Need Help Removing Gebcd.exe Vundo


22 replies to this topic

#1 Bryan11108

  • Members
  • 13 posts

Posted 11 January 2008 - 03:44 PM

Many thanks in advance for the help!

I have not been able to remove gebcd.exe from my system.
I have used both ComboFix and Vundo Fix with no luck.

My Hijack This log is found below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:06 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Real\RealPlayer\RealPlay .exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect .exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\TomTom HOME\TomTomHOME .exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\AllTracksGone\alltracksgone.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AllTracksGone\alltracksgone .exe
C:\Program Files\DellSupport\DSAgnt .exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Bryan Lewis\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdoclc.dll/dnserror.htm
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebcd.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [AllTracksGone] C:\Program Files\AllTracksGone\alltracksgone .exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AllTracksGone 2005.lnk = C:\Program Files\AllTracksGone\alltracksgone.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9027 bytes
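The log above carries three traits worth reading as a set: the `F3 - REG:win.ini: load=` autostart pointing at gebcd.exe, an O2 BHO registered with "(no name)" that loads gebcd.dll from system32 (it shows up in the second log posted further down), and a crowd of running images and O4 Run values whose names have a space before `.exe` (`quickset .exe`, and the ` .exe .exe .exe` tail on the Dell QuickSet value). The Python below is an added example written for this page, not a BleepingComputer or HijackThis tool: it parses a constructed excerpt of the posted log and flags exactly those traits. The rule set, the `Finding` record and the `canonical_exe` helper are assumptions of this example, not anything the thread's helpers used.

```python
"""Triage a HijackThis 2.x log for the traits visible in the thread above.

Flags:
  * F2/F3 win.ini run=/load= autostarts (rarely legitimate on Windows XP),
  * O2 BHOs registered with "(no name)",
  * any running process or O4 Run value whose path has a space before .exe
    (the "quickset .exe" twins, including repeated " .exe .exe" tails).
"""
import re
from dataclasses import dataclass

# Constructed excerpt: a handful of lines copied from the log posted above,
# not a complete HijackThis log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\WINDOWS\system32\hkcmd .exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdoclc.dll/dnserror.htm
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebcd.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CE17F8E-6669-4D5E-BEAE-1239B4AEF2DC} - C:\WINDOWS\system32\gebcd.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
"""

SPACE_EXT = re.compile(r" \.exe\b", re.IGNORECASE)
WININI_AUTOSTART = re.compile(r"^F[23] - REG:win\.ini: (?P<key>load|run)=(?P<path>.+)$")
UNNAMED_BHO = re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str   # "process", "F3", "O2" or "O4"
    reason: str
    detail: str    # the path or command the finding is about


def canonical_exe(cmd):
    """Collapse one or more ' .exe' tokens back to the name they shadow."""
    return re.sub(r"(?: \.exe)+", ".exe", cmd, flags=re.IGNORECASE)


def triage(log_text):
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            in_processes = False        # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if SPACE_EXT.search(line):
                findings.append(Finding("process", "running image has a space before .exe", line))
            continue
        m = WININI_AUTOSTART.match(line)
        if m:
            findings.append(Finding("F3", f"win.ini {m['key']}= autostart", m["path"]))
            continue
        m = UNNAMED_BHO.match(line)
        if m:
            findings.append(Finding("O2", "BHO registered without a name", m["path"]))
            continue
        m = O4_RUN.match(line)
        if m:
            hits = len(SPACE_EXT.findall(m["cmd"]))
            if hits:
                findings.append(Finding(
                    "O4",
                    f"[{m['name']}] has {hits} ' .exe' token(s); expected {canonical_exe(m['cmd'])}",
                    m["cmd"]))
    return findings


def autostart_stems(findings):
    """Lower-case file stems named by F3/O2 findings, to spot one component
    reappearing under several persistence points (here: gebcd.exe + gebcd.dll)."""
    stems = set()
    for f in findings:
        if f.section in ("F3", "O2"):
            name = f.detail.replace("\\", "/").rsplit("/", 1)[-1]
            stems.add(name.rsplit(".", 1)[0].lower())
    return stems


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:8} {f.reason}\n         {f.detail}")
    print("shared stems across autostarts:", sorted(autostart_stems(found)))
```

Run against the excerpt it reports two running twins, the win.ini load= entry, the unnamed BHO and two hijacked Run values, and `autostart_stems` ties the F3 and O2 entries together through the shared stem `gebcd`. The same functions take a full pasted log as input.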


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 12 January 2008 - 07:06 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Bryan11108.
My name is Richie and I'll be helping you to fix your problems.

Please move HijackThis to a permanent folder on the hard drive such as C:\HJT.
Create a new folder and place HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse any line entry deletion if found to be necessary.
If you run Hijackthis from the desktop, the files it removes will not be backed up properly.

How to create a new folder named HJT
1. Click Start/My Computer, in the 'My Computer' window, open the window in which you want to create the new folder, click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

If you need help, follow the info in the link below:
http://russelltexas.com/malware/createhjtfolder.htm


Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 4'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix by sUBs and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\HJT\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still HijackThis.exe), post that log into your next reply please.

#3 Bryan11108

  • Topic Starter
  • Members
  • 13 posts

Posted 12 January 2008 - 09:29 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:15 AM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect .exe
C:\WINDOWS\system32\igfxpers .exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\WINDOWS\system32\hkcmd .exe
C:\Program Files\AllTracksGone\alltracksgone.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt .exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdoclc.dll/dnserror.htm
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebcd.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CE17F8E-6669-4D5E-BEAE-1239B4AEF2DC} - C:\WINDOWS\system32\gebcd.dll
O2 - BHO: CInternetExplorerAssistant - {59693FA9-25A3-4D8C-BB03-35658A5D83DA} - C:\PROGRA~1\INTERN~2\INTERN~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [AllTracksGone] C:\Program Files\AllTracksGone\alltracksgone.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AllTracksGone 2005.lnk = C:\Program Files\AllTracksGone\alltracksgone.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9592 bytes

#4 Bryan11108

  • Topic Starter
  • Members
  • 13 posts

Posted 12 January 2008 - 09:30 AM

The ComboFix txt file was too large to cut and paste.
I am attempting to attach.

Attached Files



#5 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 12 January 2008 - 09:48 AM

Download RenV.exe to your desktop, double click to run it:
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
When it's finished it will produce a Log.
Please post the contents of that Log into your next reply.

#6 Bryan11108

  • Topic Starter
  • Members
  • 13 posts

Posted 12 January 2008 - 04:20 PM

Ran on Sat 01/12/2008 - 16:08:59.39



----a-w		   313,472 2008-01-12 20:54:54  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe

----a-w		   492,544 2008-01-12 20:54:39  C:\Program Files\AllTracksGone\alltracksgone .exe

----a-w			81,920 2008-01-12 20:53:11  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe

----a-w		   106,496 2008-01-12 20:53:33  C:\Program Files\Corel\Corel Photo Album 6\MediaDetect .exe

----a-w			53,248 2008-01-12 20:53:23  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe

----a-w		   684,032 2008-01-12 20:53:30  C:\Program Files\Dell\QuickSet\quickset .exe

----a-w		   460,784 2008-01-12 20:54:46  C:\Program Files\DellSupport\DSAgnt .exe

----a-w		   385,024 2008-01-12 20:53:22  C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe

----a-w		   267,064 2008-01-12 20:53:49  C:\Program Files\iTunes\iTunesHelper .exe

----a-w		   144,784 2008-01-12 20:54:24  C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe

----a-w		 1,121,792 2008-01-10 18:32:25  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe

----a-w		 1,694,208 2008-01-12 20:54:36  C:\Program Files\Messenger\msmsgs .exe

----a-w			26,112 2008-01-12 20:53:10  C:\Program Files\Real\RealPlayer\RealPlay .exe

----a-w		   729,178 2008-01-12 12:48:42  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe

----a-w		 3,718,312 2008-01-12 20:53:41  C:\Program Files\TomTom HOME\TomTomHOME .exe

----a-w		 1,393,928 2008-01-11 03:07:13  C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe

----a-w		   492,808 2008-01-12 20:55:07  C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe

----a-w		   208,952 2008-01-12 20:53:55  C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE

----a-w			44,032 2008-01-12 20:53:59  C:\WINDOWS\ime\imkr6_1\IMEKRMIG .EXE

----a-w			77,824 2008-01-12 20:54:08  C:\WINDOWS\system32\hkcmd .exe

----a-w		   114,688 2008-01-12 20:54:13  C:\WINDOWS\system32\igfxpers .exe

----a-w			94,208 2008-01-12 20:54:05  C:\WINDOWS\system32\igfxtray .exe



 Entries:			   22  (22)

 Directories:			0  Files:			22

 Bytes:		 12,705,410  Blocks:	   24,820
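RenV's log above is a listing of every file whose name has a space before `.exe`, with attributes, size and timestamp; nearly all of them were written within two minutes of each other on 2008-01-12, and each sits next to a program of the same name. RenV.exe's own code is not on this page, so the Python below is an added reconstruction of just the discovery step, not sUBs's tool: it walks a directory tree, pairs each `name .exe` with its `name.exe` sibling and reports size, modification time and whether the two are byte-identical, which separates an exact copy from a differing file dropped under a familiar name. `build_demo_tree()` is a constructed fixture using placeholder bytes in paths borrowed from the log; the script renames and deletes nothing.

```python
"""Find 'name .exe' twins on disk, the pattern RenV.exe listed above.

This is an added reconstruction of the discovery step only: it does not rename
or delete anything. build_demo_tree() creates a throwaway directory with
placeholder byte strings standing in for executables.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# 'quickset .exe', 'quickset .exe .exe', ... -> stem 'quickset'
TWIN_RE = re.compile(r"^(?P<stem>.+?)(?: \.exe)+$", re.IGNORECASE)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_exe_twins(root):
    """Return one record per space-before-.exe file under root, with the
    properly named sibling (if present) and whether the two are byte-identical.
    A differing twin next to a legitimate program is the case worth a closer look."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            m = TWIN_RE.match(fn)
            if not m:
                continue
            odd = Path(dirpath) / fn
            legit = Path(dirpath) / (m["stem"] + ".exe")
            st = odd.stat()
            hits.append({
                "odd": str(odd),
                "odd_size": st.st_size,
                "odd_mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(timespec="seconds"),
                "legit": str(legit) if legit.is_file() else None,
                "identical": sha256_of(odd) == sha256_of(legit) if legit.is_file() else None,
            })
    return sorted(hits, key=lambda r: r["odd"])


def summarize(hits):
    """{odd file name: (legit sibling present?, identical contents?)}"""
    return {Path(r["odd"]).name: (r["legit"] is not None, r["identical"]) for r in hits}


def build_demo_tree():
    """Constructed fixture mirroring paths from the RenV log above; contents are
    placeholders, not real binaries."""
    root = Path(tempfile.mkdtemp(prefix="renv_demo_"))
    fixture = {
        r"Program Files\Dell\QuickSet\quickset.exe": b"MZ legit quickset",
        r"Program Files\Dell\QuickSet\quickset .exe": b"MZ something else",   # differs from sibling
        r"WINDOWS\system32\hkcmd.exe": b"MZ legit hkcmd",
        r"WINDOWS\system32\hkcmd .exe": b"MZ legit hkcmd",                   # exact copy of sibling
        r"Program Files\Orphan\orphan .exe": b"MZ no sibling",               # no legit twin at all
        r"WINDOWS\system32\igfxtray.exe": b"MZ untouched",                   # nothing to report
    }
    for rel, data in fixture.items():
        p = root.joinpath(*rel.split("\\"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    for rec in find_exe_twins(build_demo_tree()):
        print(rec)
```

On a real system you would point `find_exe_twins` at `C:\` (or at `C:\Program Files` and `C:\WINDOWS`) and read the `identical` column: an exact copy is noise from whatever duplicated the file, while a twin whose hash differs from the program it shadows is the one to submit for analysis before anything is renamed.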


#7 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 12 January 2008 - 04:25 PM

Posted Image
Referring to the picture above, drag Log.txt into RenV.exe
When finished, it shall produce a new log for you.
Post that log in your next reply.

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste the contents of that file into your next reply.

If the above link doesn't work, try this:
http://www.kaspersky.com/kos/english/kavwebscan.html

#8 Bryan11108

  • Topic Starter
  • Members
  • 13 posts

Posted 12 January 2008 - 06:05 PM

Ran on Sat 01/12/2008 - 17:28:43.54



------w		 1,393,928 2008-01-11 03:07:13  C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe

------w		   492,808 2008-01-12 20:55:07  C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe



 Entries:				2  (2)

 Directories:			0  Files:			 2

 Bytes:		  1,886,736  Blocks:		3,686


#9 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 13 January 2008 - 04:46 AM

Post the Kaspersky WebScanner results please.

#10 Bryan11108

  • Topic Starter
  • Members
  • 13 posts

Posted 13 January 2008 - 08:11 AM

Sorry, it took all night for the scan to be completed.

------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, January 13, 2008 8:09:38 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/01/2008
Kaspersky Anti-Virus database records: 475760
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 50533
Number of viruses found: 12
Number of infected objects: 211
Number of suspicious objects: 0
Duration of the scan process: 08:22:54

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Mozilla\Firefox\Profiles\m0ao5g9f.default\cert8.db Object is locked skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Mozilla\Firefox\Profiles\m0ao5g9f.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Mozilla\Firefox\Profiles\m0ao5g9f.default\history.dat Object is locked skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Mozilla\Firefox\Profiles\m0ao5g9f.default\key3.db Object is locked skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Mozilla\Firefox\Profiles\m0ao5g9f.default\parent.lock Object is locked skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Mozilla\Firefox\Profiles\m0ao5g9f.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Mozilla\Firefox\Profiles\m0ao5g9f.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From " ... /[From "Prostate C ... /[From "Jane Goddard" <darcey.davie@karmdal.dk>][Date Wed, 29 Aug 2007 14:28:22 - ... /game.exe Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From " ... /[From "Prostate C ... /[From "Jane Goddard" <darcey.davie@karmdal.dk>][Date Wed, 29 Aug 2007 14:28:22 -0100]/game.zip Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From " ... /[From "Prostate Cance ... /[From "Jane Goddard" <darcey.davie@karmdal.dk>][Date Wed, 29 Aug 2007 14:28:22 -0100]/text Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From " ... /[From "Prostate Cancer Information" <prostatecancer@mx1.lilymedia.com>][Date Tue, 28 Aug 2007 22:38:02 -0700]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From " ... /[From "Prosta ... ... /[From "Adelia Fidela" <tsvmu9irwib@academy.com>][Date Wed, 29 Aug 2007 04:29:23 +0300]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From " ... /[From "Prosta ... /[From "Theron Booker" <luggmedicalnek@gmedical.com>][Date Tue, 28 Aug 2007 18:29:42 -0200]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From " ... /[From "Prostate Cancer I ... /[From "Debbra Brandi" <dvav9pird@gm.com>][Date Tue, 28 Aug 2007 16:53:52 +0200]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From " ... /[From "Prostate Cancer Information" <prostatecancer@mx1.lilymedia.com>][Date Mon, 27 Aug 2007 20:23:11 -0700]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From "M&I Ma . ... /[ ... /[From "Gary Lewis" <FrankchinaGonzalez@greatscores.com>][Date Mon, 27 Aug 2007 11:00:39 +0500]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From "M&I Ma . ... /[From "Sheila Swanson" <kidfundaciosergibeh@fundaciosergi.org>][Date Sun, 26 Aug 2007 15:02:36 -0100]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From "M&I Ma ... /[From "Restaurant Search" <restaurants@mx4.edoracreditservices.com>][Date Sat, 25 Aug 2007 19:11:29 -0700]/text Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From "M&I Marshall & Ilsle ... /[From "Kristie Ott" <TamiyukiGipson@wikipedia.org>][Date Sat, 25 Aug 2007 21:15:51 +0500]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From "M&I Marshall & Ilsle . ... /[From "Alma Margot" <biepl9dcxj@halliburton.com>][Date Sat, 25 Aug 2007 17:56:42 -0500]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From "M&I Marshall & Ilsle .. ... /[From "Raymond P. Nadeau" <Raymond@bestbuy.com>][Date Sat, 25 Aug 2007 23:56:40 +0400]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From "M&I Marshall & Ilsle .. ... /[Fr ... /[From "redjane" <redjane@g2kgames.net>][Date Sat, 25 Aug 2007 15:59:31 +0200]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From "M&I Marshall & Ilsle .. ... /[From "Quality watches" <xbenkelman@berlin.com>][Date Fri, 24 Aug 2007 15:34:47 -0300]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From "M&I Marshall & Ilsle ... ... /[From "Forest F. Barry" <Forest@boomtown.net>][Date Fri, 24 Aug 2007 15:21:14 +0400]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From "M&I Marshall & Ilsle ... /[From " ... /[From Gino <Burton@brandywinechurch.com>][Date Wed, 22 Aug 2007 06:24:19 -0800]/text Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From "M&I Marshall & Ilsle ... /[From "Francis" <ytbcxhkilet@herborner-pumpen.com>][Date Tue, 21 Aug 2007 18:34:18 -0800]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alej ... /[From "M&I Marshall & Ilsley Bank" <clientdepmnt.refFC237991569771G.gps@mibank.com>][Date Tue, 21 Aug 2007 15:15:49 -0600]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Aleja ... /[From ... /[From Windows Re ... /[From "Julius Castle" <julius_castle_dz@csc.com>][Date Tue, 21 Aug 2007 11:18:34 -0700]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Aleja ... /[From ... /[From Windows Reg Cleaner <WindowsRegCleaner@eloylacharitehosting.com>][Date Tue, 21 Aug 2007 04:42:08 -0400]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Aleja ... /[From "B ... /[From Windows Reg Cleaner <WindowsRegCleaner@dornerkasandrarack.net>][Date Mon, 20 Aug 2007 23:16:18 -0400]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Aleja ... /[From "Bank of the West ... /[From "Blanca Kiser" <solvig.davie@midtgraduering.dk>][Date Tue, 21 Aug 2007 00:11:35 -0200]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Aleja ... /[From "Bank of the West" <cor ... /[From "Marco Parke ... /[From brlewis@sys-x.com][Date Mon, 20 Aug 2007 21:03:21 +0300]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Aleja ... /[From "Bank of the West" <cor ... /[From "Marco Parker" <wood-fuel.com@whotto.com>][Date Mon, 20 Aug 2007 13:20:40 +0200]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Aleja ... /[From "Bank of the West" <corporateclie ... /[From "Anne S. Mora" <Anne@telus.com>][Date Sun, 19 Aug 2007 21:21:44 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Aleja ... /[From "Bank of the West" <corporateclients.ref2188683335057.bow@bankofthewest.com>][Date Sun, 19 Aug 2007 17:44:04 +0200]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alejandra Foley" <sporti ... /[From CysticFibro ... /[From "L ... /[From brlewis@neonramp.com][Date Fri, 17 Aug 2007 20:52:39 -0400]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alejandra Foley" <sporti ... /[From CysticFibro ... /[From "Lilly Travis" <brlewis@g2kgames.net>][Date Fri, 17 Aug 2007 14:34:11 -0500]/text Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alejandra Foley" <sporti ... /[From CysticFibrosis <CysticFibrosis@stablersergionetworks.net>][Date Thu, 16 Aug 2007 23:14:21 -0400]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alejandra Foley" <sporting@saf ... /[From "Stanley R. Jordan" <mudxicvoxkv@columbia-stmarys.org>][Date Fri, 17 Aug 2007 02:57:22 -0800]/text Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alejandra Foley" <sporting@safe ... / ... /[From "Jacki Powell" <smithcneezui@electroind.com>][Date Fri, 17 Aug 2007 09:22:04 +0000]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alejandra Foley" <sporting@safe ... /[From ... /[From "Margaretta Man" <hbf00run@laposte.net>][Date Thu, 16 Aug 2007 12:14:47 -0500]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alejandra Foley" <sporting@safe ... /[From "Clinton Crandall" <jondasprofilbeh@dasprofil.net>][Date Thu, 16 Aug 2007 11:31:48 -0100]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alejandra Foley" <sporting@safe ... /[From "E ... /[From "Henry B. Powell" <ifbjwp@kuhnbelz.com>][Date Thu, 16 Aug 2007 16:20:49 +0530]/text Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alejandra Foley" <sporting@safe ... /[From "Elvin Horn" <ElvinbombproofBooth@arstechnica.com>][Date Wed, 15 Aug 2007 19:17:34 +0600]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED/[From "Alejandra Foley" <sporting@saferbuild.com>][Date Wed, 15 Aug 2007 18:20:56 -0100]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text/[From <maryg@rivercommunity.ca>][Date Wed, 15 Aug 2007 16:35:12 +0300]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED/[From "Curtis J. Cox" <sjnwgllvab@axberg.dk>][Date Thu, 16 Aug 2007 04:27:26 -0800]/text Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text/[From Good Erection <esstaley@winning.com>][Date Wed, 15 Aug 2007 08:36:56 +0300]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk/[From "Lorrie Stone" <l_stone_ez@webtv.com>][Date Tue, 14 Aug 2007 16:27:43 +0000]/text Infected: Trojan-Downloader.Win32.Agent.cnh skipped
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk Mail Berkeley mbox: infected - 42 skipped
C:\Documents and Settings\Bryan Lewis\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Bryan Lewis\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Bryan Lewis\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Bryan Lewis\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bryan Lewis\Local Settings\Temporary Internet Files\2314.exe/data0006 Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\Documents and Settings\Bryan Lewis\Local Settings\Temporary Internet Files\2314.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Bryan Lewis\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bryan Lewis\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Bryan Lewis\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\4F.tmp Infected: Trojan-Downloader.Win32.PurityScan.dx skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\8F.tmp Infected: Trojan-Downloader.Win32.Small.hml skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0000311.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0000699.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000031.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000032.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000164.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000167.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000168.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000170.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000171.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000172.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000173.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000175.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000176.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000177.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000178.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000179.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000183.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000184.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000187.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000194.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000195.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000287.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000292.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000294.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000295.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000296.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000297.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000299.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000300.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000301.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000303.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000304.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000305.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000308.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000309.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000310.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000317.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000360.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000362.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000369.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000372.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000376.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000377.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000678.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000681.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000682.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000683.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000684.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000685.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000686.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000687.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000688.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000689.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000691.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000695.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000696.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000697.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\AdobeUpdateManager.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\AdobeUpdateManager.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\AdobeUpdateManager.RB2 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\AdobeUpdateManager.RB3 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\AdobeUpdateManager.RB4 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\alltracksgone .RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\alltracksgone .RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\alltracksgone .RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\alltracksgone.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\alltracksgone.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\alltracksgone.RB2 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\alltracksgone.RB3 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\alltracksgone.RB4 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\DSAgnt.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\DSAgnt.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\DSAgnt.RB2 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\DSAgnt.RB3 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\DVDLauncher.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\DVDLauncher.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\hkcmd.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\hkcmd.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\iFrmewrk.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\ifrmewrk.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\ifrmewrk.RB2 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\igfxpers.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\igfxpers.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\igfxtray.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\igfxtray.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\igfxtray.RB2 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\imekrmig.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\imjpmig.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\issch.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\issch.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\issch.RB2 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\isuspm .RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\isuspm.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\isuspm.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\iTunesHelper.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\iTunesHelper.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\iTunesHelper.RB2 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\jusched.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\JUSCHED.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\MediaDetect.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\msmsgs.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\msmsgs.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\msmsgs.RB2 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\msmsgs.RB3 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\MSMSGS.RB4 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\QTTask .RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\QTTask .RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\QTTask .RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\QTTask.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\quickset .RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\quickset .RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RCX92.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RCXA4.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RCXA7.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RCXAA.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RCXAD.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RCXB3.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RCXB6.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RCXBC.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RealPlay.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RealPlay.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RealPlay.RB2 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\REALPLAY.RB3 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RealPlay.RB4 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RealPlay.RB5 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\SynTPEnh.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\SynTPEnh.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\tfswctrl.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\TMAS_OEMon.exe.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\TomTomHOME.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\TomTomHOME.RB1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\TomTomHOME.RB2 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\TomTomHOME.RB3 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\TomTomHOME.RB4 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\UfSeAgnt.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\wuauclt.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\C9.tmp Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\CC.tmp Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\gebcd.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\gebcd_b78.VIR Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\gebcd_c2c.VIR Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\MSKDetct.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\wuauclt.exe Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
C:\Program Files\Trend Micro\Internet Security\Trusted.dat Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fg skipped
C:\QooBox\Quarantine\C\Program Files\Temporary\kernInst.exe.vir Infected: Trojan.Win32.Agent.dwb skipped
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\QooBox\Quarantine\C\WINDOWS\df87173.exe.vir Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\QooBox\Quarantine\C\WINDOWS\hg173.exe.vir Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1239.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\QooBox\Quarantine\C\WINDOWS\troy44 .exe.vir Infected: Trojan-Clicker.Win32.VB.yh skipped
C:\QooBox\Quarantine\catchme2008-01-10_230124.03.zip/UfSeAgnt.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\catchme2008-01-10_230124.03.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\VundoFix Backups\gebcd.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\VundoFix Backups\hkcmd.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\VundoFix Backups\igfxpers.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\VundoFix Backups\igfxtray.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\VundoFix Backups\tfswctrl.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\VundoFix Backups\troy44.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ime\imjp8_1\imjpmig.exe.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\ime\imkr6_1\imekrmig.exe.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\mrofinu572.exe.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{5B4292DF-86EE-4685-A45A-D0EE765EFAF4}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\ardCo17\ardCo172314.exe Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\sfloppyy.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\T30DebugLogFile.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#11 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 13 January 2008 - 09:12 AM

First enable the viewing of hidden files and folders, then reverse the process once you've done the steps below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Please download OTMoveIt by OldTimer and save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\QooBox
C:\VundoFix Backups
C:\WINDOWS\ime\imjp8_1\imjpmig.exe.tmp
C:\WINDOWS\ime\imkr6_1\imekrmig.exe.tmp
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\ardCo17
C:\Documents and Settings\Bryan Lewis\Local Settings\Temporary Internet Files\2314.exe/data0006
C:\Documents and Settings\Bryan Lewis\Local Settings\Temporary Internet Files\2314.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Please double-click OTMoveIt.exe again to run it.
Click on the 'Cleanup' button
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Delete the entire contents of both these folders:
C:\Program Files\Trend Micro\Internet Security\Quarantine
C:\Documents and Settings\Bryan Lewis\Application Data\Thunderbird\Profiles\bfxhizfm.Default User\Mail\pop3.PureHost.com\Junk

Click on Start/Run, type cleanmgr into the 'Open:' space, then press Ok.
Let it scan your system for files to remove.
Make sure these 3 are checked and nothing else, then press Ok.
* Temporary Files
* Temporary Internet Files
* Recycle Bin


Close any open browsers.
Double click on Combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log.
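The move list above was built by reading the Kaspersky report posted earlier: hits inside the Trend Micro vault, ComboFix's QooBox and the VundoFix backup folder are already-captured copies (empty the store), the few paths outside those stores are what still needs removing, and "Object is locked" entries are normal system files. The following is an added example, not part of this thread or of any tool it names, that parses report lines in that format and performs the same triage; the quarantine roots and the sample lines are constructed here to match the report's layout.

```python
"""Triage a Kaspersky scan report of the kind posted earlier in this thread.

Every result line has the shape "<path> <status> skipped", where <status> is
"Infected: <detection name>", "Object is locked", or "ZIP: infected - <n>".
"""
import re
from collections import Counter

# Constructed sample lines that follow the report format; paths mirror the
# ones seen in the thread but this is test input, not the original log.
SAMPLE_REPORT = r"""
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0000178.RB0 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\gebcd.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\QooBox\Quarantine\catchme2008-01-10_230124.03.zip ZIP: infected - 1 skipped
C:\VundoFix Backups\gebcd.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\ime\imjp8_1\imjpmig.exe.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\system32\ardCo17\ardCo172314.exe Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""

# Assumed quarantine roots: where the three removal tools in this thread keep
# their copies (Trend Micro vault, ComboFix's QooBox, VundoFix backups).
QUARANTINE_ROOTS = (
    r"C:\Program Files\Trend Micro\Internet Security\Quarantine",
    r"C:\QooBox",
    r"C:\VundoFix Backups",
)

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<detection>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<archive>ZIP: infected - \d+)) skipped$"
)


def parse_report(text):
    """Return (path, kind, detection) tuples; kind is 'infected', 'locked' or 'archive'."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner/footer lines such as "Scan process completed."
        if m.group("detection"):
            hits.append((m.group("path"), "infected", m.group("detection")))
        elif m.group("archive"):
            hits.append((m.group("path"), "archive", None))
        else:
            hits.append((m.group("path"), "locked", None))
    return hits


def quarantine_root(path):
    """Return the quarantine store containing `path`, or None for a live file."""
    lower = path.lower()
    for root in QUARANTINE_ROOTS:
        if lower.startswith(root.lower() + "\\"):
            return root
    return None


def triage(text):
    """Bucket report lines into live hits, per-store counts, locked files and detection totals."""
    live, locked = [], []
    per_store, per_detection = Counter(), Counter()
    for path, kind, detection in parse_report(text):
        if kind == "locked":
            locked.append(path)  # normal for registry hives, event logs, etc.
            continue
        root = quarantine_root(path)
        if root is None:
            live.append((path, detection))  # still on disk, needs removal
        else:
            per_store[root] += 1  # captured copy; the store just needs emptying
        if detection:
            per_detection[detection] += 1
    return {
        "live": live,
        "stores": dict(per_store),
        "locked": locked,
        "detections": dict(per_detection),
    }


def move_list(text):
    """Path list for a move/delete tool: each store holding hits, then every live hit."""
    result = triage(text)
    return sorted(result["stores"]) + [path for path, _ in result["live"]]


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("live hits still on disk:", summary["live"])
    print("paths for the move tool:", *move_list(SAMPLE_REPORT), sep="\n  ")
```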

#12 Bryan11108

  • Topic Starter
  • Members
  • 13 posts

Posted 13 January 2008 - 01:39 PM

C:\QooBox\Quarantine\Registry_backups moved successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers moved successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\dla moved successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32 moved successfully.
C:\QooBox\Quarantine\C\WINDOWS\ime\imkr6_1 moved successfully.
C:\QooBox\Quarantine\C\WINDOWS\ime\imjp8_1 moved successfully.
C:\QooBox\Quarantine\C\WINDOWS\ime moved successfully.
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files moved successfully.
C:\QooBox\Quarantine\C\WINDOWS moved successfully.
C:\QooBox\Quarantine\C\Temp\1cb moved successfully.
C:\QooBox\Quarantine\C\Temp moved successfully.
C:\QooBox\Quarantine\C\Program Files\Trend Micro\Internet Security\TMAS_OE moved successfully.
C:\QooBox\Quarantine\C\Program Files\Trend Micro\Internet Security moved successfully.
C:\QooBox\Quarantine\C\Program Files\Trend Micro moved successfully.
C:\QooBox\Quarantine\C\Program Files\TomTom HOME moved successfully.
C:\QooBox\Quarantine\C\Program Files\Temporary moved successfully.
C:\QooBox\Quarantine\C\Program Files\Synaptics\SynTP moved successfully.
C:\QooBox\Quarantine\C\Program Files\Synaptics moved successfully.
C:\QooBox\Quarantine\C\Program Files\Real\RealPlayer moved successfully.
C:\QooBox\Quarantine\C\Program Files\Real moved successfully.
C:\QooBox\Quarantine\C\Program Files\QuickTime moved successfully.
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components moved successfully.
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF moved successfully.
C:\QooBox\Quarantine\C\Program Files\Outerinfo moved successfully.
C:\QooBox\Quarantine\C\Program Files\Messenger moved successfully.
C:\QooBox\Quarantine\C\Program Files\iTunes moved successfully.
C:\QooBox\Quarantine\C\Program Files\Intel\Wireless\Bin moved successfully.
C:\QooBox\Quarantine\C\Program Files\Intel\Wireless moved successfully.
C:\QooBox\Quarantine\C\Program Files\Intel moved successfully.
C:\QooBox\Quarantine\C\Program Files\DellSupport moved successfully.
C:\QooBox\Quarantine\C\Program Files\Dell\QuickSet moved successfully.
C:\QooBox\Quarantine\C\Program Files\Dell moved successfully.
C:\QooBox\Quarantine\C\Program Files\CyberLink\PowerDVD moved successfully.
C:\QooBox\Quarantine\C\Program Files\CyberLink moved successfully.
C:\QooBox\Quarantine\C\Program Files\Corel\Corel Photo Album 6 moved successfully.
C:\QooBox\Quarantine\C\Program Files\Corel moved successfully.
C:\QooBox\Quarantine\C\Program Files\Common Files\InstallShield\UpdateService moved successfully.
C:\QooBox\Quarantine\C\Program Files\Common Files\InstallShield moved successfully.
C:\QooBox\Quarantine\C\Program Files\Common Files moved successfully.
C:\QooBox\Quarantine\C\Program Files\AllTracksGone moved successfully.
C:\QooBox\Quarantine\C\Program Files\Adobe\Acrobat 7.0\Reader moved successfully.
C:\QooBox\Quarantine\C\Program Files\Adobe\Acrobat 7.0 moved successfully.
C:\QooBox\Quarantine\C\Program Files\Adobe moved successfully.
C:\QooBox\Quarantine\C\Program Files moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Bryan Lewis\Start Menu\Programs\Outerinfo moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Bryan Lewis\Start Menu\Programs moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Bryan Lewis\Start Menu moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Bryan Lewis\Desktop moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Bryan Lewis\Application Data\RACLE~1 moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Bryan Lewis\Application Data moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Bryan Lewis moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings moved successfully.
C:\QooBox\Quarantine\C\ComboFix moved successfully.
C:\QooBox\Quarantine\C moved successfully.
C:\QooBox\Quarantine moved successfully.
C:\QooBox\BackEnv moved successfully.
C:\QooBox moved successfully.
C:\VundoFix Backups moved successfully.
C:\WINDOWS\ime\imjp8_1\imjpmig.exe.tmp moved successfully.
C:\WINDOWS\ime\imkr6_1\imekrmig.exe.tmp moved successfully.
C:\WINDOWS\mrofinu572.exe.tmp moved successfully.
C:\WINDOWS\system32\ardCo17 moved successfully.
File/Folder C:\Documents and Settings\Bryan Lewis\Local Settings\Temporary Internet Files\2314.exe/data0006 not found.
C:\Documents and Settings\Bryan Lewis\Local Settings\Temporary Internet Files\2314.exe moved successfully.

OTMoveIt2 v1.0.6 log created on 01132008_133708

#13 Bryan11108

  • Topic Starter
  • Members
  • 13 posts

Posted 13 January 2008 - 04:23 PM

The following files could not be deleted from Trend Micro Vault because access was denied:
A0000311.exe
A0000699.exe
urqomll.dll
wuauclt.exe
urqomll.dll
edcA011065.exe
gebcd.exe

My Combofix and Hijack This logs can be found below:

ComboFix 08-01-09.2 - Bryan Lewis 2008-01-13 15:32:51.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.513 [GMT -5:00]
Running from: C:\Documents and Settings\Bryan Lewis\Desktop\ComboFix.exe
Command switches used :: and Settings\Bryan Lewis\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\dcbeg.ini2
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\RCX48.tmp
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 16:02 . 2008-01-13 16:02 <DIR> d-------- C:\Temp\tn3
2008-01-13 16:02 . 2008-01-13 16:02 333,824 --------- C:\WINDOWS\system32\gebcd.dll
2008-01-13 13:23 . 2008-01-13 16:02 114,688 --a------ C:\WINDOWS\system32\igfxpers .exe
2008-01-13 13:23 . 2008-01-13 15:16 94,208 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-13 13:23 . 2008-01-13 16:02 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-12 18:18 . 2008-01-12 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-12 18:17 . 2008-01-12 18:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-12 08:07 . 2008-01-12 08:07 <DIR> d-------- C:\Program Files\Sun
2008-01-12 08:06 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-12 07:17 . 2008-01-12 09:25 <DIR> d-------- C:\HJT
2008-01-11 12:45 . 2005-10-14 21:45 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-01-11 12:41 . 2008-01-11 12:41 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-11 12:35 . 2004-08-04 07:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-01-11 12:34 . 2004-08-04 07:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-01-11 12:33 . 2004-08-04 07:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-01-11 12:30 . 2004-08-04 07:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-01-11 12:30 . 2008-01-11 12:30 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-11 12:30 . 2008-01-11 12:30 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-11 12:30 . 2008-01-11 12:30 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-11 12:30 . 2008-01-11 12:30 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-11 12:30 . 2008-01-11 12:30 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-11 12:30 . 2008-01-11 12:30 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-01-11 12:04 . 2004-08-04 07:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-01-11 12:04 . 2004-08-04 07:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-01-11 12:04 . 2004-08-04 07:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-01-11 12:04 . 2004-08-04 07:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-01-10 23:01 . 2008-01-13 16:01 167,545 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-10 22:27 . 2008-01-10 22:27 <DIR> d-------- C:\Program Files\InterMute
2008-01-10 15:35 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 14:10 . 2008-01-10 14:20 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-01-10 08:34 . 2007-12-16 18:29 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-10 08:34 . 2007-12-16 18:29 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-10 08:34 . 2007-12-16 18:29 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-10 08:30 . 2008-01-10 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-10 07:40 . 2008-01-13 03:05 <DIR> d-------- C:\WINDOWS\system32\edcA01
2008-01-10 07:40 . 2008-01-10 07:40 <DIR> d-------- C:\Temp\Ryuan1
2008-01-10 07:33 . 2008-01-10 07:33 <DIR> d-------- C:\Program Files\Internet Explorer Assistant
2008-01-09 23:16 . 2008-01-10 11:54 <DIR> d-------- C:\WINDOWS\system32\smvt3
2008-01-09 23:16 . 2008-01-09 23:16 <DIR> d-------- C:\WINDOWS\system32\omp2
2008-01-09 23:16 . 2008-01-09 23:16 <DIR> d-------- C:\WINDOWS\system32\ache3
2008-01-09 23:16 . 2008-01-09 23:16 <DIR> d-------- C:\Temp\cEeer12
2008-01-09 23:16 . 2008-01-13 16:02 <DIR> d-------- C:\Temp
2008-01-09 23:16 . 2008-01-09 23:16 86,016 --a------ C:\WINDOWS\system32\drivers\sfloppyy.sys
2008-01-09 22:46 . 2008-01-09 23:16 <DIR> d-------- C:\Program Files\Dot1XCfg
2007-12-16 18:29 . 2007-12-16 18:29 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-12-16 18:29 . 2007-12-16 18:29 656,648 --a------ C:\WINDOWS\system32\UfWSC.cpl
2007-12-16 18:29 . 2007-12-16 18:29 333,328 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-12-16 18:29 . 2007-12-16 18:29 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-12-16 18:29 . 2007-12-16 18:29 65,936 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-12-16 18:29 . 2007-12-16 18:29 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 21:03 432,640 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-01-13 21:03 --------- d-----w C:\Program Files\TomTom HOME
2008-01-13 21:03 --------- d-----w C:\Program Files\iTunes
2008-01-13 21:02 --------- d-----w C:\Program Files\DellSupport
2008-01-13 21:02 --------- d-----w C:\Program Files\AllTracksGone
2008-01-13 20:15 453,120 ----a-w C:\WINDOWS\system32\igfxpers.exe
2008-01-13 20:15 416,256 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-01-12 13:06 --------- d-----w C:\Program Files\Java
2008-01-12 02:55 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-11 03:38 --------- d-----w C:\Program Files\QuickTime
2008-01-10 13:34 --------- d-----w C:\Program Files\Trend Micro
2008-01-10 04:16 --------- d-----w C:\Program Files\NetWaiting
2007-12-28 14:15 --------- d-----w C:\Program Files\Mozilla Sunbird
2007-12-15 22:40 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-12-15 22:37 --------- d-----w C:\Program Files\LiveUpdate
2007-11-15 20:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-15 19:46 --------- d-----w C:\Program Files\GetData
2006-12-23 23:05 92,064 ----a-w C:\Documents and Settings\Bryan Lewis\mqdmmdm.sys
2006-12-23 23:05 9,232 ----a-w C:\Documents and Settings\Bryan Lewis\mqdmmdfl.sys
2006-12-23 23:05 79,328 ----a-w C:\Documents and Settings\Bryan Lewis\mqdmserd.sys
2006-12-23 23:05 66,656 ----a-w C:\Documents and Settings\Bryan Lewis\mqdmbus.sys
2006-12-23 23:05 6,208 ----a-w C:\Documents and Settings\Bryan Lewis\mqdmcmnt.sys
2006-12-23 23:05 5,936 ----a-w C:\Documents and Settings\Bryan Lewis\mqdmwhnt.sys
2006-12-23 23:05 4,048 ----a-w C:\Documents and Settings\Bryan Lewis\mqdmcr.sys
2006-12-23 23:05 25,600 ----a-w C:\Documents and Settings\Bryan Lewis\usbsermptxp.sys
2006-12-23 23:05 22,768 ----a-w C:\Documents and Settings\Bryan Lewis\usbsermpt.sys
2007-08-21 19:35 56 --sha-r C:\WINDOWS\system32\DCB23B4797.sys
2007-08-21 19:35 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
<pre>
----a-w		   313,472 2008-01-13 20:17:37  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w		   492,544 2008-01-13 21:02:54  C:\Program Files\AllTracksGone\alltracksgone  .exe
----a-w		   841,216 2008-01-13 21:02:40  C:\Program Files\AllTracksGone\alltracksgone .exe
----a-w			81,920 2008-01-13 20:16:09  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w		   106,496 2008-01-13 21:02:15  C:\Program Files\Corel\Corel Photo Album 6\MediaDetect .exe
----a-w			53,248 2008-01-13 21:02:12  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w		 1,053,696 2008-01-13 21:03:00  C:\Program Files\Dell\QuickSet\quickset .exe
----a-w		   460,784 2008-01-13 21:02:41  C:\Program Files\DellSupport\DSAgnt .exe
----a-w		   385,024 2008-01-13 20:16:12  C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
----a-w		   267,064 2008-01-13 21:02:19  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		   144,784 2008-01-13 21:02:35  C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
----a-w		 1,121,792 2008-01-13 20:16:28  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w		 1,694,208 2008-01-13 20:17:28  C:\Program Files\Messenger\msmsgs .exe
----a-w			26,112 2008-01-13 20:16:10  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w		   729,178 2008-01-13 20:16:09  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w		 3,718,312 2008-01-13 20:16:45  C:\Program Files\TomTom HOME\TomTomHOME .exe
------w		 1,393,928 2008-01-11 03:07:13  C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
----a-w		   492,808 2008-01-13 21:02:46  C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
----a-w		   208,952 2008-01-13 18:31:02  C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
----a-w			44,032 2008-01-13 18:31:06  C:\WINDOWS\ime\imkr6_1\IMEKRMIG .EXE
----a-w			77,824 2008-01-13 21:02:25  C:\WINDOWS\system32\hkcmd .exe
----a-w		   114,688 2008-01-13 21:02:30  C:\WINDOWS\system32\igfxpers .exe
----a-w			94,208 2008-01-13 20:16:53  C:\WINDOWS\system32\igfxtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{253B3F30-FD5B-41E8-950F-094704176AED}]
2008-01-13 16:02 333824 --------- C:\WINDOWS\system32\gebcd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59693FA9-25A3-4D8C-BB03-35658A5D83DA}]
2008-01-01 21:41 274432 --a------ C:\PROGRA~1\INTERN~2\INTERN~1.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-13 16:02 2224128]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ]
"AllTracksGone"="C:\Program Files\AllTracksGone\alltracksgone .exe" [2008-01-13 16:02 492544]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2008-01-13 15:15 866304]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-01-13 15:15 832512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-13 16:02 1086976]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-01-13 16:02 373760]
"QBReminderFlash"="C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-01-13 16:02 421888]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" [ ]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-01-13 16:04 385024]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2008-01-13 15:15 407040]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset .exe" [2008-01-13 16:03 1053696]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2008-01-13 15:15 467968]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2008-01-13 16:03 1485824]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2008-01-13 16:03 3718312]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-13 15:15 695808]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [ ]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2008-01-13 16:04 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2008-01-13 16:04 44032]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-13 16:03 432640]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-13 15:15 416256]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-01-13 15:15 453120]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2008-01-13 15:15 486400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 06:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
AllTracksGone 2005.lnk - C:\Program Files\AllTracksGone\alltracksgone.exe [2008-01-12 17:28:00]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-30 15:00:03]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\gebcd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\gebcd

R1 sfloppyy;sfloppyy;C:\WINDOWS\system32\drivers\sfloppyy.sys [2008-01-09 23:16]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 softctrl;Software Flow Control Driver;C:\WINDOWS\system32\DRIVERS\softctrl.sys [2005-12-11 20:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db241f8c-c5ab-11db-bd9a-00142297f35b}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-07 22:42:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 16:04:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\dcbeg.ini 6516 bytes
C:\WINDOWS\system32\dcbeg.ini2 6516 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-01-13 16:09:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 21:09:20
.
2008-01-09 14:38:05 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:09 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DellSupport\DSAgnt .exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AllTracksGone\alltracksgone .exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebcd.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {253B3F30-FD5B-41E8-950F-094704176AED} - C:\WINDOWS\system32\gebcd.dll
O2 - BHO: CInternetExplorerAssistant - {59693FA9-25A3-4D8C-BB03-35658A5D83DA} - C:\PROGRA~1\INTERN~2\INTERN~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exeFiles\Dell\QuickSet\quickset.exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [AllTracksGone] C:\Program Files\AllTracksGone\alltracksgone .exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AllTracksGone 2005.lnk = C:\Program Files\AllTracksGone\alltracksgone.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9881 bytes
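
The two logs above show four things that keep gebcd.exe coming back after a reboot: a `load=` value in the per-user `Windows` key (the F3 line in HijackThis, `"load"=` in ComboFix), a Browser Helper Object registered with no name, a second entry in the LSA `Authentication Packages` list next to msv1_0, and look-alike copies of legitimate autostarts whose file name carries a space before `.exe` (`quickset .exe`, `hkcmd .exe`), both of which then show up in the running-process list. The script below is an added triage example for this thread, not part of the thread, HijackThis, ComboFix or Avenger: it pulls those four patterns out of pasted log text so they are not lost in the noise of a long log. The sample lines are constructed in the shape of the logs above, and the baseline of msv1_0 being the only authentication package on a clean XP machine is my assumption, not something the page states.

```python
"""Pull the Vundo-style persistence seen in the logs above out of
HijackThis / ComboFix text.  Added example for this thread; not a tool
from the thread or part of HijackThis, ComboFix or Avenger."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # which persistence trick the line matched
    detail: str     # the path or package name involved


# 1. "load=" in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows.
#    HijackThis prints it as an F3 line, ComboFix as a "load"= line.
#    The value is empty on a clean system, so any path is worth a look.
LOAD_RE = re.compile(r'^(?:F3 - REG:win\.ini: load=|"load"=)\s*(?P<path>\S.*)$')

# 2. A Browser Helper Object that registers no name at all.
BHO_RE = re.compile(r'^O2 - BHO: \(no name\) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')

# 3. A basename with whitespace before ".exe" ("quickset .exe"): the
#    look-alike that sits beside a legitimate autostart and runs with it.
SPACED_EXT_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"\r\n]*?\S) +\.exe\b', re.IGNORECASE)

# 4. LSA Authentication Packages.  Baseline assumed here (my assumption,
#    not stated in the thread): msv1_0 is the only entry on a clean box.
AUTHPKG_RE = re.compile(r'^Authentication Packages\s+REG_MULTI_SZ\s+(?P<pkgs>.+)$')
KNOWN_AUTH_PACKAGES = {"msv1_0"}


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious item, in the order met in the log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := LOAD_RE.match(line):
            findings.append(Finding("load-value", m["path"].strip()))
        if m := BHO_RE.match(line):
            findings.append(Finding("unnamed-bho", m["path"].strip()))
        for m in SPACED_EXT_RE.finditer(line):
            findings.append(Finding("spaced-extension", m["path"] + " .exe"))
        if m := AUTHPKG_RE.match(line):
            for pkg in m["pkgs"].split():
                if pkg.lower() not in KNOWN_AUTH_PACKAGES:
                    findings.append(Finding("lsa-auth-package", pkg))
    return findings


# Constructed sample in the shape of the two logs above (not the full logs).
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebcd.exe
O2 - BHO: (no name) - {253B3F30-FD5B-41E8-950F-094704176AED} - C:\WINDOWS\system32\gebcd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKCU\..\Run: [AllTracksGone] C:\Program Files\AllTracksGone\alltracksgone .exe
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset .exe" [2008-01-13 16:03 1053696]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\gebcd
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:18} {f.detail}")
```

Paste a whole HijackThis or ComboFix log into `triage()` and it returns the items to fix; note that an Avenger or HijackThis fix that removes the files and the `load=` line but leaves the `Authentication Packages` entry behind will still make lsass look for the missing module at every boot, so that entry deserves its own check after cleanup.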

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 13 January 2008 - 05:11 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following text inside the quote box below:

Files to delete:
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\gebcd.exe
C:\WINDOWS\system32\drivers\core.cache.dsk

Folders to delete:
C:\WINDOWS\system32\edcA01
C:\Temp\Ryuan1
C:\WINDOWS\system32\smvt3
C:\WINDOWS\system32\omp2
C:\WINDOWS\system32\ache3
C:\Temp\cEeer12

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt, into your next reply.


[Image: screenshot showing Log.txt being dragged onto RenV.exe]
Referring to the picture above, drag Log.txt onto RenV.exe.
When finished, it shall produce a new log for you.
Post that log in your next reply.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebcd.exe
O2 - BHO: (no name) - {253B3F30-FD5B-41E8-950F-094704176AED} - C:\WINDOWS\system32\gebcd.dll

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log and let me know how your PC is running now.


#15 Bryan11108

Bryan11108
  • Topic Starter

  • Members
  • 13 posts

Posted 13 January 2008 - 05:37 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\muopkoom

*******************

Script file located at: \??\C:\Program Files\nafkctjk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\gebcd.dll deleted successfully.


File C:\WINDOWS\system32\gebcd.exe not found!
Deletion of file C:\WINDOWS\system32\gebcd.exe failed!

Could not process line:
C:\WINDOWS\system32\gebcd.exe
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\core.cache.dsk deleted successfully.
Folder C:\WINDOWS\system32\edcA01 deleted successfully.
Folder C:\Temp\Ryuan1 deleted successfully.
Folder C:\WINDOWS\system32\smvt3 deleted successfully.
Folder C:\WINDOWS\system32\omp2 deleted successfully.
Folder C:\WINDOWS\system32\ache3 deleted successfully.
Folder C:\Temp\cEeer12 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



