-99AA-D4C55A2B038E}\NewShortcut1_D5E5682B2798457BBBF70892B58EFF3A.exe
+ 2008-01-08 02:10:34 69,632 ----a-r C:\WINDOWS\Installer\{48B0F38D-1913-44F3-99AA-D4C55A2B038E}\NewShortcut2_60EEB642E9E045A2A676B9D8FE17C4A9.exe
+ 2008-01-08 02:10:34 45,056 ----a-r C:\WINDOWS\Installer\{48B0F38D-1913-44F3-99AA-D4C55A2B038E}\NewShortcut3_129CE8B7DA8F497CB4428DA1D987019D.exe
- 2008-01-07 12:21:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-08 17:59:20 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-07 12:21:30 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-08 17:59:20 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-05-15 20:43:10 1,320,800 ----a-w C:\WINDOWS\system32\msxml6.dll
+ 2006-10-05 09:31:10 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
+ 2006-12-02 03:56:00 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 03:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 03:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 03:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-02 05:25:52 1,101,824 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-02 05:25:56 1,093,120 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 05:25:58 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 05:26:00 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 05:08:00 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 05:08:00 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 05:08:00 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 05:08:00 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 05:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 05:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 05:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 05:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 05:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B917E3EC-1BAD-44BF-ABFB-3F090F31306A}]
2008-01-08 13:56 334336 --------- C:\WINDOWS\system32\rqonl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickClean Imonitor"="C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe" [ ]
"Yahoo! Pager"="1" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="C:\Program Files\McAfee.com\Shredder\SHRED32.exe" [2005-07-15 00:51 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [ ]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [ ]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px .exe" [2008-01-08 13:56 382976]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-01-08 13:56 947712]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [ ]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2008-01-08 13:56 5200896]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2008-01-08 13:56 360448]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [ ]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2008-01-08 13:56 598528]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\rqonl.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqonl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2005-12-18 21:35]
R2 Basics Service;Basics Service;"C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe" [2007-10-09 16:21]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-03-12 16:32]
S2 0028171199799332mcinstcleanup;McAfee Application Installer Cleanup (0028171199799332);C:\WINDOWS\TEMP\002817~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe [2004-03-12 15:57]

*Newly Created Service* - 0028171199799332MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2006-08-02 13:32:11 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-01-01 06:02:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
"2005-08-11 17:05:25 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 13:58:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\lnoqr.ini 6516 bytes
C:\WINDOWS\system32\lnoqr.ini2 6516 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-01-08 14:08:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-08 19:08:01
ComboFix2.txt 2008-01-07 13:24:29
ComboFix3.txt 2008-01-04 13:48:20
.
2008-01-08 18:19:58 --- E O F ---

#9 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal
  • Local time:07:17 AM

Posted 09 January 2008 - 01:54 PM

Hello dsdaddie,

Your computer is infected with a nasty variant of Vundo. Please keep this machine disconnected from the internet and please try not to reboot the machine until you get my next instructions. Thanks! :thumbsup:

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:

DirLook::
C:\WINDOWS\system32\40253ac9

Rootkit::
C:\WINDOWS\system32\rqonl.dll
C:\WINDOWS\system32\lnoqr.ini
C:\WINDOWS\system32\lnoqr.ini2

RENV::
----a-w 582,992 2008-01-08 19:00:46 C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w 36,864 2008-01-04 12:07:39 C:\Program Files\mobile PhoneTools\WatchDog .exe
----a-w 75,584 2008-01-04 12:08:32 C:\Program Files\SanDisk\Sansa Updater\SansaDispatch .exe
----a-w 35,992 2008-01-04 12:08:14 C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
----a-w 98,304 2008-01-04 12:07:19 C:\Program Files\Sony\HotKey Utility\HKserv .exe
----a-w 167,936 2008-01-04 12:07:14 C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w 135,168 2008-01-04 12:07:27 C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w 204,288 2008-01-04 12:09:04 C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w 28,672 2008-01-04 12:07:34 C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w 382,976 2008-01-08 18:56:21 C:\WINDOWS\system32\ezSP_Px .exe
----a-w 99,840 2008-01-04 12:07:54 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1 .EXE

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B917E3EC-1BAD-44BF-ABFB-3F090F31306A}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Post the contents of that log and a new HijackThis log. Also let me know how your computer is running now.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Regards
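The CFScript above targets a handful of persistence spots that the posted logs expose: the win.ini `load=` entry (the `F3` line in HijackThis, `"load"=` under HKCU\...\Windows in ComboFix), the legitimate executables that were renamed with a space before the extension (`mcagent .exe`, the `RENV::` list), an extra LSA `Authentication Packages` entry pointing at `rqonl`, and the unnamed BHO. As an added example, not code from this thread, from HijackThis or from ComboFix, here is a small triage script that scans log lines of that shape and reports which of those patterns each line trips. The sample lines are constructed from the logs in this thread plus a few benign entries; the rule names and the assumption that `msv1_0` is the only expected authentication package on this XP machine are mine. A hit is a prompt to look closer, not a verdict: the unnamed SiteAdvisor BHO in these logs is a legitimate McAfee component.

```python
"""Triage helper for HijackThis / ComboFix log lines.

Added example for this thread; it is not code from the thread, from HijackThis
or from ComboFix. It flags the persistence patterns visible in the logs above:
the win.ini 'load=' entry, executables renamed with a space before the
extension ("mcagent .exe"), a service whose binary lives in %TEMP% or is
missing, an unnamed BHO, and an extra LSA authentication package.
"""
import re

# Constructed sample: lines copied from the HijackThis and ComboFix output in
# this thread, plus benign entries so the rules have something to leave alone.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqonl.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee Application Installer Cleanup (0028171199799332) (0028171199799332mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\002817~1.EXE (file missing)
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqonl
"""

# "name .exe": a space wedged in front of the extension, the renaming that
# ComboFix's "replaces infected copy of" lines undo.
SPACE_BEFORE_EXT = re.compile(r"\S \.(exe|dll|ini)\b", re.IGNORECASE)
TEMP_PATH = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# Assumption: the only package expected in LSA's Authentication Packages on this XP box.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}


def check_line(line: str) -> list[str]:
    """Return the rule names a single log line trips (empty list: nothing flagged)."""
    hits = []
    prefix = line.split(" - ", 1)[0]        # HijackThis section code: F3, O2, O4, O23 ...
    if prefix == "F3" and "load=" in line:
        hits.append("win.ini-load")         # win.ini load= starts a program at user logon
    if SPACE_BEFORE_EXT.search(line):
        hits.append("space-before-extension")
    if prefix == "O2" and "(no name)" in line:
        hits.append("unnamed-bho")
    if prefix == "O23":
        if "(file missing)" in line:
            hits.append("service-file-missing")
        if TEMP_PATH.search(line):
            hits.append("service-in-temp")
    if line.startswith("Authentication Packages"):
        # Layout from the ComboFix dump: name, REG_MULTI_SZ, then the packages.
        packages = line.split()[3:]
        extra = [p for p in packages if p.lower() not in EXPECTED_AUTH_PACKAGES]
        if extra:
            hits.append("lsa-auth-package:" + ",".join(extra))
    return hits


def triage(log: str) -> dict[str, list[str]]:
    """Map every flagged line of a log to the rules it tripped."""
    report = {}
    for raw in log.splitlines():
        line = raw.strip()
        if line:
            hits = check_line(line)
            if hits:
                report[line] = hits
    return report


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG).items():
        print(", ".join(hits).ljust(40), line)
```

Run against the sample, six of the nine lines are flagged: the `F3` entry, the unnamed BHO, the two Run keys pointing at `name .exe` binaries, the service in `C:\WINDOWS\TEMP` whose file is missing, and the LSA line carrying `C:\WINDOWS\system32\rqonl` next to `msv1_0`. The Adobe BHO, the Apoint Run key and the Ad-Aware service pass untouched, which is the point of the benign lines: a rule that fires on everything is no help when reading a log this long.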

#10 dsdaddie

dsdaddie
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:17 AM

Posted 10 January 2008 - 09:42 AM

Thanks again.
On ComboFix reboot my McAfee sec ctr was missing files and needed reinstallation.
Here's the latest logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:41 AM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\system32\ezSP_Px .exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKCU\..\Run: [QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee.com\Shredder\SHRED32.EXE" /q C:\DOCUME~1\JEFFRO~1\LOCALS~1\TEMPOR~1\Content.SH! D:\TEMPOR~1\ANTIPH~1.SH! D:\TEMPOR~1\Content.SH!
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O23 - Service: McAfee Application Installer Cleanup (0322731199968902) (0322731199968902mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\032273~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 10676 bytes

ComboFix 08-01-04.1 - Jeff Robinson 2008-01-10 9:01:33.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.120 [GMT -5:00]
Running from: C:\Documents and Settings\Jeff Robinson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff Robinson\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ezSP_Px .exe
C:\WINDOWS\system32\lnoqr.ini
C:\WINDOWS\system32\lnoqr.ini2
C:\WINDOWS\system32\rqonl.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-10 09:11 . 2008-01-10 09:11 40,960 --a------ C:\WINDOWS\system32\ezSP_Px .exe
2008-01-07 21:09 . 2008-01-07 21:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2008-01-07 21:08 . 2008-01-07 21:08 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-07 20:29 . 2008-01-07 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-07 20:28 . 2008-01-07 20:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-04 19:59 . 2008-01-07 21:09 <DIR> d-------- C:\Program Files\Seagate
2008-01-04 19:16 . 2008-01-04 19:23 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-04 08:40 . 2008-01-04 08:40 9 --a------ C:\WINDOWS\system32\40253ac9
2008-01-04 08:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 17:44 . 2008-01-01 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 11:21 . 2008-01-08 00:07 <DIR> d-------- C:\VundoFix Backups
2007-12-30 20:38 . 2007-12-30 20:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-30 20:38 . 2007-12-30 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-28 17:53 . 2007-12-28 17:53 0 --a------ C:\WINDOWS\VAIOUpdt .INI
2007-12-24 12:18 . 2007-12-24 12:18 9,662 --a------ C:\WINDOWS\EPISME00.SWB
2007-12-18 08:35 . 2008-01-04 08:27 <DIR> d-------- C:\Temp
2007-12-16 13:16 . 2007-12-21 15:23 2,932 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-14 18:39 . 2007-12-14 18:39 <DIR> d-------- C:\Program Files\SanDisk
2007-12-14 18:38 . 2007-12-14 18:38 <DIR> d-------- C:\Documents and Settings\Jeff Robinson\Application Data\InstallShield
2007-12-10 10:46 . 2007-12-11 09:21 23,817 --a------ C:\Documents and Settings\Jeff Robinson\Application Data\info.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 13:19 --------- d-----w C:\Program Files\mobile PhoneTools
2008-01-08 02:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 13:07 --------- d-----w C:\Program Files\QuickTime
2008-01-07 13:07 --------- d-----w C:\Program Files\Apoint
2008-01-07 12:43 --------- d-----w C:\Program Files\Nikon
2008-01-07 12:42 --------- d-----w C:\Program Files\Common Files\Nikon
2008-01-07 12:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-01-07 00:23 --------- d-----w C:\Program Files\McAfee
2008-01-05 00:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 12:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-03 14:48 --------- d-----w C:\Program Files\jv16 PowerTools 2006
2007-12-21 20:57 --------- d-----w C:\Program Files\HomeTech42
2007-12-21 20:37 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-14 19:21 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-24 01:26 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2007-07-20 17:54 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-07-20 17:54 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
.
<pre>
------w			75,584 2008-01-04 12:08:32  C:\Program Files\SanDisk\Sansa Updater\SansaDispatch .exe
----a-w			35,992 2008-01-04 12:08:14  C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
----a-w			98,304 2008-01-04 12:07:19  C:\Program Files\Sony\HotKey Utility\HKserv .exe
----a-w		   167,936 2008-01-04 12:07:14  C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w		   135,168 2008-01-04 12:07:27  C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w		   204,288 2008-01-04 12:09:04  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w			28,672 2008-01-04 12:07:34  C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w			40,960 2008-01-10 14:11:24  C:\WINDOWS\system32\ezSP_Px .exe
----a-w			99,840 2008-01-04 12:07:54  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1 .EXE
</pre>


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\40253ac9 ----

C:\WINDOWS\system32\40253ac9\


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickClean Imonitor"="C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe" [ ]
"Yahoo! Pager"="1" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="C:\Program Files\McAfee.com\Shredder\SHRED32.exe" [2005-07-15 00:51 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [ ]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [ ]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px .exe" [2008-01-10 09:11 40960]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [ ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [ ]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [ ]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [ ]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [ ]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\rqonl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2005-12-18 21:35]
R2 Basics Service;Basics Service;"C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe" [2007-10-09 16:21]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-03-12 16:32]
S2 0322731199968902mcinstcleanup;McAfee Application Installer Cleanup (0322731199968902);C:\WINDOWS\TEMP\032273~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe [2004-03-12 15:57]

.
Contents of the 'Scheduled Tasks' folder
"2006-08-02 13:32:11 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-01-01 06:02:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
"2005-08-11 17:05:25 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 09:11:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-10 9:19:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-10 14:19:09
ComboFix2.txt 2008-01-10 13:36:02
ComboFix3.txt 2008-01-08 19:08:12
ComboFix4.txt 2008-01-07 13:24:29
ComboFix5.txt 2008-01-04 13:48:20
.
2008-01-10 12:44:17 --- E O F ---

#11 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 11 January 2008 - 01:58 PM

Hi,

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\WINDOWS\system32\40253ac9

RENV::
------w 75,584 2008-01-04 12:08:32 C:\Program Files\SanDisk\Sansa Updater\SansaDispatch .exe
----a-w 35,992 2008-01-04 12:08:14 C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
----a-w 98,304 2008-01-04 12:07:19 C:\Program Files\Sony\HotKey Utility\HKserv .exe
----a-w 167,936 2008-01-04 12:07:14 C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w 135,168 2008-01-04 12:07:27 C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w 204,288 2008-01-04 12:09:04 C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w 28,672 2008-01-04 12:07:34 C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w 40,960 2008-01-10 14:11:24 C:\WINDOWS\system32\ezSP_Px .exe
----a-w 99,840 2008-01-04 12:07:54 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1 .EXE

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.




Please Disable and Enable System Restore. You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide



Please do an online scan with Kaspersky WebScanner

Click on Posted Image

You will be prompted to install an ActiveX component from Kaspersky, Click Posted Image
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Posted Image
  • Now click on Posted Image
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click Posted Image
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post, along with a new HijackThis log. Also let me know how your computer is running.

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
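As an added example (not from this thread, and not ComboFix's own code), a Python triage script that scans ComboFix-style log text for the indicators the helper acted on above: executables with a space before the extension (the RENV:: targets), an extra LSA Authentication Package, a per-user "load" value and a freshly dropped BHO. The sample log lines are constructed from the shape of the logs posted in this thread.

```python
"""Triage helper for ComboFix-style log text (added example, not ComboFix's own
code). Flags the Virtumonde/Vundo indicators the CFScript above acted on:
executables with a space before the extension, a non-default LSA
Authentication Package, an HKCU "load" value and a freshly dropped BHO."""
import re

# Constructed sample: a few lines in the shape of this thread's ComboFix
# output (file listing, Reg Loading Points); not a complete log.
SAMPLE_LOG = r"""
2008-01-10 09:11 . 2008-01-10 09:11 40,960 --a------ C:\WINDOWS\system32\ezSP_Px .exe
----a-w           135,168 2008-01-04 12:07:27  C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB07E4D1-CF05-4351-8F30-A60F5DD5CDD9}]
2008-01-11 15:39 334336 --a------ C:\WINDOWS\system32\rqonl.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\rqonl.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\rqonl
"""

WIN_PATH = re.compile(r"[A-Za-z]:\\.*$")          # first drive-letter path to end of line
SPACED_EXT = re.compile(r"\S \.(exe|dll|sys)$", re.IGNORECASE)  # "name .exe"
BHO_HDR = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$")
LSA_LINE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.*)$")


def _path(line):
    """Path on a log line, or None. ComboFix prints REG_MULTI_SZ data with
    doubled backslashes, so collapse those to a normal path."""
    m = WIN_PATH.search(line.rstrip())
    return m.group(0).replace("\\\\", "\\") if m else None


def renamed_originals(log_text):
    """Paths with a space before the extension. No installer writes names like
    that; these are the entries the thread's RENV:: directive renames back."""
    return [p for p in map(_path, log_text.splitlines()) if p and SPACED_EXT.search(p)]


def extra_auth_packages(log_text):
    """LSA 'Authentication Packages' entries beyond the default msv1_0. Each
    entry is loaded into lsass.exe at boot. Entries are split on whitespace,
    so a path containing spaces would be broken up (the sample has none)."""
    for line in log_text.splitlines():
        m = LSA_LINE.match(line)
        if m:
            return [t.replace("\\\\", "\\") for t in m.group(1).split()
                    if t.lower() != "msv1_0"]
    return []


def hkcu_load_value(log_text):
    """The per-user Windows NT 'load' value, normally absent. Whatever it names
    runs at logon without appearing under the usual Run keys."""
    m = re.search(r'^"load"=(.+)$', log_text, re.MULTILINE)
    return m.group(1).strip() if m else None


def browser_helper_objects(log_text):
    """(CLSID, DLL path) per BHO block. A BHO whose DLL was created on the day
    of infection is the classic Vundo marker (rqonl.dll in this thread)."""
    found, lines = [], log_text.splitlines()
    for i, line in enumerate(lines):
        m = BHO_HDR.match(line.strip())
        if not m:
            continue
        for follow in lines[i + 1:]:     # first path line after the header
            p = _path(follow)
            if p:
                found.append((m.group(1), p))
                break
    return found


def triage(log_text):
    """Run every check; any non-empty result calls for follow-up cleaning."""
    return {
        "renamed_originals": renamed_originals(log_text),
        "extra_auth_packages": extra_auth_packages(log_text),
        "hkcu_load": hkcu_load_value(log_text),
        "bhos": browser_helper_objects(log_text),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

Run against a real ComboFix.txt, every non-empty list in the result maps to one line of the kind of script the helper wrote; the script itself should still come from someone reading the whole log.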

#12 dsdaddie

dsdaddie
  • Topic Starter

  • Members
  • 9 posts

Posted 11 January 2008 - 07:42 PM

Hi
My computer is running a bit faster and I'm not seeing wireless activity when the browser is closed. I am still missing the function key features like the volume, and screen brightness controls.

ComboFix 08-01-04.1 - Jeff Robinson 2008-01-11 15:30:13.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.162 [GMT -5:00]
Running from: C:\Documents and Settings\Jeff Robinson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff Robinson\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\40253ac9\

.
((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-11 15:39 . 2008-01-11 15:39 334,336 --a------ C:\WINDOWS\system32\rqonl.dll
2008-01-11 07:31 . 2008-01-11 07:31 <DIR> d-------- C:\Documents and Settings\Jeff Robinson\Application Data\DivX
2008-01-10 09:45 . 2008-01-10 09:45 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-01-10 09:11 . 2008-01-11 15:40 40,960 --a------ C:\WINDOWS\system32\ezSP_Px .exe
2008-01-07 21:09 . 2008-01-07 21:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2008-01-07 21:08 . 2008-01-07 21:08 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-07 20:29 . 2008-01-07 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-07 20:28 . 2008-01-07 20:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-07 20:16 . 2008-01-07 20:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-01-04 19:59 . 2008-01-07 21:09 <DIR> d-------- C:\Program Files\Seagate
2008-01-04 19:16 . 2008-01-04 19:23 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-04 16:59 . 2008-01-04 16:59 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-01-04 16:59 . 2008-01-04 16:59 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-01-04 16:58 . 2008-01-04 16:58 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 16:58 . 2008-01-04 16:58 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-01-04 16:58 . 2008-01-04 16:58 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-01-04 16:56 . 2008-01-04 16:56 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 16:56 . 2008-01-04 16:56 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-01-04 08:40 . 2008-01-04 08:40 9 --a------ C:\WINDOWS\system32\40253ac9
2008-01-04 08:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 17:44 . 2008-01-01 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 11:21 . 2008-01-08 00:07 <DIR> d-------- C:\VundoFix Backups
2007-12-30 20:38 . 2007-12-30 20:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-30 20:38 . 2007-12-30 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-28 17:53 . 2007-12-28 17:53 0 --a------ C:\WINDOWS\VAIOUpdt .INI
2007-12-24 12:18 . 2007-12-24 12:18 9,662 --a------ C:\WINDOWS\EPISME00.SWB
2007-12-18 08:35 . 2008-01-04 08:27 <DIR> d-------- C:\Temp
2007-12-16 13:16 . 2007-12-21 15:23 2,932 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-14 18:39 . 2007-12-14 18:39 <DIR> d-------- C:\Program Files\SanDisk
2007-12-14 18:38 . 2007-12-14 18:38 <DIR> d-------- C:\Documents and Settings\Jeff Robinson\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 20:40 337,920 ----a-w C:\WINDOWS\system32\rqonl.exe
2008-01-11 20:40 15,360 ----a-w C:\WINDOWS\system32\ctfmon .exe
2008-01-10 14:55 --------- d-----w C:\Program Files\DivX
2008-01-10 13:19 --------- d-----w C:\Program Files\mobile PhoneTools
2008-01-08 02:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 13:07 --------- d-----w C:\Program Files\QuickTime
2008-01-07 13:07 --------- d-----w C:\Program Files\Apoint
2008-01-07 12:43 --------- d-----w C:\Program Files\Nikon
2008-01-07 12:42 --------- d-----w C:\Program Files\Common Files\Nikon
2008-01-07 12:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-01-07 00:23 --------- d-----w C:\Program Files\McAfee
2008-01-05 00:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 12:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-03 14:48 --------- d-----w C:\Program Files\jv16 PowerTools 2006
2007-12-29 03:00 382,976 ----a-w C:\WINDOWS\system32\ezSP_Px.exe
2007-12-21 20:57 --------- d-----w C:\Program Files\HomeTech42
2007-12-21 20:37 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-14 19:21 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-12-11 14:21 23,817 ----a-w C:\Documents and Settings\Jeff Robinson\Application Data\info.dat
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 01:26 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2007-07-20 17:54 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-07-20 17:54 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
.
<pre>
----a-w		   582,992 2008-01-11 20:41:14  C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w			35,992 2008-01-04 12:08:14  C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
----a-w			98,304 2008-01-04 12:07:19  C:\Program Files\Sony\HotKey Utility\HKserv .exe
----a-w		   167,936 2008-01-04 12:07:14  C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w		   135,168 2008-01-04 12:07:27  C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w		   204,288 2008-01-04 12:09:04  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w			28,672 2008-01-04 12:07:34  C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w			15,360 2008-01-11 20:40:40  C:\WINDOWS\system32\ctfmon .exe
----a-w		   382,976 2008-01-11 20:40:37  C:\WINDOWS\system32\ezSP_Px .exe
----a-w			99,840 2008-01-04 12:07:54  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1 .EXE
</pre>


((((((((((((((((((((((((((((( snapshot_2008-01-10_ 8.35.00.74 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-10 12:23:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-11 19:53:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-10 12:23:28 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-11 19:53:33 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-10 12:23:28 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-11 19:53:33 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB07E4D1-CF05-4351-8F30-A60F5DD5CDD9}]
2008-01-11 15:39 334336 --a------ C:\WINDOWS\system32\rqonl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickClean Imonitor"="C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe" [ ]
"Yahoo! Pager"="1" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="C:\Program Files\McAfee.com\Shredder\SHRED32.exe" [2005-07-15 00:51 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [ ]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [ ]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px .exe" [2008-01-11 15:40 382976]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-01-11 15:40 947712]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [ ]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2008-01-11 15:40 360448]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [2008-01-11 15:40 414208]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\rqonl.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqonl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2005-12-18 21:35]
R2 Basics Service;Basics Service;"C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe" [2007-10-09 16:21]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-03-12 16:32]
S2 0162421200054302mcinstcleanup;McAfee Application Installer Cleanup (0162421200054302);C:\WINDOWS\TEMP\016242~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe [2004-03-12 15:57]

*Newly Created Service* - 0162421200054302MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2006-08-02 13:32:11 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-01-01 06:02:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
"2005-08-11 17:05:25 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 15:40:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-11 15:49:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-11 20:49:38
ComboFix2.txt 2008-01-10 14:19:16
ComboFix3.txt 2008-01-10 13:36:02
ComboFix4.txt 2008-01-08 19:08:12
ComboFix5.txt 2008-01-07 13:24:29
.
2008-01-10 12:44:17 --- E O F ---

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, January 11, 2008 6:58:59 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/01/2008
Kaspersky Anti-Virus database records: 507898
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 81312
Number of viruses found: 8
Number of infected objects: 64
Number of suspicious objects: 0
Duration of the scan process: 01:29:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.mdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\VAIO Entertainment Platform\1.0\VzCdb\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\VAIO Entertainment Platform\1.0\VzCdb\MtData.mdb Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Application Data\McAfee\MBK\ARBUSFILE.GDB Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Application Data\ApplicationHistory\McAfeeDataBackup.exe.e548c4c.ini.inuse Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\History\History.IE5\MSHist012008011120080112\index.dat Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Temp\fb_1352.lck Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Temp\sqlite_zexPnVbboQmHKU8 Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Temp\~DF487.tmp Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Temp\~DF6B03.tmp Object is locked skipped
C:\Documents and Settings\Jeff Robinson\Local Settings\Temp\~DF6B6C.tmp Object is locked skipped
C:\Documents and Settings\Jeff Robinson\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jeff Robinson\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\McAfee\MBK\LogOnHook.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\McAfee.com\Agent\mcagent.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Documents and Settings\Jeff Robinson\Desktop\[4]-Submit_2008-01-07@7.58.zip.vir/rqonl.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Documents and Settings\Jeff Robinson\Desktop\[4]-Submit_2008-01-07@7.58.zip.vir/troy44 .exe Infected: Trojan-Clicker.Win32.VB.yh skipped
C:\QooBox\Quarantine\C\Documents and Settings\Jeff Robinson\Desktop\[4]-Submit_2008-01-07@7.58.zip.vir ZIP: infected - 2 skipped
C:\QooBox\Quarantine\C\Documents and Settings\Jeff Robinson\My Documents\My Received Files\ATT_SST_Installer.exe.vir/WISE0107.BIN/WISE0008.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\QooBox\Quarantine\C\Documents and Settings\Jeff Robinson\My Documents\My Received Files\ATT_SST_Installer.exe.vir/WISE0107.BIN/WISE0009.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\QooBox\Quarantine\C\Documents and Settings\Jeff Robinson\My Documents\My Received Files\ATT_SST_Installer.exe.vir/WISE0107.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\QooBox\Quarantine\C\Documents and Settings\Jeff Robinson\My Documents\My Received Files\ATT_SST_Installer.exe.vir WiseSFX: infected - 3 skipped
C:\QooBox\Quarantine\C\Documents and Settings\Jeff Robinson\My Documents\My Received Files\ATT_SST_Installer.exe.vir WiseSFXDropper: infected - 3 skipped
C:\QooBox\Quarantine\C\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\Apoint\Apoint.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\McAfee\MBK\LogOnHook.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\McAfee\MBK\McAfeeDataBackup.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\McAfee\McAfee QuickClean\Plguni.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\McAfee.com\Agent\mcagent.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\mobile PhoneTools\WatchDog.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\SiteAdvisor\6253\SiteAdv.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\Sony\HotKey Utility\HKserv.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\Sony\VAIO Power Management\SPMgr.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\Windows Media Player\WMPNSCFG.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\SONYSYS\VAIO Recovery\PartSeal.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ajfhnewc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\asmppgax.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cotpodea.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ctfmon.exe.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ezSP_Px .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nrcqjlwm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dim skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\owgddksr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qcposekp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX40.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rqonl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dgy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rqonl.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tgleubiy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\catchme2008-01-04_ 83839.00.zip/wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\QooBox\Quarantine\catchme2008-01-04_ 83839.00.zip/jkkjkhi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.byj skipped
C:\QooBox\Quarantine\catchme2008-01-04_ 83839.00.zip/rqonl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dgy skipped
C:\QooBox\Quarantine\catchme2008-01-04_ 83839.00.zip ZIP: infected - 3 skipped
C:\QooBox\Quarantine\catchme2008-01-07_ 81532.97.zip/rqonl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dgy skipped
C:\QooBox\Quarantine\catchme2008-01-07_ 81532.97.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\catchme2008-01-08_135605.92.zip/rqonl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dgy skipped
C:\QooBox\Quarantine\catchme2008-01-08_135605.92.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP487\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shdocvw.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\urlmon.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmp.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ezSP_Px .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\ezSP_Px.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\rqonl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dgy skipped
C:\WINDOWS\system32\rqonl.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JET4EFE.tmp Object is locked skipped
C:\WINDOWS\Temp\JETED64.tmp Object is locked skipped
C:\WINDOWS\Temp\mcmsc_kG6BS4Up0fhpE3h Object is locked skipped
C:\WINDOWS\Temp\sqlite_7JpTomo8CsBxhhs Object is locked skipped
C:\WINDOWS\Temp\sqlite_DgphkNUMYu1S56t Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
D:\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02:21 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ezSP_Px .exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqonl.exe
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKCU\..\Run: [QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee.com\Shredder\SHRED32.EXE" /q C:\DOCUME~1\JEFFRO~1\LOCALS~1\TEMPOR~1\Content.SH! D:\TEMPOR~1\ANTIPH~1.SH! D:\TEMPOR~1\Content.SH!
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O23 - Service: McAfee Application Installer Cleanup (0162421200054302) (0162421200054302mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\016242~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 10202 bytes

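The HijackThis log above shows the pattern this Virtumonde variant leaves behind: Run entries and a win.ini load= line pointing at files such as "qttask .exe" and "ezSP_Px .exe" (a space before the extension, where the real binary was pushed aside), a Run value that is not a path at all ([Yahoo! Pager] 1), and a service whose binary is missing. The Python below is an added example written for this thread, not HijackThis or ComboFix code; it runs those checks over a few lines abridged from the log. The rule names, the regular expressions and the sample list are this example's own choices.

```python
"""Triage a HijackThis log for the autostart tricks visible in this thread.

Added example written for this thread; it is not HijackThis or ComboFix code.
The rule names are this script's own, and the sample lines are abridged
copies of lines from the log above.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample: lines abridged from the HijackThis log in post #12.
SAMPLE_LOG_LINES = [
    r"F3 - REG:win.ini: load=C:\WINDOWS\system32\rqonl.exe",
    r"O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe",
    r"O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime',
    r"O4 - HKCU\..\Run: [Yahoo! Pager] 1",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - Global Startup: Adobe Gamma Loader.lnk = ?",
    r"O23 - Service: McAfee Application Installer Cleanup (0162421200054302) (0162421200054302mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\016242~1.EXE (file missing)",
    r"O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe",
]


class Finding(NamedTuple):
    rule: str
    line: str


# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First Windows path in a command, quoted or bare. The extension terminates the
# match, so a space inside the file name ("qttask .exe") stays part of the path.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|com|scr|bat|cmd|dll))\b', re.I)
# Whitespace immediately before the extension of a file name.
SPACE_BEFORE_EXT_RE = re.compile(r"\s+\.[A-Za-z0-9]+$")


def target_of(cmd: str) -> Optional[str]:
    """Return the executable path an O4 command launches, or None if there is none."""
    m = PATH_RE.match(cmd.strip())
    return m.group("path") if m else None


def has_space_before_extension(path: str) -> bool:
    """True for names like 'qttask .exe', where the real binary was pushed aside."""
    base = path.rsplit("\\", 1)[-1]
    return SPACE_BEFORE_EXT_RE.search(base) is not None


def triage(lines: List[str]) -> List[Finding]:
    """Apply the four rules below and return one Finding per matching line."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        if line.startswith("F3 - REG:win.ini: load="):
            # win.ini load= is a legacy autostart; anything non-empty deserves a look.
            if line.split("load=", 1)[1].strip():
                findings.append(Finding("win.ini load= autostart", line))
            continue
        if line.startswith("O23 - ") and line.endswith("(file missing)"):
            findings.append(Finding("service binary missing", line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        target = target_of(m.group("cmd"))
        if target is None:
            findings.append(Finding("run value is not a path", line))
        elif has_space_before_extension(target):
            findings.append(Finding("space before extension", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        print(f"[{f.rule}] {f.line}")
```

Run against a full HijackThis log by reading the file into a list of lines and passing it to triage(); the path regex deliberately ends the match at the extension so that a space inside a file name is kept, which is exactly the detail a naive split on whitespace would lose.
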
#13 dsdaddie
  • Topic Starter
  • Members
  • 9 posts

Posted 14 January 2008 - 08:03 AM

Hi Lusitano

After the most recent ComboFix my PC is slow and locking up. On CF's reboot and subsequent reboot I received an error:

P-07-0100irql:1fsysver oxff00024
"NT_KERNEL_ERROE_1256"
"KMODE_EXCEPTION_NOT_HANDLED"

Once again getting popups, even w/o IE running.
Jeff

#14 lusitano
  • Portuguese Malware Fighter
  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 14 January 2008 - 12:28 PM

Hello,

Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

Full Tilt Poker
- Read about that software here <-


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB07E4D1-CF05-4351-8F30-A60F5DD5CDD9}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

File::
C:\WINDOWS\system32\rqonl.dll
C:\WINDOWS\system32\rqonl.exe

Folder::
C:\WINDOWS\system32\40253ac9
C:\VundoFix Backups

RenV::
----a-w		   582,992 2008-01-11 20:41:14  C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w			35,992 2008-01-04 12:08:14  C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
----a-w			98,304 2008-01-04 12:07:19  C:\Program Files\Sony\HotKey Utility\HKserv .exe
----a-w		   167,936 2008-01-04 12:07:14  C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w		   135,168 2008-01-04 12:07:27  C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w		   204,288 2008-01-04 12:09:04  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w			28,672 2008-01-04 12:07:34  C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w			15,360 2008-01-11 20:40:40  C:\WINDOWS\system32\ctfmon .exe
----a-w		   382,976 2008-01-11 20:40:37  C:\WINDOWS\system32\ezSP_Px .exe
----a-w			99,840 2008-01-04 12:07:54  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1 .EXE
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post them along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
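The CFScript above acts on three things that stand out in the logs posted in this thread: executables whose name carries a space before the extension (the "mcagent .exe" style copies planted next to the real program), the win.ini `load=` entry pointing at rqonl.exe, and an extra LSA Authentication Packages entry that lsass.exe would load at boot. The following Python script is an added example, not code from this thread or from the ComboFix/HijackThis authors; it scans a saved HijackThis or ComboFix log for those three indicator types so a helper can triage a log before writing a script. The sample lines it runs on are constructed here, modelled on the line formats quoted in this thread.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the HijackThis / ComboFix line formats quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqonl.exe
"load"=C:\WINDOWS\system32\rqonl.exe
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqonl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
----a-w   582,992 2008-01-11 20:41:14  C:\Program Files\McAfee.com\Agent\mcagent .exe
"""

# A program whose basename has a space before .exe/.dll ("ezSP_Px .exe") is not a normal
# install artifact; in this thread it marks the copy the infection placed beside the real
# file so that the Run key launches the impostor. Quotes and line ends bound the path.
SPACED_EXT = re.compile(r'([A-Za-z]:\\[^"\r\n]*? \.(?:exe|dll))', re.IGNORECASE)

# win.ini "load=" as HijackThis prints it (F3 line) and as ComboFix prints the
# equivalent registry value under ...\Windows NT\CurrentVersion\Windows.
WIN_INI_LOAD = re.compile(r'(?:REG:win\.ini:\s*load=|"load"=)\s*(\S.*)$',
                          re.IGNORECASE | re.MULTILINE)

# LSA Authentication Packages: on XP only msv1_0 is expected; any other entry is a
# DLL that lsass.exe loads at boot, which is why ComboFix lists it as a loading point.
AUTH_PKG = re.compile(r'^Authentication Packages\s+REG_MULTI_SZ\s+(.*)$',
                      re.IGNORECASE | re.MULTILINE)


def find_spaced_extensions(log: str) -> List[str]:
    """Paths whose basename has a space before .exe/.dll, deduplicated, in log order."""
    hits: List[str] = []
    for m in SPACED_EXT.finditer(log):
        path = m.group(1)
        if path.lower() not in (h.lower() for h in hits):
            hits.append(path)
    return hits


def find_win_ini_load(log: str) -> List[str]:
    """Targets of win.ini load= entries; '-' is the CFScript delete marker, not a target."""
    targets = {m.group(1).strip() for m in WIN_INI_LOAD.finditer(log)}
    return sorted(t for t in targets if t != "-")


def find_extra_auth_packages(log: str) -> List[str]:
    """Whatever is listed under Authentication Packages besides the stock msv1_0."""
    extras: List[str] = []
    for m in AUTH_PKG.finditer(log):
        rest = re.sub(r"\bmsv1_0\b", "", m.group(1), flags=re.IGNORECASE).strip()
        if rest:
            extras.append(rest)
    return extras


def triage(log: str) -> Dict[str, List[str]]:
    """Run all three checks over a log and group the hits by indicator type."""
    return {
        "spaced_extension_executables": find_spaced_extensions(log),
        "win_ini_load": find_win_ini_load(log),
        "extra_lsa_auth_packages": find_extra_auth_packages(log),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(f"{kind}:")
        for hit in hits:
            print(f"  {hit}")
```

To use it on a real log, read C:\ComboFix.txt or the HijackThis log into a string and pass it to `triage()`; the path-with-space check is deliberately loose (it flags the quoted form in a Run entry and the bare form in a ComboFix file listing alike) because the same renamed copy shows up in both places in this thread.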

#15 dsdaddie

dsdaddie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:17 AM

Posted 14 January 2008 - 05:30 PM

Here's the latest.
ComboFix 08-01-04.1 - Jeff Robinson 2008-01-14 13:49:02.7 - NTFSx86
Running from: C:\Documents and Settings\Jeff Robinson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff Robinson\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\rqonl.dll
C:\WINDOWS\system32\rqonl.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\pos10.tmp
C:\pos100.tmp
C:\pos101.tmp
C:\pos102.tmp
C:\pos103.tmp
C:\pos104.tmp
C:\pos105.tmp
C:\pos106.tmp
C:\pos107.tmp
C:\pos108.tmp
C:\pos109.tmp
C:\pos10A.tmp
C:\pos10B.tmp
C:\pos10C.tmp
C:\pos10D.tmp
C:\pos10E.tmp
C:\pos10F.tmp
C:\pos11.tmp
C:\pos110.tmp
C:\pos111.tmp
C:\pos112.tmp
C:\pos113.tmp
C:\pos114.tmp
C:\pos115.tmp
C:\pos116.tmp
C:\pos117.tmp
C:\pos118.tmp
C:\pos119.tmp
C:\pos11A.tmp
C:\pos11B.tmp
C:\pos11C.tmp
C:\pos11D.tmp
C:\pos11E.tmp
C:\pos11F.tmp
C:\pos12.tmp
C:\pos120.tmp
C:\pos121.tmp
C:\pos122.tmp
C:\pos123.tmp
C:\pos124.tmp
C:\pos125.tmp
C:\pos126.tmp
C:\pos127.tmp
C:\pos128.tmp
C:\pos129.tmp
C:\pos12A.tmp
C:\pos12B.tmp
C:\pos12C.tmp
C:\pos12D.tmp
C:\pos12E.tmp
C:\pos12F.tmp
C:\pos13.tmp
C:\pos130.tmp
C:\pos131.tmp
C:\pos132.tmp
C:\pos133.tmp
C:\pos134.tmp
C:\pos135.tmp
C:\pos136.tmp
C:\pos137.tmp
C:\pos138.tmp
C:\pos139.tmp
C:\pos13A.tmp
C:\pos13B.tmp
C:\pos13C.tmp
C:\pos13D.tmp
C:\pos13E.tmp
C:\pos13F.tmp
C:\pos14.tmp
C:\pos140.tmp
C:\pos141.tmp
C:\pos142.tmp
C:\pos143.tmp
C:\pos144.tmp
C:\pos145.tmp
C:\pos146.tmp
C:\pos147.tmp
C:\pos148.tmp
C:\pos149.tmp
C:\pos14A.tmp
C:\pos14B.tmp
C:\pos14C.tmp
C:\pos14D.tmp
C:\pos14E.tmp
C:\pos14F.tmp
C:\pos15.tmp
C:\pos150.tmp
C:\pos151.tmp
C:\pos152.tmp
C:\pos153.tmp
C:\pos154.tmp
C:\pos155.tmp
C:\pos156.tmp
C:\pos157.tmp
C:\pos158.tmp
C:\pos159.tmp
C:\pos15A.tmp
C:\pos15B.tmp
C:\pos15C.tmp
C:\pos15D.tmp
C:\pos15E.tmp
C:\pos15F.tmp
C:\pos16.tmp
C:\pos160.tmp
C:\pos161.tmp
C:\pos162.tmp
C:\pos163.tmp
C:\pos164.tmp
C:\pos165.tmp
C:\pos166.tmp
C:\pos167.tmp
C:\pos168.tmp
C:\pos169.tmp
C:\pos16A.tmp
C:\pos16B.tmp
C:\pos16C.tmp
C:\pos16D.tmp
C:\pos16E.tmp
C:\pos16F.tmp
C:\pos17.tmp
C:\pos170.tmp
C:\pos171.tmp
C:\pos172.tmp
C:\pos173.tmp
C:\pos174.tmp
C:\pos175.tmp
C:\pos176.tmp
C:\pos177.tmp
C:\pos178.tmp
C:\pos179.tmp
C:\pos17A.tmp
C:\pos17B.tmp
C:\pos17C.tmp
C:\pos17D.tmp
C:\pos17E.tmp
C:\pos17F.tmp
C:\pos18.tmp
C:\pos180.tmp
C:\pos181.tmp
C:\pos182.tmp
C:\pos183.tmp
C:\pos184.tmp
C:\pos185.tmp
C:\pos186.tmp
C:\pos187.tmp
C:\pos188.tmp
C:\pos189.tmp
C:\pos18A.tmp
C:\pos18B.tmp
C:\pos18C.tmp
C:\pos18D.tmp
C:\pos18E.tmp
C:\pos18F.tmp
C:\pos19.tmp
C:\pos190.tmp
C:\pos191.tmp
C:\pos192.tmp
C:\pos193.tmp
C:\pos194.tmp
C:\pos195.tmp
C:\pos196.tmp
C:\pos197.tmp
C:\pos198.tmp
C:\pos199.tmp
C:\pos19A.tmp
C:\pos19B.tmp
C:\pos19C.tmp
C:\pos19D.tmp
C:\pos19E.tmp
C:\pos19F.tmp
C:\pos1A.tmp
C:\pos1A0.tmp
C:\pos1A1.tmp
C:\pos1A2.tmp
C:\pos1A3.tmp
C:\pos1A4.tmp
C:\pos1A5.tmp
C:\pos1A6.tmp
C:\pos1A7.tmp
C:\pos1A8.tmp
C:\pos1A9.tmp
C:\pos1AA.tmp
C:\pos1AB.tmp
C:\pos1AC.tmp
C:\pos1AD.tmp
C:\pos1AE.tmp
C:\pos1AF.tmp
C:\pos1B.tmp
C:\pos1B0.tmp
C:\pos1B1.tmp
C:\pos1B2.tmp
C:\pos1B3.tmp
C:\pos1B4.tmp
C:\pos1B5.tmp
C:\pos1B6.tmp
C:\pos1B7.tmp
C:\pos1B8.tmp
C:\pos1B9.tmp
C:\pos1BA.tmp
C:\pos1BB.tmp
C:\pos1BC.tmp
C:\pos1BD.tmp
C:\pos1BE.tmp
C:\pos1BF.tmp
C:\pos1C.tmp
C:\pos1C0.tmp
C:\pos1C1.tmp
C:\pos1C2.tmp
C:\pos1C3.tmp
C:\pos1C4.tmp
C:\pos1C5.tmp
C:\pos1C6.tmp
C:\pos1C7.tmp
C:\pos1C8.tmp
C:\pos1C9.tmp
C:\pos1CA.tmp
C:\pos1CB.tmp
C:\pos1CC.tmp
C:\pos1CD.tmp
C:\pos1CE.tmp
C:\pos1CF.tmp
C:\pos1D.tmp
C:\pos1D0.tmp
C:\pos1D1.tmp
C:\pos1D2.tmp
C:\pos1D3.tmp
C:\pos1D4.tmp
C:\pos1D5.tmp
C:\pos1D6.tmp
C:\pos1D7.tmp
C:\pos1D8.tmp
C:\pos1D9.tmp
C:\pos1DA.tmp
C:\pos1DB.tmp
C:\pos1DC.tmp
C:\pos1DD.tmp
C:\pos1DE.tmp
C:\pos1DF.tmp
C:\pos1E.tmp
C:\pos1E0.tmp
C:\pos1E1.tmp
C:\pos1E2.tmp
C:\pos1E3.tmp
C:\pos1E4.tmp
C:\pos1E5.tmp
C:\pos1E6.tmp
C:\pos1E7.tmp
C:\pos1E8.tmp
C:\pos1E9.tmp
C:\pos1EA.tmp
C:\pos1EB.tmp
C:\pos1EC.tmp
C:\pos1ED.tmp
C:\pos1EE.tmp
C:\pos1EF.tmp
C:\pos1F.tmp
C:\pos1F0.tmp
C:\pos1F1.tmp
C:\pos1F2.tmp
C:\pos1F3.tmp
C:\pos1F4.tmp
C:\pos1F5.tmp
C:\pos1F6.tmp
C:\pos1F7.tmp
C:\pos1F8.tmp
C:\pos1F9.tmp
C:\pos1FA.tmp
C:\pos1FB.tmp
C:\pos1FC.tmp
C:\pos1FD.tmp
C:\pos1FE.tmp
C:\pos1FF.tmp
C:\pos20.tmp
C:\pos200.tmp
C:\pos201.tmp
C:\pos202.tmp
C:\pos203.tmp
C:\pos204.tmp
C:\pos205.tmp
C:\pos206.tmp
C:\pos207.tmp
C:\pos208.tmp
C:\pos209.tmp
C:\pos20A.tmp
C:\pos20B.tmp
C:\pos20C.tmp
C:\pos20D.tmp
C:\pos20E.tmp
C:\pos20F.tmp
C:\pos21.tmp
C:\pos210.tmp
C:\pos211.tmp
C:\pos212.tmp
C:\pos213.tmp
C:\pos214.tmp
C:\pos215.tmp
C:\pos216.tmp
C:\pos217.tmp
C:\pos218.tmp
C:\pos219.tmp
C:\pos21A.tmp
C:\pos21B.tmp
C:\pos21C.tmp
C:\pos21D.tmp
C:\pos21E.tmp
C:\pos21F.tmp
C:\pos22.tmp
C:\pos220.tmp
C:\pos221.tmp
C:\pos222.tmp
C:\pos223.tmp
C:\pos224.tmp
C:\pos225.tmp
C:\pos226.tmp
C:\pos227.tmp
C:\pos228.tmp
C:\pos229.tmp
C:\pos22A.tmp
C:\pos22C.tmp
C:\pos22D.tmp
C:\pos22E.tmp
C:\pos22F.tmp
C:\pos23.tmp
C:\pos230.tmp
C:\pos231.tmp
C:\pos232.tmp
C:\pos233.tmp
C:\pos234.tmp
C:\pos235.tmp
C:\pos236.tmp
C:\pos237.tmp
C:\pos238.tmp
C:\pos239.tmp
C:\pos23A.tmp
C:\pos23B.tmp
C:\pos23C.tmp
C:\pos23D.tmp
C:\pos23E.tmp
C:\pos23F.tmp
C:\pos24.tmp
C:\pos240.tmp
C:\pos241.tmp
C:\pos242.tmp
C:\pos243.tmp
C:\pos244.tmp
C:\pos245.tmp
C:\pos246.tmp
C:\pos247.tmp
C:\pos248.tmp
C:\pos249.tmp
C:\pos24A.tmp
C:\pos24D.tmp
C:\pos24E.tmp
C:\pos24F.tmp
C:\pos25.tmp
C:\pos250.tmp
C:\pos251.tmp
C:\pos253.tmp
C:\pos254.tmp
C:\pos257.tmp
C:\pos258.tmp
C:\pos259.tmp
C:\pos25A.tmp
C:\pos25B.tmp
C:\pos25D.tmp
C:\pos25E.tmp
C:\pos25F.tmp
C:\pos26.tmp
C:\pos260.tmp
C:\pos261.tmp
C:\pos262.tmp
C:\pos263.tmp
C:\pos264.tmp
C:\pos265.tmp
C:\pos266.tmp
C:\pos267.tmp
C:\pos268.tmp
C:\pos269.tmp
C:\pos26A.tmp
C:\pos26B.tmp
C:\pos26C.tmp
C:\pos26D.tmp
C:\pos26E.tmp
C:\pos26F.tmp
C:\pos27.tmp
C:\pos270.tmp
C:\pos271.tmp
C:\pos272.tmp
C:\pos274.tmp
C:\pos275.tmp
C:\pos276.tmp
C:\pos277.tmp
C:\pos278.tmp
C:\pos279.tmp
C:\pos27A.tmp
C:\pos27B.tmp
C:\pos27C.tmp
C:\pos27D.tmp
C:\pos27E.tmp
C:\pos27F.tmp
C:\pos28.tmp
C:\pos280.tmp
C:\pos281.tmp
C:\pos282.tmp
C:\pos283.tmp
C:\pos284.tmp
C:\pos285.tmp
C:\pos286.tmp
C:\pos287.tmp
C:\pos288.tmp
C:\pos289.tmp
C:\pos28A.tmp
C:\pos28B.tmp
C:\pos28C.tmp
C:\pos28D.tmp
C:\pos28E.tmp
C:\pos28F.tmp
C:\pos29.tmp
C:\pos290.tmp
C:\pos291.tmp
C:\pos292.tmp
C:\pos293.tmp
C:\pos294.tmp
C:\pos295.tmp
C:\pos296.tmp
C:\pos297.tmp
C:\pos298.tmp
C:\pos299.tmp
C:\pos29A.tmp
C:\pos29B.tmp
C:\pos29C.tmp
C:\pos29D.tmp
C:\pos29E.tmp
C:\pos29F.tmp
C:\pos2A.tmp
C:\pos2A0.tmp
C:\pos2A1.tmp
C:\pos2A2.tmp
C:\pos2A3.tmp
C:\pos2A4.tmp
C:\pos2A5.tmp
C:\pos2A6.tmp
C:\pos2A7.tmp
C:\pos2A8.tmp
C:\pos2A9.tmp
C:\pos2AA.tmp
C:\pos2AB.tmp
C:\pos2AC.tmp
C:\pos2AD.tmp
C:\pos2AE.tmp
C:\pos2AF.tmp
C:\pos2B0.tmp
C:\pos2B1.tmp
C:\pos2B2.tmp
C:\pos2B3.tmp
C:\pos2B4.tmp
C:\pos2B5.tmp
C:\pos2B6.tmp
C:\pos2B7.tmp
C:\pos2B8.tmp
C:\pos2B9.tmp
C:\pos2BA.tmp
C:\pos2BB.tmp
C:\pos2BC.tmp
C:\pos2BD.tmp
C:\pos2BE.tmp
C:\pos2BF.tmp
C:\pos2C.tmp
C:\pos2C0.tmp
C:\pos2C1.tmp
C:\pos2C2.tmp
C:\pos2C3.tmp
C:\pos2C4.tmp
C:\pos2C5.tmp
C:\pos2C6.tmp
C:\pos2C7.tmp
C:\pos2C8.tmp
C:\pos2C9.tmp
C:\pos2CA.tmp
C:\pos2CB.tmp
C:\pos2CC.tmp
C:\pos2CD.tmp
C:\pos2CE.tmp
C:\pos2CF.tmp
C:\pos2D.tmp
C:\pos2D0.tmp
C:\pos2D1.tmp
C:\pos2D2.tmp
C:\pos2D3.tmp
C:\pos2D4.tmp
C:\pos2D5.tmp
C:\pos2D6.tmp
C:\pos2D7.tmp
C:\pos2D8.tmp
C:\pos2D9.tmp
C:\pos2DA.tmp
C:\pos2DB.tmp
C:\pos2DC.tmp
C:\pos2DD.tmp
C:\pos2DE.tmp
C:\pos2DF.tmp
C:\pos2E.tmp
C:\pos2E0.tmp
C:\pos2E1.tmp
C:\pos2E2.tmp
C:\pos2E3.tmp
C:\pos2E4.tmp
C:\pos2E5.tmp
C:\pos2E6.tmp
C:\pos2E7.tmp
C:\pos2E8.tmp
C:\pos2E9.tmp
C:\pos2EA.tmp
C:\pos2EB.tmp
C:\pos2EC.tmp
C:\pos2ED.tmp
C:\pos2EE.tmp
C:\pos2EF.tmp
C:\pos2F.tmp
C:\pos2F0.tmp
C:\pos2F1.tmp
C:\pos2F2.tmp
C:\pos2F3.tmp
C:\pos2F4.tmp
C:\pos2F5.tmp
C:\pos2F6.tmp
C:\pos2F7.tmp
C:\pos2F8.tmp
C:\pos2F9.tmp
C:\pos2FA.tmp
C:\pos2FB.tmp
C:\pos2FC.tmp
C:\pos2FD.tmp
C:\pos2FE.tmp
C:\pos2FF.tmp
C:\pos30.tmp
C:\pos300.tmp
C:\pos301.tmp
C:\pos302.tmp
C:\pos303.tmp
C:\pos304.tmp
C:\pos305.tmp
C:\pos306.tmp
C:\pos307.tmp
C:\pos308.tmp
C:\pos309.tmp
C:\pos30A.tmp
C:\pos30B.tmp
C:\pos30C.tmp
C:\pos30D.tmp
C:\pos30E.tmp
C:\pos30F.tmp
C:\pos31.tmp
C:\pos310.tmp
C:\pos311.tmp
C:\pos312.tmp
C:\pos313.tmp
C:\pos314.tmp
C:\pos315.tmp
C:\pos316.tmp
C:\pos317.tmp
C:\pos318.tmp
C:\pos319.tmp
C:\pos31A.tmp
C:\pos31B.tmp
C:\pos31C.tmp
C:\pos31D.tmp
C:\pos31E.tmp
C:\pos31F.tmp
C:\pos32.tmp
C:\pos320.tmp
C:\pos321.tmp
C:\pos322.tmp
C:\pos323.tmp
C:\pos324.tmp
C:\pos325.tmp
C:\pos326.tmp
C:\pos327.tmp
C:\pos328.tmp
C:\pos329.tmp
C:\pos32A.tmp
C:\pos32B.tmp
C:\pos32C.tmp
C:\pos32D.tmp
C:\pos32E.tmp
C:\pos32F.tmp
C:\pos33.tmp
C:\pos330.tmp
C:\pos331.tmp
C:\pos332.tmp
C:\pos333.tmp
C:\pos334.tmp
C:\pos335.tmp
C:\pos336.tmp
C:\pos337.tmp
C:\pos338.tmp
C:\pos339.tmp
C:\pos33A.tmp
C:\pos33B.tmp
C:\pos33C.tmp
C:\pos33D.tmp
C:\pos33E.tmp
C:\pos33F.tmp
C:\pos34.tmp
C:\pos340.tmp
C:\pos341.tmp
C:\pos342.tmp
C:\pos343.tmp
C:\pos344.tmp
C:\pos345.tmp
C:\pos346.tmp
C:\pos347.tmp
C:\pos348.tmp
C:\pos349.tmp
C:\pos34A.tmp
C:\pos34B.tmp
C:\pos34C.tmp
C:\pos34D.tmp
C:\pos34E.tmp
C:\pos34F.tmp
C:\pos35.tmp
C:\pos350.tmp
C:\pos351.tmp
C:\pos352.tmp
C:\pos353.tmp
C:\pos354.tmp
C:\pos355.tmp
C:\pos356.tmp
C:\pos357.tmp
C:\pos358.tmp
C:\pos359.tmp
C:\pos35A.tmp
C:\pos35B.tmp
C:\pos35C.tmp
C:\pos35D.tmp
C:\pos35E.tmp
C:\pos35F.tmp
C:\pos36.tmp
C:\pos360.tmp
C:\pos361.tmp
C:\pos362.tmp
C:\pos363.tmp
C:\pos364.tmp
C:\pos365.tmp
C:\pos366.tmp
C:\pos367.tmp
C:\pos368.tmp
C:\pos369.tmp
C:\pos36A.tmp
C:\pos36B.tmp
C:\pos36C.tmp
C:\pos36D.tmp
C:\pos36E.tmp
C:\pos36F.tmp
C:\pos37.tmp
C:\pos370.tmp
C:\pos371.tmp
C:\pos372.tmp
C:\pos373.tmp
C:\pos374.tmp
C:\pos375.tmp
C:\pos376.tmp
C:\pos377.tmp
C:\pos378.tmp
C:\pos379.tmp
C:\pos37A.tmp
C:\pos37B.tmp
C:\pos37C.tmp
C:\pos37D.tmp
C:\pos37E.tmp
C:\pos37F.tmp
C:\pos38.tmp
C:\pos380.tmp
C:\pos381.tmp
C:\pos382.tmp
C:\pos383.tmp
C:\pos384.tmp
C:\pos385.tmp
C:\pos386.tmp
C:\pos387.tmp
C:\pos388.tmp
C:\pos389.tmp
C:\pos38A.tmp
C:\pos38B.tmp
C:\pos38C.tmp
C:\pos38D.tmp
C:\pos38E.tmp
C:\pos38F.tmp
C:\pos39.tmp
C:\pos390.tmp
C:\pos391.tmp
C:\pos392.tmp
C:\pos393.tmp
C:\pos394.tmp
C:\pos395.tmp
C:\pos396.tmp
C:\pos397.tmp
C:\pos398.tmp
C:\pos399.tmp
C:\pos39A.tmp
C:\pos39B.tmp
C:\pos39C.tmp
C:\pos39D.tmp
C:\pos39E.tmp
C:\pos39F.tmp
C:\pos3A.tmp
C:\pos3A0.tmp
C:\pos3A1.tmp
C:\pos3A2.tmp
C:\pos3A3.tmp
C:\pos3A4.tmp
C:\pos3A5.tmp
C:\pos3A6.tmp
C:\pos3A7.tmp
C:\pos3A8.tmp
C:\pos3A9.tmp
C:\pos3AA.tmp
C:\pos3AB.tmp
C:\pos3AC.tmp
C:\pos3AD.tmp
C:\pos3AE.tmp
C:\pos3AF.tmp
C:\pos3B.tmp
C:\pos3B0.tmp
C:\pos3B1.tmp
C:\pos3B2.tmp
C:\pos3B3.tmp
C:\pos3B4.tmp
C:\pos3B5.tmp
C:\pos3B6.tmp
C:\pos3B7.tmp
C:\pos3B8.tmp
C:\pos3B9.tmp
C:\pos3BA.tmp
C:\pos3BB.tmp
C:\pos3BC.tmp
C:\pos3BD.tmp
C:\pos3BE.tmp
C:\pos3BF.tmp
C:\pos3C.tmp
C:\pos3C0.tmp
C:\pos3C1.tmp
C:\pos3C2.tmp
C:\pos3C3.tmp
C:\pos3C4.tmp
C:\pos3C5.tmp
C:\pos3C6.tmp
C:\pos3C7.tmp
C:\pos3C8.tmp
C:\pos3C9.tmp
C:\pos3CA.tmp
C:\pos3CB.tmp
C:\pos3CC.tmp
C:\pos3CD.tmp
C:\pos3CE.tmp
C:\pos3CF.tmp
C:\pos3D.tmp
C:\pos3D0.tmp
C:\pos3D1.tmp
C:\pos3D2.tmp
C:\pos3D3.tmp
C:\pos3D4.tmp
C:\pos3D5.tmp
C:\pos3D6.tmp
C:\pos3D7.tmp
C:\pos3D8.tmp
C:\pos3D9.tmp
C:\pos3DA.tmp
C:\pos3DB.tmp
C:\pos3DC.tmp
C:\pos3DD.tmp
C:\pos3DE.tmp
C:\pos3DF.tmp
C:\pos3E.tmp
C:\pos3E0.tmp
C:\pos3E1.tmp
C:\pos3E2.tmp
C:\pos3E3.tmp
C:\pos3E4.tmp
C:\pos3E5.tmp
C:\pos3E6.tmp
C:\pos3E7.tmp
C:\pos3E8.tmp
C:\pos3E9.tmp
C:\pos3EA.tmp
C:\pos3EB.tmp
C:\pos3EC.tmp
C:\pos3ED.tmp
C:\pos3EE.tmp
C:\pos3EF.tmp
C:\pos3F.tmp
C:\pos3F0.tmp
C:\pos3F1.tmp
C:\pos3F2.tmp
C:\pos3F3.tmp
C:\pos3F4.tmp
C:\pos4.tmp
C:\pos40.tmp
C:\pos41.tmp
C:\pos42.tmp
C:\pos43.tmp
C:\pos44.tmp
C:\pos45.tmp
C:\pos46.tmp
C:\pos47.tmp
C:\pos48.tmp
C:\pos49.tmp
C:\pos4A.tmp
C:\pos4B.tmp
C:\pos4C.tmp
C:\pos4D.tmp
C:\pos4E.tmp
C:\pos4F.tmp
C:\pos5.tmp
C:\pos50.tmp
C:\pos51.tmp
C:\pos52.tmp
C:\pos53.tmp
C:\pos54.tmp
C:\pos55.tmp
C:\pos56.tmp
C:\pos57.tmp
C:\pos58.tmp
C:\pos59.tmp
C:\pos5A.tmp
C:\pos5B.tmp
C:\pos5C.tmp
C:\pos5D.tmp
C:\pos5E.tmp
C:\pos5F.tmp
C:\pos6.tmp
C:\pos60.tmp
C:\pos61.tmp
C:\pos62.tmp
C:\pos63.tmp
C:\pos64.tmp
C:\pos65.tmp
C:\pos66.tmp
C:\pos67.tmp
C:\pos68.tmp
C:\pos69.tmp
C:\pos6A.tmp
C:\pos6B.tmp
C:\pos6C.tmp
C:\pos6D.tmp
C:\pos6E.tmp
C:\pos6F.tmp
C:\pos7.tmp
C:\pos70.tmp
C:\pos71.tmp
C:\pos72.tmp
C:\pos73.tmp
C:\pos74.tmp
C:\pos75.tmp
C:\pos76.tmp
C:\pos77.tmp
C:\pos78.tmp
C:\pos79.tmp
C:\pos7A.tmp
C:\pos7B.tmp
C:\pos7C.tmp
C:\pos7D.tmp
C:\pos7E.tmp
C:\pos7F.tmp
C:\pos8.tmp
C:\pos80.tmp
C:\pos81.tmp
C:\pos82.tmp
C:\pos83.tmp
C:\pos84.tmp
C:\pos85.tmp
C:\pos86.tmp
C:\pos87.tmp
C:\pos88.tmp
C:\pos89.tmp
C:\pos8A.tmp
C:\pos8B.tmp
C:\pos8C.tmp
C:\pos8D.tmp
C:\pos8E.tmp
C:\pos8F.tmp
C:\pos9.tmp
C:\pos90.tmp
C:\pos91.tmp
C:\pos92.tmp
C:\pos93.tmp
C:\pos94.tmp
C:\pos95.tmp
C:\pos96.tmp
C:\pos97.tmp
C:\pos98.tmp
C:\pos99.tmp
C:\pos9A.tmp
C:\pos9B.tmp
C:\pos9C.tmp
C:\pos9D.tmp
C:\pos9E.tmp
C:\pos9F.tmp
C:\posA.tmp
C:\posA0.tmp
C:\posA1.tmp
C:\posA2.tmp
C:\posA3.tmp
C:\posA4.tmp
C:\posA5.tmp
C:\posA6.tmp
C:\posA7.tmp
C:\posA8.tmp
C:\posA9.tmp
C:\posAA.tmp
C:\posAB.tmp
C:\posAC.tmp
C:\posAD.tmp
C:\posAE.tmp
C:\posAF.tmp
C:\posB.tmp
C:\posB0.tmp
C:\posB1.tmp
C:\posB2.tmp
C:\posB3.tmp
C:\posB4.tmp
C:\posB5.tmp
C:\posB6.tmp
C:\posB7.tmp
C:\posB8.tmp
C:\posB9.tmp
C:\posBA.tmp
C:\posBB.tmp
C:\posBC.tmp
C:\posBD.tmp
C:\posBE.tmp
C:\posBF.tmp
C:\posC.tmp
C:\posC0.tmp
C:\posC1.tmp
C:\posC2.tmp
C:\posC3.tmp
C:\posC4.tmp
C:\posC5.tmp
C:\posC6.tmp
C:\posC7.tmp
C:\posC8.tmp
C:\posC9.tmp
C:\posCA.tmp
C:\posCB.tmp
C:\posCC.tmp
C:\posCD.tmp
C:\posCE.tmp
C:\posCF.tmp
C:\posD.tmp
C:\posD0.tmp
C:\posD1.tmp
C:\posD2.tmp
C:\posD3.tmp
C:\posD4.tmp
C:\posD5.tmp
C:\posD6.tmp
C:\posD7.tmp
C:\posD8.tmp
C:\posD9.tmp
C:\posDA.tmp
C:\posDB.tmp
C:\posDC.tmp
C:\posDD.tmp
C:\posDE.tmp
C:\posDF.tmp
C:\posE.tmp
C:\posE0.tmp
C:\posE1.tmp
C:\posE2.tmp
C:\posE3.tmp
C:\posE4.tmp
C:\posE5.tmp
C:\posE6.tmp
C:\posE7.tmp
C:\posE8.tmp
C:\posE9.tmp
C:\posEA.tmp
C:\posEB.tmp
C:\posEC.tmp
C:\posED.tmp
C:\posEE.tmp
C:\posEF.tmp
C:\posF.tmp
C:\posF0.tmp
C:\posF1.tmp
C:\posF2.tmp
C:\posF3.tmp
C:\posF4.tmp
C:\posF5.tmp
C:\posF6.tmp
C:\posF7.tmp
C:\posF8.tmp
C:\posF9.tmp
C:\posFA.tmp
C:\posFB.tmp
C:\posFC.tmp
C:\posFD.tmp
C:\posFE.tmp
C:\posFF.tmp
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\LogOnHook.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\WINDOWS\system32\40253ac9\
C:\WINDOWS\system32\cbruhjhc.dll
C:\WINDOWS\system32\chjhurbc.ini
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ezSP_Px .exe
C:\WINDOWS\system32\fwjkdznh.dll
C:\WINDOWS\system32\fwjkdznh.dllbox
C:\WINDOWS\system32\lnoqr.ini
C:\WINDOWS\system32\lnoqr.ini2
C:\WINDOWS\system32\rqonl.dll
C:\WINDOWS\system32\rqonl.exe
C:\WINDOWS\system32\tfksnnuc.dll
C:\WINDOWS\system32\ufxjccok.dll
C:\WINDOWS\system32\windows

"C:\Program Files\McAfee\MBK\LogOnHook .exe" replaces infected copy of "C:\Program Files\McAfee\MBK\LogOnHook.exe"
"C:\Program Files\McAfee\MBK\McAfeeDataBackup .exe" replaces infected copy of "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
"C:\Program Files\McAfee.com\Agent\mcagent .exe" replaces infected copy of "C:\Program Files\McAfee.com\Agent\mcagent.exe"
"C:\Program Files\SanDisk\Sansa Updater\SansaDispatch .exe" replaces infected copy of "C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe"
"C:\WINDOWS\system32\ctfmon .exe" moved to QooBox
.
.
((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-14 14:27 . 2008-01-14 14:27 337,920 --a------ C:\WINDOWS\system32\rqonl.exe
2008-01-14 14:27 . 2008-01-14 14:27 319 --ahs---- C:\WINDOWS\system32\lnoqr.ini2
2008-01-14 14:26 . 2008-01-14 14:27 382,976 --a------ C:\WINDOWS\system32\ezSP_Px .exe
2008-01-14 14:26 . 2008-01-14 14:27 334,336 --a------ C:\WINDOWS\system32\rqonl.dll
2008-01-11 15:57 . 2008-01-11 15:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-11 15:57 . 2008-01-11 15:57 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-11 07:31 . 2008-01-11 07:31 <DIR> d-------- C:\Documents and Settings\Jeff Robinson\Application Data\DivX
2008-01-07 21:09 . 2008-01-07 21:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2008-01-07 21:08 . 2008-01-07 21:08 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-07 20:29 . 2008-01-07 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-07 20:28 . 2008-01-07 20:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-07 20:16 . 2008-01-07 20:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-01-04 19:59 . 2008-01-07 21:09 <DIR> d-------- C:\Program Files\Seagate
2008-01-04 19:16 . 2008-01-04 19:23 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-04 16:59 . 2008-01-04 16:59 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-01-04 16:59 . 2008-01-04 16:59 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-01-04 16:58 . 2008-01-04 16:58 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 16:58 . 2008-01-04 16:58 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-01-04 16:58 . 2008-01-04 16:58 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-01-04 16:56 . 2008-01-04 16:56 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 16:56 . 2008-01-04 16:56 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-01-04 08:40 . 2008-01-04 08:40 9 --a------ C:\WINDOWS\system32\40253ac9
2008-01-04 08:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 17:44 . 2008-01-01 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 20:38 . 2007-12-30 20:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-30 20:38 . 2007-12-30 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-28 17:53 . 2007-12-28 17:53 0 --a------ C:\WINDOWS\VAIOUpdt .INI
2007-12-24 12:18 . 2007-12-24 12:18 9,662 --a------ C:\WINDOWS\EPISME00.SWB
2007-12-18 08:35 . 2008-01-04 08:27 <DIR> d-------- C:\Temp
2007-12-16 13:16 . 2007-12-21 15:23 2,932 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-14 18:39 . 2007-12-14 18:39 <DIR> d-------- C:\Program Files\SanDisk
2007-12-14 18:38 . 2007-12-14 18:38 <DIR> d-------- C:\Documents and Settings\Jeff Robinson\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 15:38 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2008-01-10 14:55 --------- d-----w C:\Program Files\DivX
2008-01-10 13:19 --------- d-----w C:\Program Files\mobile PhoneTools
2008-01-08 02:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 13:07 --------- d-----w C:\Program Files\QuickTime
2008-01-07 13:07 --------- d-----w C:\Program Files\Apoint
2008-01-07 12:43 --------- d-----w C:\Program Files\Nikon
2008-01-07 12:42 --------- d-----w C:\Program Files\Common Files\Nikon
2008-01-07 12:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-01-07 00:23 --------- d-----w C:\Program Files\McAfee
2008-01-05 00:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 12:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-03 14:48 --------- d-----w C:\Program Files\jv16 PowerTools 2006
2007-12-29 03:00 382,976 ----a-w C:\WINDOWS\system32\ezSP_Px.exe
2007-12-21 20:57 --------- d-----w C:\Program Files\HomeTech42
2007-12-21 20:37 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-11 14:21 23,817 ----a-w C:\Documents and Settings\Jeff Robinson\Application Data\info.dat
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 01:26 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2007-07-20 17:54 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-07-20 17:54 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
.
----a-w		   582,992 2008-01-14 19:27:38  C:\Program Files\McAfee.com\Agent\mcagent .exe
------w			35,992 2008-01-04 12:08:14  C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
----a-w			98,304 2008-01-04 12:07:19  C:\Program Files\Sony\HotKey Utility\HKserv .exe
----a-w		   167,936 2008-01-04 12:07:14  C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w		   135,168 2008-01-04 12:07:27  C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w		   204,288 2008-01-04 12:09:04  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w			28,672 2008-01-04 12:07:34  C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w		   382,976 2008-01-14 19:27:24  C:\WINDOWS\system32\ezSP_Px .exe
----a-w			99,840 2008-01-04 12:07:54  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1 .EXE


((((((((((((((((((((((((((((( snapshot_2008-01-10_ 8.35.00.74 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-10 12:23:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-14 12:25:17 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-10 12:23:28 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-14 12:25:17 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6474DE1E-265F-4002-9A1E-100E1722F109}]
2008-01-14 14:27 334336 --a------ C:\WINDOWS\system32\rqonl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickClean Imonitor"="C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe" [ ]
"Yahoo! Pager"="1" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="C:\Program Files\McAfee.com\Shredder\SHRED32.exe" [2005-07-15 00:51 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [ ]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [ ]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px .exe" [2008-01-14 14:27 382976]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-01-14 14:27 947712]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [ ]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2008-01-14 14:27 4866560]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2008-01-14 14:27 360448]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [2008-01-14 14:27 414208]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\rqonl.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqonl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2005-12-18 21:35]
R2 Basics Service;Basics Service;"C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe" [2007-10-09 16:21]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-03-12 16:32]
S2 0162421200054302mcinstcleanup;McAfee Application Installer Cleanup (0162421200054302);C:\WINDOWS\TEMP\016242~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe [2004-03-12 15:57]

.
Contents of the 'Scheduled Tasks' folder
"2006-08-02 13:32:11 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-01-01 06:02:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
"2005-08-11 17:05:25 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 14:27:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-14 14:39:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-14 19:39:03
ComboFix2.txt 2008-01-11 20:49:47
ComboFix3.txt 2008-01-10 14:19:16
ComboFix4.txt 2008-01-10 13:36:02
ComboFix5.txt 2008-01-08 19:08:12
.
2008-01-10 12:44:17 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:01 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\system32\ezSP_Px .exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqonl.exe
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKCU\..\Run: [QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee.com\Shredder\SHRED32.EXE" /q C:\DOCUME~1\JEFFRO~1\LOCALS~1\TEMPOR~1\Content.SH! D:\TEMPOR~1\ANTIPH~1.SH! D:\TEMPOR~1\Content.SH!
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O23 - Service: McAfee Application Installer Cleanup (0162421200054302) (0162421200054302mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\016242~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 10346 bytes

