Hijackthis Log: Please Help Diagnose - Backdoor.trojan / Trojan Horse Etc.


  • This topic is locked
30 replies to this topic

#1 jfriel

  • Members
  • 33 posts

Posted 02 August 2008 - 04:52 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:48 PM, on 8/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\dbssys\DBSNTS.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\WinLivePatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\Dit.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\dbssys\DBSRUN.exe
c:\dbssys\DBSValidReceive.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Agent\Desktop\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 78.42.196.237 DBS-SMTP-SERVER
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [WatchGuard Mobile VPN with SSL] "C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnc.exe" /noconnect
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DBSRUN] c:\dbssys\DBSRUN.exe
O4 - HKLM\..\Policies\Explorer\Run: [] 
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213265367109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213265359328
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A172FF56-0C5C-4D28-B6A0-F781ECF2D37C}: NameServer = 195.238.50.254,195.238.40.44
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3595A04-AD22-4DD1-AE44-599279609BC9}: NameServer = 213.42.20.20,195.229.241.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DBSNTS - Cipherbase - c:\dbssys\DBSNTS.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NT Live Support Provider (NTLiveService) - Unknown owner - C:\WINDOWS\system32\WinLivePatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Systemadmin Event Notification - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
O23 - Service: Webroot SpySweeper Service (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
O23 - Service: Ent58ComServer (WindowsEntServer2008) - Unknown owner - C:\WINDOWS\EntSver.exe (file missing)

--
End of file - 10106 bytes
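
Added example, not code from this thread or from HijackThis: a Python triage pass over HijackThis v2 log lines. It applies the heuristics a malware-removal analyst uses by eye on a log like the one above, namely extra loaders appended to the Winlogon Userinit value (F2), services whose binary is missing or lives in a system32 look-alike directory (O23), services with no publisher information, autorun entries under Policies\Explorer\Run (O4), orphaned BHO registrations (O2), and hosts/DNS overrides (O1, O17) that a human should confirm. The rule set and the high/medium/info labels are this example's own choices; the sample entries at the bottom are copied from logs posted in this thread.

```python
"""Triage pass over Trend Micro HijackThis v2 log lines.

Added example, not code from this thread or from HijackThis. Each rule is a
heuristic of the kind a malware-removal analyst applies by eye; severities
are this example's own labelling and only mean "look here first".
"""
import re
from dataclasses import dataclass

SYSTEM_ROOT = r"c:\windows"

# The only loader Windows itself lists in the Winlogon Userinit value.
# Anything appended after it runs at every interactive logon.
LEGIT_USERINIT = {r"c:\windows\system32\userinit.exe"}

# Matches a directory such as \SYSEEM32\ or \systen32\ that imitates system32.
SYSDIR_LOOKALIKE = re.compile(r"\\sys[a-z]{2,3}32\\", re.IGNORECASE)

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    section: str   # HijackThis section code, e.g. "F2", "O23"
    reason: str
    line: str


def _paths(body: str) -> list[str]:
    """Pull drive-letter paths out of an entry body (quotes are optional in HJT output)."""
    return [m.group(0).strip('"') for m in re.finditer(r'"?[a-zA-Z]:\\[^",]+', body)]


def check_entry(line: str) -> list[Finding]:
    """Apply the heuristics to one log line; non-entry lines yield nothing."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    out: list[Finding] = []

    # F2: Userinit hijack. Legit value is userinit.exe alone (trailing comma allowed).
    if code == "F2" and "userinit=" in body.lower():
        loaders = [p.strip().lower() for p in body.split("=", 1)[1].split(",") if p.strip()]
        extra = [p for p in loaders if p not in LEGIT_USERINIT]
        if extra:
            out.append(Finding("high", code, "extra Userinit loader(s): " + ", ".join(extra), line))

    # O23: services. A missing binary or a system32 look-alike directory is a
    # strong signal; "Unknown owner" alone just means no version info to verify.
    elif code == "O23":
        if "(file missing)" in body:
            out.append(Finding("high", code, "service points at a missing binary", line))
        elif any(SYSDIR_LOOKALIKE.search(p) and not p.lower().startswith(SYSTEM_ROOT + "\\")
                 for p in _paths(body)):
            out.append(Finding("high", code, "service binary in a system32 look-alike directory", line))
        elif "Unknown owner" in body:
            out.append(Finding("medium", code, "service with no publisher information", line))

    # O4 under Policies\Explorer\Run: rarely used by legitimate installers.
    elif code == "O4" and "\\policies\\" in body.lower():
        out.append(Finding("medium", code, "autorun entry under Policies\\Explorer\\Run", line))

    # O2 with (no file): orphaned CLSID, a clean-up item rather than live code.
    elif code == "O2" and "(no file)" in body:
        out.append(Finding("info", code, "orphaned BHO registration", line))

    # O1 / O17: hosts overrides and static DNS servers need a human to confirm.
    elif code == "O1":
        out.append(Finding("info", code, "hosts-file override, confirm it is intentional", line))
    elif code == "O17":
        out.append(Finding("info", code, "static DNS servers, confirm they belong to the ISP/company", line))
    return out


def triage(log_text: str) -> list[Finding]:
    """Run every line through check_entry and sort findings by severity (stable sort)."""
    rank = {"high": 0, "medium": 1, "info": 2}
    found = [f for line in log_text.splitlines() for f in check_entry(line)]
    return sorted(found, key=lambda f: rank[f.severity])


# Sample input: entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sichost.exe
O1 - Hosts: 78.42.196.237 DBS-SMTP-SERVER
O2 - BHO: IESuper - {1A49F431-2A2E-41a5-9080-0F41D1A3AEC2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Policies\Explorer\Run: []
O17 - HKLM\System\CCS\Services\Tcpip\..\{A172FF56-0C5C-4D28-B6A0-F781ECF2D37C}: NameServer = 195.238.50.254,195.238.40.44
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NT Live Support Provider (NTLiveService) - Unknown owner - C:\WINDOWS\system32\WinLivePatch.exe
O23 - Service: SYSEEM32 - JPEG ?? - C:\Program Files\WINDOWS\SYSEEM32\ALG.EXE
O23 - Service: mspx (TOlb) - Unknown owner - C:\WINDOWS\system32\toolba.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n         {f.line}")
```

Run on the sample, the pass ranks the Userinit entry, the SYSEEM32 service and the missing toolba.exe service as high, the Policies\Explorer\Run entry and the unsigned WinLivePatch.exe service as medium, and leaves the hosts mapping, the orphaned BHO and the DNS servers as items to confirm. A "high" here is a reason to pull the file for analysis, not a verdict; the Unknown-owner rule in particular also fires on legitimate software shipped without version resources.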


#2 SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Location:Bitola, Macedonia

Posted 10 August 2008 - 10:42 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

Click on Start, click on Run.
Copy and paste the following into the open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open up the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When it is finished,
please post back both logs that open in Notepad:
main.txt and extra.txt



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with dss reports main.txt, extra.txt and Kaspersky report.

Regards
SNOWHITE

#3 jfriel

  • Topic Starter

  • Members
  • 33 posts

Posted 13 August 2008 - 01:43 PM

STEP 1 LOGS (MAIN.TXT EXTRA.TXT)

Deckard's System Scanner v20071014.68
Run by Agent on 2008-08-13 21:06:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
23: 2008-08-13 18:06:48 UTC - RP91 - Deckard's System Scanner Restore Point
22: 2008-08-12 20:03:02 UTC - RP90 - System Checkpoint
21: 2008-08-11 19:23:04 UTC - RP89 - System Checkpoint
20: 2008-08-10 17:35:39 UTC - RP88 - System Checkpoint
19: 2008-08-09 16:45:24 UTC - RP87 - System Checkpoint


-- First Restore Point --
1: 2008-07-22 09:30:20 UTC - RP69 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Agent.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:15 PM, on 8/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\dbssys\DBSNTS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\program files\internet explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\Dit.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\dbssys\DBSValidReceive.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
c:\dbssys\DBSRUN.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Agent\Desktop\dss.exe
C:\DOCUME~1\Agent\Desktop\HJT\Agent.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sichost.exe
O1 - Hosts: 78.42.196.237 DBS-SMTP-SERVER
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IESuper - {1A49F431-2A2E-41a5-9080-0F41D1A3AEC2} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools_200885_7822.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MiniFlashGetBHO - {C74E94A7-B7BD-4891-9328-455395BCC7AD} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [WatchGuard Mobile VPN with SSL] "C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnc.exe" /noconnect
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DBSRUN] c:\dbssys\DBSRUN.exe
O8 - Extra context menu item: Download with FlashGet Mini (使用迷你快车下载) - C:\Program Files\FlashGet Network\FlashGet Mini\GetUrl.htm
O8 - Extra context menu item: Download this page's FLV with FlashGet Mini (使用迷你快车下载该网页FLV) - C:\Program Files\FlashGet Network\FlashGet Mini\FlashGetFlvdetector.htm
O8 - Extra context menu item: Download all links with FlashGet Mini (使用迷你快车下载全部链接) - C:\Program Files\FlashGet Network\FlashGet Mini\GetAllUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213265367109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213265359328
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A172FF56-0C5C-4D28-B6A0-F781ECF2D37C}: NameServer = 195.238.50.254,195.238.40.44
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3595A04-AD22-4DD1-AE44-599279609BC9}: NameServer = 213.42.20.20,195.229.241.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DBSNTS - Cipherbase - c:\dbssys\DBSNTS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SYSEEM32 - JPEG ?? - C:\Program Files\WINDOWS\SYSEEM32\ALG.EXE
O23 - Service: Systemadmin Event Notification - Unknown owner - C:\Program.exe (file missing)
O23 - Service: mspx (TOlb) - Unknown owner - C:\WINDOWS\system32\toolba.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
O23 - Service: Webroot SpySweeper Service (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
O23 - Service: Ent58ComServer (WindowsEntServer2008) - Unknown owner - C:\WINDOWS\EntSver.exe (file missing)

--
End of file - 11070 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - %SystemRoot%\System32\NOTEPAD.EXE %1"
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.ini - inifile - shell\open\command - %SystemRoot%\System32\NOTEPAD.EXE %1"
.pif - piffile - shell\open\command - "%1" %*"
.scr - unable to read key


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 TVALZ (TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver) - c:\windows\system32\drivers\tvalz.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Common Modules>
R1 Tosrfcom (Bluetooth RFCOMM from TOSHIBA) - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
R2 FdRedir - c:\program files\common files\protector suite ql\drivers\fdredir.sys <Not Verified; UPEK Inc.; Protector Suite QL>
R2 FileDisk2 (FileDisk Protector Kernel Driver) - c:\program files\common files\protector suite ql\drivers\filedisk.sys <Not Verified; UPEK Inc.; Protector Suite QL>
R2 smihlp (SMI helper driver) - c:\program files\protector suite ql\smihlp.sys <Not Verified; UPEK Inc.; Protector Suite QL>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 tap0901 (TAP-Win32 Adapter V9) - c:\windows\system32\drivers\tap0901.sys <Not Verified; The OpenVPN Project; TAP-Win32 Virtual Network Driver>
R3 tosporte (Bluetooth Port Driver from Toshiba) - c:\windows\system32\drivers\tosporte.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth Port Emulation Driver>
R3 tosrfec (Bluetooth ACPI from TOSHIBA) - c:\windows\system32\drivers\tosrfec.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth EC Driver>

S2 yvpqhbvb - c:\windows\system32\drivers\acyyzv.sys (file missing)
S3 CardReaderFilter (Card Reader Filter) - c:\windows\system32\drivers\usbcrft.sys <Not Verified; ICSI Technology Ltd.; USB Card Reader and FlashDisk>
S3 DRMUP8WS66 (1F80N8) - c:\windows\15aymbo.txt
S3 RESSDT - c:\windows\system32\ssdtti.sys (file missing)
S3 toshidpt (TOSHIBA Bluetooth HID port driver) - c:\windows\system32\drivers\toshidpt.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Bluetooth HID Mini Port Driver>
S3 Tosrfbd (Bluetooth RFBUS from TOSHIBA) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
S3 Tosrfbnp (Bluetooth RFBNEP from TOSHIBA) - c:\windows\system32\drivers\tosrfbnp.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFBNEP Driver from TOSHIBA>
S3 Tosrfhid (Bluetooth RFHID from TOSHIBA) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; Bluetooth HID Driver from TOSHIBA>
S3 tosrfnds (Bluetooth Personal Area Network from TOSHIBA) - c:\windows\system32\drivers\tosrfnds.sys <Not Verified; TOSHIBA Corporation.; Bluetooth BNEP Driver from TOSHIBA>
S3 TosRfSnd (Bluetooth Audio Device (WDM) from TOSHIBA) - c:\windows\system32\drivers\tosrfsnd.sys <Not Verified; TOSHIBA Corporation; Bluetooth Audio Driver>
S3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Microsoft® Windows NT® Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 DBSNTS - c:\dbssys\dbsnts.exe <Not Verified; Cipherbase; DBSNTS>
R2 WebrootCommAgentService (Webroot CommAgent Service) - c:\program files\webroot\enterprise\commagent\commagent.exe <Not Verified; Webroot Software, Inc.; CommAgent>

S2 SYSEEM32 - c:\program files\windows\syseem32\alg.exe <Not Verified; JPEG ??; JPEG ??>
S2 Systemadmin Event Notification - c:\program files\$winnt$log.ini
S2 TOlb (mspx) - c:\windows\system32\toolba.exe (file missing)
S2 WindowsEntServer2008 (Ent58ComServer) - c:\windows\entsver.exe (file missing)
S3 Cwbrxd (Client Access Express Remote Command) - c:\windows\cwbrxd.exe <Not Verified; IBM Corporation; IBM® AS/400® Client Access Express for Windows®>
S4 msfox (msfoix) - c:\windows\system32\msfox.exe (file missing)
S4 RMTCS (Remote Tracking Client Service) - c:\windows\system32\rapimgr.exe <Not Verified; ; srv ????>
S4 TrackingSS (Distributed Link Tracking Client Service) - c:\windows\system32\service.exe <Not Verified; ; srv ????>
S4 Windows Disk Manager - c:\windows\system32\mmso.exe -u (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\IFX0102\4&38462492&0
Manufacturer:
Name:
PNP Device ID: ACPI\IFX0102\4&38462492&0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\TOS620A\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\TOS620A\2&DABA3FF&0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-08-08 18:46:55 376 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2008-08-02 22:35:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-07-13 and 2008-08-13 -----------------------------

2008-08-12 21:42:22 28672 --a------ C:\WINDOWS\TIEMZUW6.exe
2008-08-12 21:42:22 61440 -rahs---- C:\WINDOWS\NMR8J5.exe <Not Verified; drw.kills; kav.exe>
2008-08-12 21:42:20 61440 -r-hs---- C:\WINDOWS\3TBUZDHVDH.exe <Not Verified; drw.kills; kav.exe>
2008-08-12 21:14:54 61440 -rahs---- C:\WINDOWS\Q6Q3DFEFQ.exe <Not Verified; drw.kills; kav.exe>
2008-08-12 21:14:54 28672 --a------ C:\WINDOWS\2ZHT4DU6PV.exe
2008-08-12 21:14:52 61440 -r-hs---- C:\WINDOWS\MKCFUS3D.exe <Not Verified; drw.kills; kav.exe>
2008-08-10 16:34:58 0 d-------- C:\Program Files\WINDOWS
2008-08-09 21:08:57 21060 -----n--- C:\WINDOWS\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
2008-08-09 21:08:56 10368 -----n--- C:\WINDOWS\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
2008-08-09 21:08:14 204800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-08-09 21:08:14 188416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-08-09 21:08:14 192512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-08-09 21:08:14 192512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-08-09 21:08:14 200704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-08-09 21:08:14 20480 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-08-09 21:08:05 0 d-------- C:\Program Files\InterVideo
2008-08-07 22:04:39 0 d-------- C:\Documents and Settings\Agent\Application Data\DivX
2008-08-07 14:43:22 0 d-------- C:\Documents and Settings\Agent\Application Data\TuneUp Software
2008-08-07 14:42:57 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-07 14:42:39 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-08-07 13:54:05 0 d-------- C:\Documents and Settings\Agent\Application Data\Symantec
2008-08-07 12:46:15 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-08-07 11:41:29 0 d--h----- C:\WINDOWS\PIF
2008-08-07 09:07:06 0 d-------- C:\WINDOWS\Sun
2008-08-06 21:59:03 0 d-------- C:\Program Files\Norton 360
2008-08-06 20:41:42 0 --a------ C:\WINDOWS\system32\admshare.dat
2008-08-06 20:41:36 0 d-------- C:\Documents and Settings\Agent\Application Data\BITS
2008-08-06 15:45:17 28672 --a------ C:\WINDOWS\0J2I866WRL3.exe
2008-08-06 15:45:15 61440 --ahs---- C:\WINDOWS\9ZGP3LV3.exe <Not Verified; drw.kills; kav.exe>
2008-08-03 15:10:38 0 d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2008-08-01 21:10:39 339456 --a------ C:\WINDOWS\system32\$Caterpill.dll
2008-07-31 11:03:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-07-31 09:32:13 0 d-------- C:\Documents and Settings\Agent\Application Data\Apple Computer
2008-07-31 09:31:38 0 d-------- C:\Program Files\iPod
2008-07-31 09:31:32 0 d-------- C:\Program Files\iTunes
2008-07-31 09:31:12 0 d-------- C:\Program Files\Bonjour
2008-07-31 09:30:20 0 d-------- C:\Program Files\QuickTime
2008-07-31 09:30:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-31 09:29:39 0 d-------- C:\Program Files\Apple Software Update
2008-07-31 09:29:00 0 d-------- C:\Program Files\Common Files\Apple
2008-07-31 09:29:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-31 08:53:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2008-07-30 16:27:16 0 d-------- C:\Program Files\DivX
2008-07-28 22:26:44 0 d-------- C:\WINDOWS\system32\shellexec
2008-07-28 22:26:37 51536 ---hs---- C:\WINDOWS\system32\winload.dll <Not Verified; Microsoft Corporation; >
2008-07-26 16:57:37 0 d-------- C:\WINDOWS\pss
2008-07-25 02:27:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-07-23 13:10:11 0 d-------- C:\Documents and Settings\Agent\Application Data\Sun
2008-07-23 13:07:18 0 d-------- C:\Program Files\Java
2008-07-23 13:01:39 0 d-------- C:\Program Files\Common Files\Java
2008-07-21 15:55:36 22 --a------ C:\WINDOWS\home.vbs
2008-07-21 15:05:59 176128 --a------ C:\WINDOWS\system32\DBSAgent.dll <Not Verified; Cipherbase; AgentWrapper>
2008-07-20 16:12:38 0 d-------- C:\HP LJ1320
2008-07-19 19:11:50 36864 --a------ C:\WINDOWS\system32\DBSHook.dll <Not Verified; Cipherbase; DBSHook>
2008-07-19 19:11:49 32768 --a------ C:\WINDOWS\system32\Base64.dll <Not Verified; Alvaro Redondo; Base64 Encoding Library v2>
2008-07-19 15:28:05 0 d-------- C:\HP LJ1320 PCL5 Driver
2008-07-18 12:03:49 0 d-------- C:\Documents and Settings\Agent\Application Data\ScanSoft
2008-07-18 12:01:08 0 d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-07-18 12:01:02 0 d-------- C:\Program Files\ScanSoft
2008-07-18 12:01:02 0 d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-07-17 21:35:42 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-17 16:28:46 0 d-------- C:\HP-UPD4_5-PCL6-32
2008-07-17 15:19:15 0 d-------- C:\HP LJ1320 PCL6 Driver
2008-07-14 14:34:15 17408 --a------ C:\WINDOWS\system32\drivers\USBCRFT.SYS <Not Verified; ICSI Technology Ltd.; USB Card Reader and FlashDisk>
2008-07-14 14:34:14 266240 -r------- C:\WINDOWS\Dit.DLL <Not Verified; ICSI; Customized Icon Resource>
2008-07-14 14:34:13 61440 --a------ C:\WINDOWS\DitExp.exe <Not Verified; ICSI; Customized Icon and Label>
2008-07-14 14:34:13 90112 --a------ C:\WINDOWS\Dit.exe <Not Verified; ICSI Technology Ltd.; Customized Icon and Label>


-- Find3M Report ---------------------------------------------------------------

2008-08-13 21:07:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-13 21:06:13 0 d-------- C:\Documents and Settings\Agent\Application Data\Skype
2008-08-13 17:38:17 0 d-------- C:\Program Files\DBS SalesTrack
2008-08-13 16:05:28 0 d-------- C:\Documents and Settings\Agent\Application Data\skypePM
2008-08-12 18:53:35 56341 --a------ C:\WINDOWS\DBS SalesTrack Uninstaller.exe
2008-08-09 21:08:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-08 09:10:27 0 d-------- C:\Documents and Settings\Agent\Application Data\Mozilla
2008-08-07 14:40:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 12:15:37 0 d-------- C:\Program Files\Symantec
2008-08-07 12:11:52 0 d-------- C:\Program Files\Common Files
2008-08-06 18:03:21 0 d-------- C:\Program Files\Symantec AntiVirus
2008-08-02 02:25:30 682496 ---hs---- C:\Program Files\$winnt$log.ini
2008-07-19 15:08:56 0 d-------- C:\Documents and Settings\Agent\Application Data\Adobe
2008-07-07 15:12:17 176128 --a------ C:\WINDOWS\system32\AgentWrapper.dll <Not Verified; Cipherbase; AgentWrapper>
2008-07-06 06:30:34 0 d-------- C:\Program Files\Common Files\snp2std
2008-07-06 06:30:30 0 d-------- C:\Program Files\U.S. Robotics
2008-07-06 06:26:37 0 d-------- C:\Documents and Settings\Agent\Application Data\InstallShield
2008-06-23 21:05:20 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-23 18:44:58 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-23 18:36:08 0 d-------- C:\Program Files\Skype
2008-06-23 18:36:02 0 d-------- C:\Program Files\Common Files\Skype
2008-06-18 11:39:30 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-17 10:16:44 1160 --a------ C:\WINDOWS\mozver.dat
2008-06-17 10:09:37 0 d-------- C:\Program Files\Toshiba
2008-06-16 08:13:34 0 d-------- C:\Documents and Settings\Agent\Application Data\Macromedia
2008-06-16 07:46:07 0 d-------- C:\Program Files\Windows Live
2008-06-16 07:36:39 0 d-------- C:\Program Files\Yahoo!
2008-06-15 19:00:11 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-15 18:22:01 0 d-------- C:\Documents and Settings\Agent\Application Data\TeamViewer
2008-06-15 17:44:24 0 d-------- C:\Documents and Settings\Agent\Application Data\MSNInstaller
2008-06-15 17:19:58 0 d-------- C:\Program Files\Hewlett-Packard
2008-06-15 17:10:02 0 d-------- C:\Documents and Settings\Agent\Application Data\Talkback
2008-06-15 17:09:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-15 17:06:27 0 d-------- C:\Program Files\Canon
2008-06-15 16:54:00 0 d-------- C:\Documents and Settings\Agent\Application Data\Canon
2008-06-15 16:47:55 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-12 13:56:52 62 --ahs---- C:\Documents and Settings\Agent\Application Data\desktop.ini
2008-06-12 10:27:44 0 -rahs---- C:\MSDOS.SYS
2008-06-12 10:27:44 0 -rahs---- C:\IO.SYS
2008-06-12 10:27:44 0 --a------ C:\CONFIG.SYS
2008-06-12 10:27:44 0 --a------ C:\AUTOEXEC.BAT
2008-06-12 10:24:18 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-11 03:07:20 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 03:03:26 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-06-11 03:03:26 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-06-11 03:03:20 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-06-11 03:03:20 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-06-11 03:03:20 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX>
2008-06-11 03:03:20 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-06-11 03:03:18 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-05-23 01:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C74E94A7-B7BD-4891-9328-455395BCC7AD}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [03/23/2006 12:17 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [03/23/2006 12:13 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [03/23/2006 12:17 PM]
"RTHDCPL"="RTHDCPL.EXE" [05/09/2006 12:53 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 05:43 PM C:\WINDOWS\Alcmtr.exe]
"AGRSMMSG"="AGRSMMSG.exe" [06/30/2006 04:32 AM C:\WINDOWS\agrsmmsg.exe]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [05/05/2006 04:36 PM]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [05/02/2001 04:10 AM]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [05/02/2001 04:10 AM]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [05/02/2001 04:10 AM]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [05/02/2001 04:10 AM]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [04/24/2006 05:09 PM]
"000StTHK"="000StTHK.exe" [06/23/2001 03:28 AM C:\WINDOWS\system32\000StTHK.exe]
"Dit"="Dit.exe" [08/05/2004 07:28 PM C:\WINDOWS\Dit.exe]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 08:59 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchGuard Mobile VPN with SSL"="C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnc.exe" [02/22/2008 11:41 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/14/2008 04:42 AM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 10:34 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 04:43 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [05/30/2008 03:54 PM]
"DBSRUN"="c:\dbssys\DBSRUN.exe" [08/09/2008 05:21 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sichost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 05/05/2006 04:48 PM 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safe.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safebox.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rav.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMonD.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStub.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavTask.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwcfg.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwstub.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safeboxTray.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SmartUp.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Agent^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Agent\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Funshion]
C:\Program Files\Funshion Online\Funshion\Funshion.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
C:\WINDOWS\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
C:\WINDOWS\tsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Webroot Spy Sweeper, Enterprise Edition]
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc
Tpooler Tpooler
Application Application
Tpoggoler Tpoggoler
rvpqhb rvpqhb
ASP.NET ASP.NET

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
napagent
hkmsvc
SystamlogSve

*Newly Created Service* - COMHOST



-- Hosts -----------------------------------------------------------------------

78.42.196.237 DBS-SMTP-SERVER


-- End of Deckard's System Scanner: finished at 2008-08-13 21:08:54 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU T5600 @ 1.83GHz
Percentage of Memory in Use: 49%
Physical Memory (total/avail): 1015.11 MiB / 511.86 MiB
Pagefile Memory (total/avail): 2444.11 MiB / 1945.7 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.64 MiB

C: is Fixed (NTFS) - 58.59 GiB total, 13.92 GiB free.
D: is Fixed (NTFS) - 15.93 GiB total, 15.55 GiB free.
E: is CDROM (CDFS)
F: is CDROM (No Media)
I: is Fixed (NTFS) - 372.61 GiB total, 311.18 GiB free.

\\.\PHYSICALDRIVE0 - HTS541080G9SA00 - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 58.59 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 15.93 GiB - D:

\\.\PHYSICALDRIVE1 - ST340063 3A USB Device - 372.61 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 372.61 GiB - I:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Agent\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OMSC-JFRIEL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Agent
LOGONSERVER=\\OMSC-JFRIEL
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\sqlany50\win32;C:\PROGRA~1\IBM\CLIENT~1;C:\PROGRA~1\IBM\CLIENT~1\Shared;C:\PROGRA~1\IBM\CLIENT~1\Emulator;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SQLANY=c:\sqlany50
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Agent\LOCALS~1\Temp
TMP=C:\DOCUME~1\Agent\LOCALS~1\Temp
USERDOMAIN=OMSC-JFRIEL
USERNAME=Agent
USERPROFILE=C:\Documents and Settings\Agent
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Agent (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL10.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL11.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL12.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL13.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL2.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL23.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL3.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL4.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL5.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL6.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL7.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL8.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL9.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\Emulator\DeIsL1.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\Emulator\DeIsL2.isu"
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{35B91753-5789-4517-9CF1-2CCE3A8CF4F1}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Canon ScanGear Starter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{18A5DFF2-8A95-49F3-873F-743CB5549F3D}\SETUP.EXE" -l0x9 anything
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DAEMON Tools --> MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
DBS SalesTrack --> C:\WINDOWS\DBS SalesTrack Uninstaller.exe
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
GearDrvs --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\Agent\Desktop\HJT\HijackThis.exe" /uninstall
IBM AS/400 Client Access Express for Windows --> "C:\Program Files\IBM\Client Access\cwbinarp.exe"
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel® PRO Network Connections Drivers --> Prounstl.exe
InterVideo WinDVD Creator 2 --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{EF6C4600-306D-4F6A-A119-C2A877D25B4A}
Java 2 Runtime Environment, SE v1.4.2_15 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142150}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Milquote II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BB987EE0-1586-11D2-AECD-00A0C9399173}\setup.exe"
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Multi-Card Reader & Flash Disk --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83F3EED2-DDE2-4434-8FBE-9D2A1E7C2BC9}\SETUP.exe" -l0x9 -wUninst
Norton 360 --> MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}
Norton 360 --> MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}
Norton 360 --> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
Norton 360 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{2D617065-1C52-4240-B5BC-C0AE12157777}_1_0_0_184\{2D617065-1C52-4240-B5BC-C0AE12157777}.exe" /X
Norton 360 Help --> MsiExec.exe /I{1CA941F1-5006-487E-9FD4-09F812A7D6B8}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Authentification Component --> MsiExec.exe /I{3074EB89-1BCA-4AEF-AFF4-EFB4634C1923}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
OMSG Milquote II XP Kodak Image Update --> MsiExec.exe /I{87338D45-03DF-4DB9-8715-EFDCD027FE1D}
PaperPort 9.0 --> MsiExec.exe /I{8EE2086B-9C3D-43AB-8E8D-B02395254E77}
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Skype 3.8 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SuppSoft --> MsiExec.exe /I{022DA2C3-81C7-4003-A6BC-1BB147B20097}
Sybase SQL Anywhere 5.0 --> c:\sqlany50\win32\setup.exe -u
Symantec Technical Support Controls --> MsiExec.exe /I{92B1B3CC-EC78-45B8-96D0-8B3F11495864}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Topaz SigPlus Basic 3.61 --> C:\WINDOWS\SigPlus\Tools\UNWISE.EXE C:\WINDOWS\SigPlus\Tools\SIGPLUSREADER.LOG
TOSHIBA Software Modem --> Tosmreg -U
TuneUp Utilities 2008 --> MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
USR Mini Cam for Skype --> C:\Program Files\InstallShield Installation Information\{75438C0E-9925-412E-AD85-D0E71C6CE2ED}\setup.exe -runfromtemp -l0x0009 -removeonly -u
WatchGuard Mobile VPN with SSL client 10 --> "C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\unins000.exe"
Webroot Spy Sweeper Enterprise Client --> MsiExec.exe /X{697836DE-03BB-4C4C-9B06-CAFC93D0A506}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type3545 / Success
Event Submitted/Written: 08/13/2008 01:02:55 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type3525 / Success
Event Submitted/Written: 08/13/2008 08:57:52 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type3491 / Error
Event Submitted/Written: 08/13/2008 00:50:46 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application 3tbuzdhvdh.exe, version 2.0.0.104, faulting module 3tbuzdhvdh.exe, version 2.0.0.104, fault address 0x00000003.
Processing media-specific event for [3tbuzdhvdh.exe!ws!]

Event Record #/Type3490 / Error
Event Submitted/Written: 08/13/2008 00:50:41 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application 3tbuzdhvdh.exe, version 2.0.0.104, faulting module 3tbuzdhvdh.exe, version 2.0.0.104, fault address 0x00000003.
Processing media-specific event for [3tbuzdhvdh.exe!ws!]

Event Record #/Type3489 / Error
Event Submitted/Written: 08/13/2008 00:44:44 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application 3tbuzdhvdh.exe, version 2.0.0.104, faulting module 3tbuzdhvdh.exe, version 2.0.0.104, fault address 0x00000003.
Processing media-specific event for [3tbuzdhvdh.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6115 / Error
Event Submitted/Written: 08/13/2008 08:45:58 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 10.10.8.13 for the Network Card with network address 00FF0D07D5E0 has been
denied by the DHCP server 10.10.8.254 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type6105 / Error
Event Submitted/Written: 08/13/2008 02:26:09 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 10.10.8.21 for the Network Card with network address 00FF0D07D5E0 has been
denied by the DHCP server 10.10.8.254 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type6098 / Error
Event Submitted/Written: 08/13/2008 01:08:18 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 10.10.8.2 for the Network Card with network address 00FF0D07D5E0 has been
denied by the DHCP server 10.10.8.254 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type6080 / Error
Event Submitted/Written: 08/13/2008 01:00:51 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The yvpqhbvb service failed to start due to the following error:
%%2

Event Record #/Type6079 / Error
Event Submitted/Written: 08/13/2008 01:00:51 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The SYSEEM32 service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2008-08-13 21:08:54 ------------

#4 jfriel (Topic Starter)

Posted 13 August 2008 - 01:45 PM

STEP 2 LOGS (Main.txt / Extra.txt)

Deckard's System Scanner v20071014.68
Run by Agent on 2008-08-13 21:17:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
23: 2008-08-13 18:06:48 UTC - RP91 - Deckard's System Scanner Restore Point
22: 2008-08-12 20:03:02 UTC - RP90 - System Checkpoint
21: 2008-08-11 19:23:04 UTC - RP89 - System Checkpoint
20: 2008-08-10 17:35:39 UTC - RP88 - System Checkpoint
19: 2008-08-09 16:45:24 UTC - RP87 - System Checkpoint


-- First Restore Point --
1: 2008-07-22 09:30:20 UTC - RP69 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Agent.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:44 PM, on 8/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\dbssys\DBSNTS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\Dit.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\dbssys\DBSValidReceive.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
c:\dbssys\DBSRUN.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\luall.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Documents and Settings\Agent\desktop\dss.exe
C:\DOCUME~1\Agent\Desktop\HJT\Agent.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sichost.exe
O1 - Hosts: 78.42.196.237 DBS-SMTP-SERVER
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IESuper - {1A49F431-2A2E-41a5-9080-0F41D1A3AEC2} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools_200885_7822.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MiniFlashGetBHO - {C74E94A7-B7BD-4891-9328-455395BCC7AD} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [WatchGuard Mobile VPN with SSL] "C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnc.exe" /noconnect
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DBSRUN] c:\dbssys\DBSRUN.exe
O8 - Extra context menu item: 使用迷你快车下载 (Download with FlashGet Mini) - C:\Program Files\FlashGet Network\FlashGet Mini\GetUrl.htm
O8 - Extra context menu item: 使用迷你快车下载该网页FLV (Download this page's FLV with FlashGet Mini) - C:\Program Files\FlashGet Network\FlashGet Mini\FlashGetFlvdetector.htm
O8 - Extra context menu item: 使用迷你快车下载全部链接 (Download all links with FlashGet Mini) - C:\Program Files\FlashGet Network\FlashGet Mini\GetAllUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213265367109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213265359328
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A172FF56-0C5C-4D28-B6A0-F781ECF2D37C}: NameServer = 195.238.50.254,195.238.40.44
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3595A04-AD22-4DD1-AE44-599279609BC9}: NameServer = 213.42.20.20,195.229.241.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DBSNTS - Cipherbase - c:\dbssys\DBSNTS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SYSEEM32 - JPEG ?? - C:\Program Files\WINDOWS\SYSEEM32\ALG.EXE
O23 - Service: Systemadmin Event Notification - Unknown owner - C:\Program.exe (file missing)
O23 - Service: mspx (TOlb) - Unknown owner - C:\WINDOWS\system32\toolba.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
O23 - Service: Webroot SpySweeper Service (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
O23 - Service: Ent58ComServer (WindowsEntServer2008) - Unknown owner - C:\WINDOWS\EntSver.exe (file missing)

--
End of file - 11693 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - %SystemRoot%\System32\NOTEPAD.EXE %1"
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.ini - inifile - shell\open\command - %SystemRoot%\System32\NOTEPAD.EXE %1"
.pif - piffile - shell\open\command - "%1" %*"
.scr - unable to read key


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 TVALZ (TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver) - c:\windows\system32\drivers\tvalz.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Common Modules>
R1 Tosrfcom (Bluetooth RFCOMM from TOSHIBA) - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
R2 FdRedir - c:\program files\common files\protector suite ql\drivers\fdredir.sys <Not Verified; UPEK Inc.; Protector Suite QL>
R2 FileDisk2 (FileDisk Protector Kernel Driver) - c:\program files\common files\protector suite ql\drivers\filedisk.sys <Not Verified; UPEK Inc.; Protector Suite QL>
R2 smihlp (SMI helper driver) - c:\program files\protector suite ql\smihlp.sys <Not Verified; UPEK Inc.; Protector Suite QL>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 tap0901 (TAP-Win32 Adapter V9) - c:\windows\system32\drivers\tap0901.sys <Not Verified; The OpenVPN Project; TAP-Win32 Virtual Network Driver>
R3 tosporte (Bluetooth Port Driver from Toshiba) - c:\windows\system32\drivers\tosporte.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth Port Emulation Driver>
R3 tosrfec (Bluetooth ACPI from TOSHIBA) - c:\windows\system32\drivers\tosrfec.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth EC Driver>

S2 yvpqhbvb - c:\windows\system32\drivers\acyyzv.sys (file missing)
S3 CardReaderFilter (Card Reader Filter) - c:\windows\system32\drivers\usbcrft.sys <Not Verified; ICSI Technology Ltd.; USB Card Reader and FlashDisk>
S3 DRMUP8WS66 (1F80N8) - c:\windows\15aymbo.txt
S3 RESSDT - c:\windows\system32\ssdtti.sys (file missing)
S3 toshidpt (TOSHIBA Bluetooth HID port driver) - c:\windows\system32\drivers\toshidpt.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Bluetooth HID Mini Port Driver>
S3 Tosrfbd (Bluetooth RFBUS from TOSHIBA) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
S3 Tosrfbnp (Bluetooth RFBNEP from TOSHIBA) - c:\windows\system32\drivers\tosrfbnp.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFBNEP Driver from TOSHIBA>
S3 Tosrfhid (Bluetooth RFHID from TOSHIBA) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; Bluetooth HID Driver from TOSHIBA>
S3 tosrfnds (Bluetooth Personal Area Network from TOSHIBA) - c:\windows\system32\drivers\tosrfnds.sys <Not Verified; TOSHIBA Corporation.; Bluetooth BNEP Driver from TOSHIBA>
S3 TosRfSnd (Bluetooth Audio Device (WDM) from TOSHIBA) - c:\windows\system32\drivers\tosrfsnd.sys <Not Verified; TOSHIBA Corporation; Bluetooth Audio Driver>
S3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Microsoft® Windows NT® Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 DBSNTS - c:\dbssys\dbsnts.exe <Not Verified; Cipherbase; DBSNTS>
R2 WebrootCommAgentService (Webroot CommAgent Service) - c:\program files\webroot\enterprise\commagent\commagent.exe <Not Verified; Webroot Software, Inc.; CommAgent>

S2 SYSEEM32 - c:\program files\windows\syseem32\alg.exe <Not Verified; JPEG ??; JPEG ??>
S2 Systemadmin Event Notification - c:\program files\$winnt$log.ini
S2 TOlb (mspx) - c:\windows\system32\toolba.exe (file missing)
S2 WindowsEntServer2008 (Ent58ComServer) - c:\windows\entsver.exe (file missing)
S3 Cwbrxd (Client Access Express Remote Command) - c:\windows\cwbrxd.exe <Not Verified; IBM Corporation; IBM® AS/400® Client Access Express for Windows®>
S4 msfox (msfoix) - c:\windows\system32\msfox.exe (file missing)
S4 RMTCS (Remote Tracking Client Service) - c:\windows\system32\rapimgr.exe <Not Verified; ; srv ????>
S4 TrackingSS (Distributed Link Tracking Client Service) - c:\windows\system32\service.exe <Not Verified; ; srv ????>
S4 Windows Disk Manager - c:\windows\system32\mmso.exe -u (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\IFX0102\4&38462492&0
Manufacturer:
Name:
PNP Device ID: ACPI\IFX0102\4&38462492&0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\TOS620A\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\TOS620A\2&DABA3FF&0
Service:


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 1112)
2006-05-05 16:48:24 40448 --a------ C:\WINDOWS\system32\psqlpwd.dll <Not Verified; UPEK Inc.; Protector Suite QL>
2006-05-05 16:32:56 251904 --a------ C:\Program Files\Protector Suite QL\infra.dll <Not Verified; UPEK Inc.; Protector Suite QL>
2006-05-05 16:48:18 882688 --a------ C:\Program Files\Protector Suite QL\homefus2.dll <Not Verified; UPEK Inc.; Protector Suite QL>
2006-05-05 16:48:16 5632 --a------ C:\WINDOWS\system32\biologon.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2006-05-05 16:44:44 2548736 --a------ C:\Program Files\Protector Suite QL\homepass.dll <Not Verified; UPEK Inc.; Protector Suite QL>
2006-05-05 16:43:30 1549312 --a------ C:\Program Files\Protector Suite QL\bio.dll <Not Verified; UPEK Inc.; Protector Suite QL>
2006-05-05 16:33:02 103936 --a------ C:\Program Files\Protector Suite QL\remote.dll <Not Verified; UPEK Inc.; Protector Suite QL>
2008-04-14 04:42:38 95368 --a------ C:\WINDOWS\system32\acyyzv.dll
2006-05-05 17:00:46 1384448 --a------ C:\Program Files\Protector Suite QL\mysafe.dll <Not Verified; UPEK Inc.; Protector Suite QL>
2001-05-02 04:10:00 24576 --a------ C:\Program Files\IBM\Client Access\Shared\cwbnetnt.dll <Not Verified; IBM Corporation; IBM® AS/400® Client Access Express for Windows®>

C:\WINDOWS\system32\svchost.exe (pid 1584)
2007-07-24 15:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

C:\WINDOWS\system32\svchost.exe (pid 1892)
2008-04-14 04:42:38 95880 --a------ C:\WINDOWS\system32\byaiuv.dll
2008-04-14 04:42:38 95368 --a------ C:\WINDOWS\system32\acyyzv.dll
2007-07-24 15:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

C:\WINDOWS\system32\svchost.exe (pid 632)
2008-04-14 04:42:38 95368 --a------ C:\WINDOWS\system32\acyyzv.dll
2007-07-24 15:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

C:\WINDOWS\system32\svchost.exe (pid 880)
2008-08-02 10:34:49 339456 --a------ C:\WINDOWS\system32\$Caterpill.dll
2007-07-24 15:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>
2008-04-14 04:42:38 95368 --a------ C:\WINDOWS\system32\acyyzv.dll

C:\WINDOWS\system32\svchost.exe (pid 1828)
2008-04-14 04:42:38 95880 --a------ C:\WINDOWS\system32\fjrccl.dll
2008-04-14 04:42:38 95368 --a------ C:\WINDOWS\system32\acyyzv.dll
2007-07-24 15:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

C:\WINDOWS\system32\svchost.exe (pid 2204)
2008-04-14 04:42:38 95368 --a------ C:\WINDOWS\system32\acyyzv.dll

C:\WINDOWS\explorer.exe (pid 3360)
2008-04-14 04:42:38 95368 --a------ C:\WINDOWS\system32\acyyzv.dll


-- Scheduled Tasks -------------------------------------------------------------

2008-08-08 18:46:55 376 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2008-08-02 22:35:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-07-13 and 2008-08-13 -----------------------------

2008-08-12 21:42:22 28672 --a------ C:\WINDOWS\TIEMZUW6.exe
2008-08-12 21:42:22 61440 -rahs---- C:\WINDOWS\NMR8J5.exe <Not Verified; drw.kills; kav.exe>
2008-08-12 21:42:20 61440 -r-hs---- C:\WINDOWS\3TBUZDHVDH.exe <Not Verified; drw.kills; kav.exe>
2008-08-12 21:14:54 61440 -rahs---- C:\WINDOWS\Q6Q3DFEFQ.exe <Not Verified; drw.kills; kav.exe>
2008-08-12 21:14:54 28672 --a------ C:\WINDOWS\2ZHT4DU6PV.exe
2008-08-12 21:14:52 61440 -r-hs---- C:\WINDOWS\MKCFUS3D.exe <Not Verified; drw.kills; kav.exe>
2008-08-10 16:34:58 0 d-------- C:\Program Files\WINDOWS
2008-08-09 21:08:57 21060 -----n--- C:\WINDOWS\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
2008-08-09 21:08:56 10368 -----n--- C:\WINDOWS\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
2008-08-09 21:08:14 204800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-08-09 21:08:14 188416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-08-09 21:08:14 192512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-08-09 21:08:14 192512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-08-09 21:08:14 200704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-08-09 21:08:14 20480 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-08-09 21:08:05 0 d-------- C:\Program Files\InterVideo
2008-08-07 22:04:39 0 d-------- C:\Documents and Settings\Agent\Application Data\DivX
2008-08-07 14:43:22 0 d-------- C:\Documents and Settings\Agent\Application Data\TuneUp Software
2008-08-07 14:42:57 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-07 14:42:39 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-08-07 13:54:05 0 d-------- C:\Documents and Settings\Agent\Application Data\Symantec
2008-08-07 12:46:15 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-08-07 11:41:29 0 d--h----- C:\WINDOWS\PIF
2008-08-07 09:07:06 0 d-------- C:\WINDOWS\Sun
2008-08-06 21:59:03 0 d-------- C:\Program Files\Norton 360
2008-08-06 20:41:42 0 --a------ C:\WINDOWS\system32\admshare.dat
2008-08-06 20:41:36 0 d-------- C:\Documents and Settings\Agent\Application Data\BITS
2008-08-06 15:45:17 28672 --a------ C:\WINDOWS\0J2I866WRL3.exe
2008-08-06 15:45:15 61440 --ahs---- C:\WINDOWS\9ZGP3LV3.exe <Not Verified; drw.kills; kav.exe>
2008-08-03 15:10:38 0 d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2008-08-01 21:10:39 339456 --a------ C:\WINDOWS\system32\$Caterpill.dll
2008-07-31 11:03:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-07-31 09:32:13 0 d-------- C:\Documents and Settings\Agent\Application Data\Apple Computer
2008-07-31 09:31:38 0 d-------- C:\Program Files\iPod
2008-07-31 09:31:32 0 d-------- C:\Program Files\iTunes
2008-07-31 09:31:12 0 d-------- C:\Program Files\Bonjour
2008-07-31 09:30:20 0 d-------- C:\Program Files\QuickTime
2008-07-31 09:30:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-31 09:29:39 0 d-------- C:\Program Files\Apple Software Update
2008-07-31 09:29:00 0 d-------- C:\Program Files\Common Files\Apple
2008-07-31 09:29:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-31 08:53:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2008-07-30 16:27:16 0 d-------- C:\Program Files\DivX
2008-07-28 22:26:44 0 d-------- C:\WINDOWS\system32\shellexec
2008-07-28 22:26:37 51536 ---hs---- C:\WINDOWS\system32\winload.dll <Not Verified; Microsoft Corporation; >
2008-07-26 16:57:37 0 d-------- C:\WINDOWS\pss
2008-07-25 02:27:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-07-23 13:10:11 0 d-------- C:\Documents and Settings\Agent\Application Data\Sun
2008-07-23 13:07:18 0 d-------- C:\Program Files\Java
2008-07-23 13:01:39 0 d-------- C:\Program Files\Common Files\Java
2008-07-21 15:55:36 22 --a------ C:\WINDOWS\home.vbs
2008-07-21 15:05:59 176128 --a------ C:\WINDOWS\system32\DBSAgent.dll <Not Verified; Cipherbase; AgentWrapper>
2008-07-20 16:12:38 0 d-------- C:\HP LJ1320
2008-07-19 19:11:50 36864 --a------ C:\WINDOWS\system32\DBSHook.dll <Not Verified; Cipherbase; DBSHook>
2008-07-19 19:11:49 32768 --a------ C:\WINDOWS\system32\Base64.dll <Not Verified; Alvaro Redondo; Base64 Encoding Library v2>
2008-07-19 15:28:05 0 d-------- C:\HP LJ1320 PCL5 Driver
2008-07-18 12:03:49 0 d-------- C:\Documents and Settings\Agent\Application Data\ScanSoft
2008-07-18 12:01:08 0 d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-07-18 12:01:02 0 d-------- C:\Program Files\ScanSoft
2008-07-18 12:01:02 0 d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-07-17 21:35:42 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-17 16:28:46 0 d-------- C:\HP-UPD4_5-PCL6-32
2008-07-17 15:19:15 0 d-------- C:\HP LJ1320 PCL6 Driver
2008-07-14 14:34:15 17408 --a------ C:\WINDOWS\system32\drivers\USBCRFT.SYS <Not Verified; ICSI Technology Ltd.; USB Card Reader and FlashDisk>
2008-07-14 14:34:14 266240 -r------- C:\WINDOWS\Dit.DLL <Not Verified; ICSI; Customized Icon Resource>
2008-07-14 14:34:13 61440 --a------ C:\WINDOWS\DitExp.exe <Not Verified; ICSI; Customized Icon and Label>
2008-07-14 14:34:13 90112 --a------ C:\WINDOWS\Dit.exe <Not Verified; ICSI Technology Ltd.; Customized Icon and Label>


-- Find3M Report ---------------------------------------------------------------

2008-08-13 21:07:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-13 21:06:13 0 d-------- C:\Documents and Settings\Agent\Application Data\Skype
2008-08-13 17:38:17 0 d-------- C:\Program Files\DBS SalesTrack
2008-08-13 16:05:28 0 d-------- C:\Documents and Settings\Agent\Application Data\skypePM
2008-08-12 18:53:35 56341 --a------ C:\WINDOWS\DBS SalesTrack Uninstaller.exe
2008-08-09 21:08:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-08 09:10:27 0 d-------- C:\Documents and Settings\Agent\Application Data\Mozilla
2008-08-07 14:40:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 12:15:37 0 d-------- C:\Program Files\Symantec
2008-08-07 12:11:52 0 d-------- C:\Program Files\Common Files
2008-08-06 18:03:21 0 d-------- C:\Program Files\Symantec AntiVirus
2008-08-02 02:25:30 682496 ---hs---- C:\Program Files\$winnt$log.ini
2008-07-19 15:08:56 0 d-------- C:\Documents and Settings\Agent\Application Data\Adobe
2008-07-07 15:12:17 176128 --a------ C:\WINDOWS\system32\AgentWrapper.dll <Not Verified; Cipherbase; AgentWrapper>
2008-07-06 06:30:34 0 d-------- C:\Program Files\Common Files\snp2std
2008-07-06 06:30:30 0 d-------- C:\Program Files\U.S. Robotics
2008-07-06 06:26:37 0 d-------- C:\Documents and Settings\Agent\Application Data\InstallShield
2008-06-23 21:05:20 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-23 18:44:58 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-23 18:36:08 0 d-------- C:\Program Files\Skype
2008-06-23 18:36:02 0 d-------- C:\Program Files\Common Files\Skype
2008-06-18 11:39:30 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-17 10:16:44 1160 --a------ C:\WINDOWS\mozver.dat
2008-06-17 10:09:37 0 d-------- C:\Program Files\Toshiba
2008-06-16 08:13:34 0 d-------- C:\Documents and Settings\Agent\Application Data\Macromedia
2008-06-16 07:46:07 0 d-------- C:\Program Files\Windows Live
2008-06-16 07:36:39 0 d-------- C:\Program Files\Yahoo!
2008-06-15 19:00:11 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-15 18:22:01 0 d-------- C:\Documents and Settings\Agent\Application Data\TeamViewer
2008-06-15 17:44:24 0 d-------- C:\Documents and Settings\Agent\Application Data\MSNInstaller
2008-06-15 17:19:58 0 d-------- C:\Program Files\Hewlett-Packard
2008-06-15 17:10:02 0 d-------- C:\Documents and Settings\Agent\Application Data\Talkback
2008-06-15 17:09:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-15 17:06:27 0 d-------- C:\Program Files\Canon
2008-06-15 16:54:00 0 d-------- C:\Documents and Settings\Agent\Application Data\Canon
2008-06-15 16:47:55 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-12 13:56:52 62 --ahs---- C:\Documents and Settings\Agent\Application Data\desktop.ini
2008-06-12 10:27:44 0 -rahs---- C:\MSDOS.SYS
2008-06-12 10:27:44 0 -rahs---- C:\IO.SYS
2008-06-12 10:27:44 0 --a------ C:\CONFIG.SYS
2008-06-12 10:27:44 0 --a------ C:\AUTOEXEC.BAT
2008-06-12 10:24:18 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-11 03:07:20 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 03:03:26 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-06-11 03:03:26 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-06-11 03:03:20 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-06-11 03:03:20 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-06-11 03:03:20 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX>
2008-06-11 03:03:20 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-06-11 03:03:18 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-05-23 01:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C74E94A7-B7BD-4891-9328-455395BCC7AD}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [03/23/2006 12:17 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [03/23/2006 12:13 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [03/23/2006 12:17 PM]
"RTHDCPL"="RTHDCPL.EXE" [05/09/2006 12:53 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 05:43 PM C:\WINDOWS\Alcmtr.exe]
"AGRSMMSG"="AGRSMMSG.exe" [06/30/2006 04:32 AM C:\WINDOWS\agrsmmsg.exe]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [05/05/2006 04:36 PM]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [05/02/2001 04:10 AM]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [05/02/2001 04:10 AM]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [05/02/2001 04:10 AM]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [05/02/2001 04:10 AM]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [04/24/2006 05:09 PM]
"000StTHK"="000StTHK.exe" [06/23/2001 03:28 AM C:\WINDOWS\system32\000StTHK.exe]
"Dit"="Dit.exe" [08/05/2004 07:28 PM C:\WINDOWS\Dit.exe]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 08:59 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchGuard Mobile VPN with SSL"="C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnc.exe" [02/22/2008 11:41 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/14/2008 04:42 AM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 10:34 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 04:43 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [05/30/2008 03:54 PM]
"DBSRUN"="c:\dbssys\DBSRUN.exe" [08/09/2008 05:21 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sichost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 05/05/2006 04:48 PM 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safe.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safebox.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rav.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMonD.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStub.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavTask.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwcfg.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwstub.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safeboxTray.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SmartUp.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Agent^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Agent\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Funshion]
C:\Program Files\Funshion Online\Funshion\Funshion.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
C:\WINDOWS\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
C:\WINDOWS\tsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Webroot Spy Sweeper, Enterprise Edition]
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc
Tpooler Tpooler
Application Application
Tpoggoler Tpoggoler
rvpqhb rvpqhb
ASP.NET ASP.NET

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
napagent
hkmsvc
SystamlogSve

*Newly Created Service* - COMHOST



-- Hosts -----------------------------------------------------------------------

78.42.196.237 DBS-SMTP-SERVER


-- End of Deckard's System Scanner: finished at 2008-08-13 21:20:28 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU T5600 @ 1.83GHz
Percentage of Memory in Use: 55%
Physical Memory (total/avail): 1015.11 MiB / 450.77 MiB
Pagefile Memory (total/avail): 2444.11 MiB / 1919.81 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1902.7 MiB

C: is Fixed (NTFS) - 58.59 GiB total, 13.91 GiB free.
D: is Fixed (NTFS) - 15.93 GiB total, 15.55 GiB free.
E: is CDROM (CDFS)
F: is CDROM (No Media)
I: is Fixed (NTFS) - 372.61 GiB total, 311.18 GiB free.

\\.\PHYSICALDRIVE0 - HTS541080G9SA00 - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 58.59 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 15.93 GiB - D:

\\.\PHYSICALDRIVE1 - ST340063 3A USB Device - 372.61 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 372.61 GiB - I:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Agent\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OMSC-JFRIEL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Agent
LOGONSERVER=\\OMSC-JFRIEL
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\sqlany50\win32;C:\PROGRA~1\IBM\CLIENT~1;C:\PROGRA~1\IBM\CLIENT~1\Shared;C:\PROGRA~1\IBM\CLIENT~1\Emulator;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SQLANY=c:\sqlany50
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Agent\LOCALS~1\Temp
TMP=C:\DOCUME~1\Agent\LOCALS~1\Temp
USERDOMAIN=OMSC-JFRIEL
USERNAME=Agent
USERPROFILE=C:\Documents and Settings\Agent
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Agent (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL10.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL11.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL12.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL13.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL2.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL23.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL3.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL4.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL5.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL6.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL7.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL8.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL9.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\Emulator\DeIsL1.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\Emulator\DeIsL2.isu"
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{35B91753-5789-4517-9CF1-2CCE3A8CF4F1}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Canon ScanGear Starter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{18A5DFF2-8A95-49F3-873F-743CB5549F3D}\SETUP.EXE" -l0x9 anything
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DAEMON Tools --> MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
DBS SalesTrack --> C:\WINDOWS\DBS SalesTrack Uninstaller.exe
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
GearDrvs --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\Agent\Desktop\HJT\HijackThis.exe" /uninstall
IBM AS/400 Client Access Express for Windows --> "C:\Program Files\IBM\Client Access\cwbinarp.exe"
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel® PRO Network Connections Drivers --> Prounstl.exe
InterVideo WinDVD Creator 2 --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{EF6C4600-306D-4F6A-A119-C2A877D25B4A}
Java 2 Runtime Environment, SE v1.4.2_15 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142150}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Milquote II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BB987EE0-1586-11D2-AECD-00A0C9399173}\setup.exe"
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Multi-Card Reader & Flash Disk --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83F3EED2-DDE2-4434-8FBE-9D2A1E7C2BC9}\SETUP.exe" -l0x9 -wUninst
Norton 360 --> MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}
Norton 360 --> MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}
Norton 360 --> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
Norton 360 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{2D617065-1C52-4240-B5BC-C0AE12157777}_1_0_0_184\{2D617065-1C52-4240-B5BC-C0AE12157777}.exe" /X
Norton 360 Help --> MsiExec.exe /I{1CA941F1-5006-487E-9FD4-09F812A7D6B8}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Authentification Component --> MsiExec.exe /I{3074EB89-1BCA-4AEF-AFF4-EFB4634C1923}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
OMSG Milquote II XP Kodak Image Update --> MsiExec.exe /I{87338D45-03DF-4DB9-8715-EFDCD027FE1D}
PaperPort 9.0 --> MsiExec.exe /I{8EE2086B-9C3D-43AB-8E8D-B02395254E77}
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Skype 3.8 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SuppSoft --> MsiExec.exe /I{022DA2C3-81C7-4003-A6BC-1BB147B20097}
Sybase SQL Anywhere 5.0 --> c:\sqlany50\win32\setup.exe -u
Symantec Technical Support Controls --> MsiExec.exe /I{92B1B3CC-EC78-45B8-96D0-8B3F11495864}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Topaz SigPlus Basic 3.61 --> C:\WINDOWS\SigPlus\Tools\UNWISE.EXE C:\WINDOWS\SigPlus\Tools\SIGPLUSREADER.LOG
TOSHIBA Software Modem --> Tosmreg -U
TuneUp Utilities 2008 --> MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
USR Mini Cam for Skype --> C:\Program Files\InstallShield Installation Information\{75438C0E-9925-412E-AD85-D0E71C6CE2ED}\setup.exe -runfromtemp -l0x0009 -removeonly -u
WatchGuard Mobile VPN with SSL client 10 --> "C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\unins000.exe"
Webroot Spy Sweeper Enterprise Client --> MsiExec.exe /X{697836DE-03BB-4C4C-9B06-CAFC93D0A506}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type3545 / Success
Event Submitted/Written: 08/13/2008 01:02:55 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type3525 / Success
Event Submitted/Written: 08/13/2008 08:57:52 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type3491 / Error
Event Submitted/Written: 08/13/2008 00:50:46 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application 3tbuzdhvdh.exe, version 2.0.0.104, faulting module 3tbuzdhvdh.exe, version 2.0.0.104, fault address 0x00000003.
Processing media-specific event for [3tbuzdhvdh.exe!ws!]

Event Record #/Type3490 / Error
Event Submitted/Written: 08/13/2008 00:50:41 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application 3tbuzdhvdh.exe, version 2.0.0.104, faulting module 3tbuzdhvdh.exe, version 2.0.0.104, fault address 0x00000003.
Processing media-specific event for [3tbuzdhvdh.exe!ws!]

Event Record #/Type3489 / Error
Event Submitted/Written: 08/13/2008 00:44:44 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application 3tbuzdhvdh.exe, version 2.0.0.104, faulting module 3tbuzdhvdh.exe, version 2.0.0.104, fault address 0x00000003.
Processing media-specific event for [3tbuzdhvdh.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6115 / Error
Event Submitted/Written: 08/13/2008 08:45:58 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 10.10.8.13 for the Network Card with network address 00FF0D07D5E0 has been
denied by the DHCP server 10.10.8.254 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type6105 / Error
Event Submitted/Written: 08/13/2008 02:26:09 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 10.10.8.21 for the Network Card with network address 00FF0D07D5E0 has been
denied by the DHCP server 10.10.8.254 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type6098 / Error
Event Submitted/Written: 08/13/2008 01:08:18 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 10.10.8.2 for the Network Card with network address 00FF0D07D5E0 has been
denied by the DHCP server 10.10.8.254 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type6080 / Error
Event Submitted/Written: 08/13/2008 01:00:51 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The yvpqhbvb service failed to start due to the following error:
%%2

Event Record #/Type6079 / Error
Event Submitted/Written: 08/13/2008 01:00:51 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The SYSEEM32 service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2008-08-13 21:20:28 ------------
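
Two entries in the registry dump above are the ones a responder would want to flag automatically: the Winlogon Userinit value, which has C:\WINDOWS\system32\sichost.exe appended so it runs at every logon, and the image file execution options keys that set Debugger=TASKMAN.EXE for well-known AV processes, so Windows launches that "debugger" in place of the security tool and the tool never starts. The checker below is an added example, not code from this thread or from Deckard's System Scanner; it parses a few constructed lines copied from the dump and reports both markers, and the dump format it assumes is the one shown in the post.

```python
import re

# Constructed sample: a handful of lines copied from the DSS registry dump in the post above.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sichost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.exe]
Debugger=TASKMAN.EXE
"""

# Constructed clean counterpart: the Userinit value as Windows XP writes it
# (a trailing comma and nothing appended), and no IFEO keys at all.
CLEAN_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"
"""


def parse_dump(text):
    """Split a DSS-style registry dump into {key: [value lines]}.

    A line wrapped in [...] opens a key; every following non-blank line
    belongs to that key until the next [...] line.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


USERINIT_RE = re.compile(r'^"Userinit"="(.*)"$', re.IGNORECASE)


def userinit_extras(sections):
    """Return every program in the Winlogon Userinit value other than userinit.exe.

    Anything listed here is started by winlogon at each interactive logon,
    which is why malware appends itself to this value.
    """
    extras = []
    for key, values in sections.items():
        if not key.lower().endswith("\\winlogon"):
            continue
        for value in values:
            match = USERINIT_RE.match(value)
            if not match:
                continue
            for entry in match.group(1).split(","):
                entry = entry.strip()
                if not entry:
                    continue  # Windows leaves a trailing comma; that is normal
                if entry.rsplit("\\", 1)[-1].lower() != "userinit.exe":
                    extras.append(entry)
    return extras


DEBUGGER_RE = re.compile(r"^Debugger\s*=\s*(.+)$", re.IGNORECASE)


def ifeo_debuggers(sections):
    """Return (target exe, debugger) pairs from image file execution options keys.

    Any Debugger value deserves review: when the target is launched, Windows
    runs the Debugger program instead, with the target as its argument.
    """
    marker = "\\image file execution options\\"
    hits = []
    for key, values in sections.items():
        if marker not in key.lower():
            continue
        target = key.rsplit("\\", 1)[-1]
        for value in values:
            match = DEBUGGER_RE.match(value)
            if match:
                hits.append((target, match.group(1).strip()))
    return hits


def report(text):
    """Run both checks and return human-readable findings; an empty list means nothing was flagged."""
    sections = parse_dump(text)
    findings = []
    for extra in userinit_extras(sections):
        findings.append("Userinit starts an extra program at logon: " + extra)
    for target, debugger in ifeo_debuggers(sections):
        findings.append("IFEO redirects %s to %s; the target never runs" % (target, debugger))
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_DUMP):
        print(finding)
```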

#5 jfriel

jfriel
  • Topic Starter

  • Members
  • 33 posts

Posted 14 August 2008 - 03:39 AM

STEP 3 - KASPERSKY SCAN RESULTS

KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 14, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 13, 2008 19:00:42
Records in database: 1090281
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
I:\
Scan statistics
Files scanned 111941
Threat name 11
Infected objects 19
Suspicious objects 0
Duration of the scan 02:52:44

File name Threat name Threats count
C:\Documents and Settings\Agent\My Documents\My Download Programs\vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
C:\Documents and Settings\Agent\My Documents\REINSTALL\Applications\Utilities\vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
C:\Program Files\Symantec AntiVirus\mm1.exe Infected: Trojan-Downloader.Win32.Agent.yvp 1
C:\Program Files\Symantec AntiVirus\qq.exe Infected: Backdoor.Win32.Hupigon.cvkc 1
C:\Program Files\Symantec AntiVirus\webdown.vbs Infected: Trojan-Downloader.VBS.Small.l 1
C:\WINDOWS\0J2I866WRL3.exe Infected: Trojan-Downloader.Win32.Agent.wvn 1
C:\WINDOWS\15AYMBO.txt Infected: Rootkit.Win32.Agent.bqx 1
C:\WINDOWS\2ZHT4DU6PV.exe Infected: Trojan-Downloader.Win32.Agent.wvn 1
C:\WINDOWS\3TBUZDHVDH.exe Infected: Trojan.Win32.AntiAV.er 1
C:\WINDOWS\9ZGP3LV3.exe Infected: Trojan.Win32.AntiAV.dg 1
C:\WINDOWS\MKCFUS3D.exe Infected: Trojan.Win32.AntiAV.er 1
C:\WINDOWS\NMR8J5.exe Infected: Trojan.Win32.AntiAV.er 1
C:\WINDOWS\Q6Q3DFEFQ.exe Infected: Trojan.Win32.AntiAV.er 1
C:\WINDOWS\system32\config\systemprofile\vistaXA.exe Infected: Trojan-Downloader.Win32.Agent.zrh 1
C:\WINDOWS\system32\service.exe Infected: Backdoor.Win32.Small.fkj 1
C:\WINDOWS\system32\sovlost.exe Infected: Trojan-Clicker.Win32.Small.aal 1
C:\WINDOWS\TIEMZUW6.exe Infected: Trojan-Downloader.Win32.Agent.wvn 1
The selected area was scanned.

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands

Posted 15 August 2008 - 11:37 AM

Hi jfriel,

I am farbar. I am going to assist you with your problem. Please give me some time to look it over and I will get back to you as soon as possible.

A quick look at your logs shows your computer is heavily infected. Please limit the use of it to a minimum, preferably disconnect it from the internet and refrain from any system changes.

Thanks.

Edited by farbar, 15 August 2008 - 11:38 AM.


#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands

Posted 16 August 2008 - 01:28 AM

Hi again,

Your computer is infected with multiple sources of nasty infections: Rootkits generator, Backdoor Trojans and worms.

Malicious rootkits are dangerous malware. They can't be detected with the usual detection methods and they are hard to remove. You may read more on rootkits here: http://en.wikipedia.org/wiki/Rootkit

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Many experts in the security community believe that once infected with this type of infection, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We may try to clean this computer but there is no guarantee that it would succeed. Besides, we don't know to what extent the system files and functions are damaged by the infections and whether they are repairable afterwards. I strongly recommend that you back up the data you want to keep to an external drive (CD, DVD, flash drive, or external hard drive), reformat your entire hard drive and reinstall Windows.

If you decide to clean the computer, move on to the removal part.


Removal Instructions

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Some of our fixes will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.
  • Please tell me if you recognize these servers:

    195.238.50.254,195.238.40.44
    Hughes Network Systems GmbH
    Germany

    213.42.20.20,195.229.241.222
    Emirates Telecommunication Corporation
    descr: P.O. Box 1150 Dubai UAE

  • You have the latest version of Java and it is good. Please remove the older versions:
    Click "Start" and then the "Control Panel" icon.
    Please double-click the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    Java 2 Runtime Environment, SE v1.4.2_15

    Additional instructions can be found here if needed.

  • Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

  • Please download SDFix by AndyManchesta and save it to your desktop.
    When using this tool, you must use the Administrator's account or an account with "Administrative rights".
    • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
    • DO NOT use it just yet.
  • Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Scan with DrWeb-CureIt as follows:
    • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
    • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
    • Once the short scan has finished, Click Options > Change settings
    • Choose the "Scan tab" and UNcheck "Heuristic analysis"
    • Back at the main window, click "Custom Scan", then Select drives (a red dot will show which drives have been chosen).
    • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
    • When done, a message will be displayed at the bottom advising if any viruses were found.
    • Click "Yes to all" if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
      (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
    • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
    • Save the DrWeb.csv report to your desktop.
    • Exit Dr.Web Cureit when done.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
  • Reboot your computer in "Safe Mode" again.

    Open the SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Copy and paste the contents of the results file Report.txt in your next reply.
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sichost.exe
    O2 - BHO: IESuper - {1A49F431-2A2E-41a5-9080-0F41D1A3AEC2} - (no file)
    O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools_200885_7822.dll
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O23 - Service: SYSEEM32 - JPEG ?? - C:\Program Files\WINDOWS\SYSEEM32\ALG.EXE
    O23 - Service: mspx (TOlb) - Unknown owner - C:\WINDOWS\system32\toolba.exe (file missing)
    O23 - Service: Systemadmin Event Notification - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Ent58ComServer (WindowsEntServer2008) - Unknown owner - C:\WINDOWS\EntSver.exe (file missing)


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it.
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      SYSEEM32 <deleteservice>
      TOlb <deleteservice>
      WindowsEntServer2008 <deleteservice>
      C:\Program Files\Symantec AntiVirus\mm1.exe
      C:\Program Files\Symantec AntiVirus\qq.exe
      C:\Program Files\Symantec AntiVirus\webdown.vbs 
      C:\WINDOWS\0J2I866WRL3.exe
      C:\WINDOWS\15AYMBO.txt
      C:\WINDOWS\2ZHT4DU6PV.exe
      C:\WINDOWS\3TBUZDHVDH.exe
      C:\WINDOWS\9ZGP3LV3.exe
      C:\WINDOWS\MKCFUS3D.exe
      C:\WINDOWS\NMR8J5.exe
      C:\WINDOWS\Q6Q3DFEFQ.exe
      C:\WINDOWS\system32\config\systemprofile\vistaXA.exe
      C:\WINDOWS\system32\service.exe
      C:\WINDOWS\system32\sovlost.exe
      C:\WINDOWS\TIEMZUW6.exe
      C:\WINDOWS\system32\sichost.exe
      C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools_200885_7822.dll
      C:\Program Files\WINDOWS\SYSEEM32\ALG.EXE
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  • Download Deckard's Association File Tool daft.exe and save it to your desktop.
    • Double click on it and click Run.
    • Click on the Scan button.
    • If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a checkmark (tick) in the boxes in question.
    • Click the Fix button.
    • Reboot and Scan again to check if the associations are OK.
  • Please make a fresh Hijackthis log and copy and paste it into your reply. (main.txt).

    In your next reply:
    • The log of DrWeb.
    • The log of SDFix.
    • OTMoveIt log.
    • A fresh Hijackthis log.
    • Tell me about those servers.
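The entries the helper singles out for Fix Checked share a few tell-tale traits: UserInit carrying a second program, services whose file is missing, an owner string that names no vendor, and a genuine Windows binary name (ALG.EXE) sitting in a look-alike WINDOWS\SYSEEM32 folder under Program Files. The script below is an added example, not HijackThis code and not from any post in this thread; it encodes those traits as checks over F2 and O23 lines, and its sample log is constructed from the quoted entries plus one benign service line and a small hand-picked set of system binary names.

```python
"""Triage checks for HijackThis F2 (UserInit) and O23 (service) lines.

Added example for this thread; not part of HijackThis. The rules mirror the
reasoning behind the helper's fix list and produce review items, not verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample: the lines quoted in the helper's fix list plus one benign
# service line written for this example (the real ALG service in system32).
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sichost.exe
O23 - Service: SYSEEM32 - JPEG ?? - C:\\Program Files\\WINDOWS\\SYSEEM32\\ALG.EXE
O23 - Service: mspx (TOlb) - Unknown owner - C:\\WINDOWS\\system32\\toolba.exe (file missing)
O23 - Service: Systemadmin Event Notification - Unknown owner - C:\\Program.exe (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Microsoft Corporation - C:\\WINDOWS\\System32\\alg.exe
"""

F2_PREFIX = "F2 - REG:system.ini: UserInit="
O23_PREFIX = "O23 - Service: "
SYSTEM32 = r"c:\windows\system32"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"  # stock XP value
# Assumed, hand-picked set: names of real Windows binaries that malware likes
# to borrow. A file with one of these names outside system32 deserves a look.
SYSTEM_BINARY_NAMES = {"alg.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                       "services.exe", "winlogon.exe", "userinit.exe"}


@dataclass
class Service:
    display: str
    name: str
    owner: str
    path: str
    file_missing: bool


@dataclass
class Finding:
    line_no: int
    entry: str
    reason: str


def parse_service(line: str) -> Service:
    """Split an O23 line: 'Display (Name) - Owner - Path [(file missing)]'."""
    parts = line[len(O23_PREFIX):].split(" - ", 2)
    if len(parts) != 3:
        raise ValueError(f"unparseable O23 line: {line}")
    head, owner, path = parts
    file_missing = path.endswith(" (file missing)")
    if file_missing:
        path = path[: -len(" (file missing)")]
    # HijackThis prints '(ServiceName)' only when it differs from the display name.
    m = re.fullmatch(r"(.*) \(([^()]+)\)", head)
    display, name = (m.group(1), m.group(2)) if m else (head, head)
    return Service(display, name, owner, path, file_missing)


def service_findings(svc: Service) -> list[str]:
    """Reasons an O23 entry deserves review; empty list means nothing stood out."""
    reasons = []
    directory, _, filename = svc.path.lower().rpartition("\\")
    if svc.file_missing:
        reasons.append("service file is missing (orphaned entry; nothing legitimate starts from it)")
    if svc.owner == "Unknown owner" or "?" in svc.owner:
        reasons.append(f"owner string names no vendor: {svc.owner!r}")
    if filename in SYSTEM_BINARY_NAMES and directory != SYSTEM32:
        reasons.append(f"{filename} is a Windows binary name but lives outside {SYSTEM32}")
    if "\\windows\\" in directory + "\\" and not directory.startswith("c:\\windows"):
        reasons.append("path nests a look-alike WINDOWS folder under another directory")
    return reasons


def userinit_extras(line: str) -> list[str]:
    """Every program in the UserInit value other than the stock userinit.exe."""
    programs = [p.strip() for p in line[len(F2_PREFIX):].split(",") if p.strip()]
    return [p for p in programs if p.lower() != DEFAULT_USERINIT]


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and collect review items for F2 and O23 lines."""
    findings = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(F2_PREFIX):
            for extra in userinit_extras(line):
                findings.append(Finding(no, "UserInit", f"launches an extra program at logon: {extra}"))
        elif line.startswith(O23_PREFIX):
            svc = parse_service(line)
            for reason in service_findings(svc):
                findings.append(Finding(no, f"{svc.display} ({svc.name})", reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.entry}: {f.reason}")
```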


#8 jfriel
  • Topic Starter
  • Members
  • 33 posts

Posted 16 August 2008 - 10:28 AM

OK - all that took a while, but I am going to fight to clean this laptop if at all possible - I am working in a remote location and need to be online most of the day connected to a VPN, so unplugging is not really an option for a long period of time. OK, as instructed, here are the logs in order:

1. DRWEB LOG

dbsnts.exe;c:\dbssys;Probably BACKDOOR.Trojan;;
dbsrun.exe;c:\dbssys;Probably BACKDOOR.Trojan;;
$caterpill.dll;c:\windows\system32;BackDoor.BlackHole.2402;Deleted.;
rapimgr.exe;c:\windows\system32;BackDoor.Attack.47;Deleted.;
service.exe;c:\windows\system32;BackDoor.Attack.49;Deleted.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Agent\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Agent\Desktop;Archive contains infected objects;;
8F2ABEC4d01\SDFix\apps\Process.exe;C:\Documents and Settings\Agent\Local Settings\Application Data\Mozilla\Firefox\Profiles\5p9287rr.default\Cache\8F2ABEC4d01;Tool.Prockill;;
8F2ABEC4d01;C:\Documents and Settings\Agent\Local Settings\Application Data\Mozilla\Firefox\Profiles\5p9287rr.default\Cache;Archive contains infected objects;Moved.;
vnc-3.3.7-x86_win32.exe\data005;C:\Documents and Settings\Agent\My Documents\My Download Programs\vnc-3.3.7-x86_win32.exe;Program.RemoteAdmin;;
vnc-3.3.7-x86_win32.exe;C:\Documents and Settings\Agent\My Documents\My Download Programs;Archive contains infected objects;;
vnc-3.3.7-x86_win32.exe\data005;C:\Documents and Settings\Agent\My Documents\REINSTALL\Applications\Utilities\vnc-3.3.7-x86_win32.exe;Program.RemoteAdmin;;
vnc-3.3.7-x86_win32.exe;C:\Documents and Settings\Agent\My Documents\REINSTALL\Applications\Utilities;Archive contains infected objects;;
wmiprves[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01ODKHOL;Trojan.Click.origin;Incurable.Moved.;
wmiprves[2].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01ODKHOL;Trojan.Click.origin;Incurable.Moved.;
discover[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WRMF8D8P;Trojan.Click.5002;Deleted.;
discover[2].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WRMF8D8P;Trojan.Click.5002;Deleted.;
pifCrawl.exe;C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08};Trojan.Swizzor.based;Deleted.;
TFTP19816;C:\Program Files\Symantec AntiVirus;BackDoor.Pigeon.6620;Deleted.;
TFTP56864;C:\Program Files\Symantec AntiVirus;BackDoor.Pigeon.6620;Deleted.;
webdown.vbs;C:\Program Files\Symantec AntiVirus;Trojan.DownLoader.588;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A0009588.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP69;Trojan.Click.origin;Incurable.Moved.;
A0009589.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP69;Trojan.Click.5002;Deleted.;
A0009631.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP70;Trojan.Click.origin;Incurable.Moved.;
A0009632.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP70;Trojan.Click.5002;Deleted.;
A0009766.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP71;Trojan.Click.origin;Incurable.Moved.;
A0009767.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP71;Trojan.Click.5002;Deleted.;
A0009832.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP72;Trojan.Click.origin;Incurable.Moved.;
A0009833.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP72;Trojan.Click.5002;Deleted.;
A0009878.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP73;Trojan.Click.origin;Incurable.Moved.;
A0009879.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP73;Trojan.Click.5002;Deleted.;
A0009903.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP73;Trojan.Click.origin;Incurable.Moved.;
A0009904.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP73;Trojan.Click.5002;Deleted.;
A0009972.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP74;Trojan.Click.origin;Incurable.Moved.;
A0009973.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP74;Trojan.Click.5002;Deleted.;
A0010007.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP75;Trojan.Click.origin;Incurable.Moved.;
A0010008.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP75;Trojan.Click.5002;Deleted.;
A0010052.vbs;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP76;Trojan.DownLoader.588;Deleted.;
A0010053.EXE;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP76;Trojan.MulDrop.origin;Incurable.Moved.;
A0010054.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP76;Trojan.Click.origin;Incurable.Moved.;
A0010055.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP76;Trojan.Click.5002;Deleted.;
A0010901.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP76;Trojan.MulDrop.17830;Deleted.;
A0010914.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP76;Trojan.Click.origin;Incurable.Moved.;
A0010915.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP76;Trojan.Click.5002;Deleted.;
A0011904.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP77;Trojan.Click.origin;Incurable.Moved.;
A0011905.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP77;Trojan.Click.5002;Deleted.;
A0012907.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP77;Trojan.Click.origin;Incurable.Moved.;
A0012908.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP77;Trojan.Click.5002;Deleted.;
A0013909.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP77;Trojan.Click.origin;Incurable.Moved.;
A0013910.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP77;Trojan.Click.5002;Deleted.;
A0014908.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP78;Trojan.Click.origin;Incurable.Moved.;
A0014909.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP78;Trojan.Click.5002;Deleted.;
A0015910.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP78;Trojan.Click.origin;Incurable.Moved.;
A0015911.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP78;Trojan.Click.5002;Deleted.;
A0015949.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP78;Trojan.Click.origin;Incurable.Moved.;
A0015950.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP78;Trojan.Click.5002;Deleted.;
A0015953.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP78;Trojan.Click.origin;Incurable.Moved.;
A0015954.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP78;Trojan.Click.5002;Deleted.;
A0016009.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP79;Trojan.Click.origin;Incurable.Moved.;
A0016010.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP79;Trojan.Click.5002;Deleted.;
A0016020.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP79;Trojan.Click.origin;Incurable.Moved.;
A0016021.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP79;Trojan.Click.5002;Deleted.;
A0016061.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP79;BackDoor.BlackHole.2402;Deleted.;
A0017022.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP79;Trojan.Click.origin;Incurable.Moved.;
A0017023.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP79;Trojan.Click.5002;Deleted.;
A0017049.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP79;Trojan.Click.origin;Incurable.Moved.;
A0017050.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP79;Trojan.Click.5002;Deleted.;
A0017070.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP80;Trojan.Click.origin;Incurable.Moved.;
A0017071.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP80;Trojan.Click.5002;Deleted.;
A0018051.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP80;Trojan.Click.origin;Incurable.Moved.;
A0018052.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP80;Trojan.Click.5002;Deleted.;
A0019057.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP80;Trojan.Click.origin;Incurable.Moved.;
A0019058.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP80;Trojan.Click.5002;Deleted.;
A0020053.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP80;Trojan.Click.origin;Incurable.Moved.;
A0020054.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP80;Trojan.Click.5002;Deleted.;
A0020070.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP80;BackDoor.Pigeon.12989;Deleted.;
A0020071.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP80;BackDoor.Pigeon.12989;Deleted.;
A0020072.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP80;BackDoor.IRC.Sdbot.3467;Deleted.;
A0020106.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP81;Trojan.Click.origin;Incurable.Moved.;
A0020107.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP81;Trojan.Click.5002;Deleted.;
A0020184.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP81;Trojan.Click.origin;Incurable.Moved.;
A0020185.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP81;Trojan.Click.5002;Deleted.;
A0020192.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP81;Trojan.Click.origin;Incurable.Moved.;
A0020193.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP81;Trojan.Click.5002;Deleted.;
A0020200.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP81;Adware.Cinmus.origin;;
A0023194.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP82;Trojan.Click.origin;Incurable.Moved.;
A0023195.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP82;Trojan.Click.5002;Deleted.;
A0023205.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP82;Trojan.PWS.Legmir.1561;Deleted.;
A0023206.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP82;Trojan.Click.origin;Incurable.Moved.;
A0023207.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP82;Trojan.Click.5002;Deleted.;
A0023225.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP82;BackDoor.Hbeat.origin;Incurable.Moved.;
A0023236.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP82;Trojan.Click.origin;Incurable.Moved.;
A0023237.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP82;Trojan.Click.5002;Deleted.;
A0024239.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP82;Trojan.Click.origin;Incurable.Moved.;
A0024240.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP82;Trojan.Click.5002;Deleted.;
A0024366.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP83;Trojan.Click.origin;Incurable.Moved.;
A0024367.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP83;Trojan.Click.5002;Deleted.;
A0024587.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.origin;Incurable.Moved.;
A0024589.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.5002;Deleted.;
A0025589.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.origin;Incurable.Moved.;
A0025590.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.5002;Deleted.;
A0025634.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.DownLoad.3423;Deleted.;
A0025635.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;DDoS.Attack.17;Deleted.;
A0025636.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.MulDrop.17438;Deleted.;
A0025637.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.origin;Incurable.Moved.;
A0025638.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.5002;Deleted.;
A0026590.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0026593.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0026594.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.origin;Incurable.Moved.;
A0026597.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.5002;Deleted.;
A0027029.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0027965.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0027967.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0028966.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0028968.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0030969.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0030971.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0031326.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0032260.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0032262.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0032617.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0032619.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0032627.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.origin;Incurable.Moved.;
A0032629.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.5002;Deleted.;
A0032644.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;DDoS.Attack.17;Deleted.;
A0032645.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2538;Deleted.;
A0032646.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2538;Deleted.;
A0032648.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.PWS.Gamania.10691;Deleted.;
A0032649.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.PWS.Gamania.12992;Deleted.;
data003\data003;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84\A0032652.exe\data003;Adware.Cinmus.origin;;
data003;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84\A0032652.exe;Archive contains infected objects;;
A0032652.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Archive contains infected objects;Moved.;
data003\data003;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84\A0032653.exe\data003;Adware.Cinmus.origin;;
data003;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84\A0032653.exe;Archive contains infected objects;;
A0032653.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Archive contains infected objects;Moved.;
A0032654.exe\data002;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84\A0032654.exe;Adware.Sogou.115;;
A0032654.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Archive contains infected objects;Moved.;
A0032662.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.origin;Incurable.Moved.;
A0032663.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.5002;Deleted.;
A0033548.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0033550.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.origin;Incurable.Moved.;
A0033551.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.5002;Deleted.;
A0033558.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0033559.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0033560.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Win32.HLLW.Autoruner.2539;Deleted.;
A0033577.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.origin;Incurable.Moved.;
A0033578.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.5002;Deleted.;
A0033741.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.origin;Incurable.Moved.;
A0033742.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.5002;Deleted.;
A0033744.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;BackDoor.Hbeat.origin;Incurable.Moved.;
A0033745.sys;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.18161;Deleted.;
A0033756.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.origin;Incurable.Moved.;
A0033757.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.5002;Deleted.;
A0033795.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.origin;Incurable.Moved.;
A0033796.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP84;Trojan.Click.5002;Deleted.;
A0033840.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP85;Trojan.Click.origin;Incurable.Moved.;
A0033841.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP85;Trojan.Click.5002;Deleted.;
A0033860.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP85;Trojan.Click.origin;Incurable.Moved.;
A0033861.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP85;Trojan.Click.5002;Deleted.;
A0033992.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP85;Trojan.Click.origin;Incurable.Moved.;
A0033994.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP85;Trojan.Click.5002;Deleted.;
A0034005.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP85;Trojan.Click.origin;Incurable.Moved.;
A0034007.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP85;Trojan.Click.5002;Deleted.;
A0034013.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP85;Trojan.Click.origin;Incurable.Moved.;
A0034014.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP85;Trojan.Click.5002;Deleted.;
A0034035.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP85;Trojan.Click.origin;Incurable.Moved.;
A0034036.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP85;Trojan.Click.5002;Deleted.;
A0034138.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP85;Trojan.Click.origin;Incurable.Moved.;
A0034139.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP85;Trojan.Click.5002;Deleted.;
A0034296.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP86;BackDoor.Siggen.21;Deleted.;
A0034338.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP86;Trojan.PWS.Gamania.12994;Deleted.;
A0034346.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP86;Trojan.PWS.Gamania.12993;Deleted.;
A0034597.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP88;Trojan.Click.origin;Incurable.Moved.;
A0034598.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP88;Trojan.Click.5002;Deleted.;
A0034612.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP89;Trojan.Click.origin;Incurable.Moved.;
A0034613.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP89;Trojan.Click.5002;Deleted.;
A0034653.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP89;Trojan.PWS.Legmir.1561;Deleted.;
A0034799.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP89;Trojan.Click.origin;Incurable.Moved.;
A0034800.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP89;Trojan.Click.5002;Deleted.;
A0034865.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP90;Trojan.Click.origin;Incurable.Moved.;
A0034866.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP90;Trojan.Click.5002;Deleted.;
A0035795.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP90;Trojan.Click.origin;Incurable.Moved.;
A0035796.old;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP90;Trojan.Click.5002;Deleted.;
A0035814.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP90;Trojan.PWS.Legmir.2085;Deleted.;
A0035867.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP91;Trojan.DownLoad.3557;Deleted.;
A0035868.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP91;BackDoor.PcClient.593;Deleted.;
A0035869.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP91;BackDoor.PcClient.593;Deleted.;
A0035872.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP91;BackDoor.PcClient.593;Deleted.;
A0035875.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP91;Trojan.DownLoad.3557;Deleted.;
A0035876.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP91;BackDoor.PcClient.593;Deleted.;
A0035877.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP91;BackDoor.PcClient.593;Deleted.;
A0035906.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP91;BackDoor.PcClient.593;Deleted.;
A0037262.dll;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;BackDoor.BlackHole.2402;Deleted.;
A0037263.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;BackDoor.Attack.47;Deleted.;
A0037264.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;BackDoor.Attack.49;Deleted.;
A0037265.exe;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.Swizzor.based;Deleted.;
A0037266.vbs;C:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoader.588;Deleted.;
0J2I866WRL3.exe;C:\WINDOWS;Trojan.DownLoad.2082;Deleted.;
2ZHT4DU6PV.exe;C:\WINDOWS;Trojan.DownLoad.2082;Deleted.;
9ZGP3LV3.exe;C:\WINDOWS;Trojan.MulDrop.17438;Deleted.;
TIEMZUW6.exe;C:\WINDOWS;Trojan.DownLoad.2082;Deleted.;
ntdns.sys;C:\WINDOWS\system32;Trojan.Click.origin;Incurable.Moved.;
ntdosdrv.sys;C:\WINDOWS\system32;Trojan.Click.5002;Deleted.;
perfs.exe;C:\WINDOWS\system32;Trojan.PWS.Legmir.1561;Deleted.;
sovlost.exe;C:\WINDOWS\system32;Trojan.Click.19765;Deleted.;
winload.dll;C:\WINDOWS\system32;BackDoor.Hbeat.origin;Incurable.Moved.;
vistaXA.exe;C:\WINDOWS\system32\config\systemprofile;Win32.HLLW.Autoruner.2538;Deleted.;
drmdbg.exe;I:\4OD;Trojan.DownLoad.2082;Deleted.;
DivXInstaller.exe;I:\DIVX;Trojan.DownLoad.2082;Deleted.;
drmdbg.exe;I:\FreeMe2;Trojan.DownLoad.2082;Deleted.;
photoshop_cs2_keygen.exe;I:\Photoshop CS\Serials\Crack;Trojan.DownLoad.2082;Deleted.;
Droplet Template.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Required;Trojan.DownLoad.2082;Deleted.;
Constrain 350, Make JPG 30.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\ImageReady Droplets;Trojan.DownLoad.2082;Deleted.;
Constrain to 200x200 pixels.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\ImageReady Droplets;Trojan.DownLoad.2082;Deleted.;
Constrain to 64X64 pixels.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\ImageReady Droplets;Trojan.DownLoad.2082;Deleted.;
Make Button.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\ImageReady Droplets;Trojan.DownLoad.2082;Deleted.;
Make GIF (128 colors).exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\ImageReady Droplets;Trojan.DownLoad.2082;Deleted.;
Make GIF (32, no dither).exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\ImageReady Droplets;Trojan.DownLoad.2082;Deleted.;
Make GIF (64 colors).exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\ImageReady Droplets;Trojan.DownLoad.2082;Deleted.;
Make JPEG (quality 10).exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\ImageReady Droplets;Trojan.DownLoad.2082;Deleted.;
Make JPEG (quality 30).exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\ImageReady Droplets;Trojan.DownLoad.2082;Deleted.;
Make JPEG (quality 60).exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\ImageReady Droplets;Trojan.DownLoad.2082;Deleted.;
Metal Slide Thumbnail.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\ImageReady Droplets;Trojan.DownLoad.2082;Deleted.;
Multi-Size Save.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\ImageReady Droplets;Trojan.DownLoad.2082;Deleted.;
Rounded Rect Thumbnail.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\ImageReady Droplets;Trojan.DownLoad.2082;Deleted.;
Slide Thumbnail.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\ImageReady Droplets;Trojan.DownLoad.2082;Deleted.;
Unsharp Mask.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\ImageReady Droplets;Trojan.DownLoad.2082;Deleted.;
Aged Photo.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\Photoshop Droplets;Trojan.DownLoad.2082;Deleted.;
Conditional Mode Change.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\Photoshop Droplets;Trojan.DownLoad.2082;Deleted.;
Constrain to 300 pixels.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\Photoshop Droplets;Trojan.DownLoad.2082;Deleted.;
Constrain to 64 pixels.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\Photoshop Droplets;Trojan.DownLoad.2082;Deleted.;
Drop Shadow Frame.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\Photoshop Droplets;Trojan.DownLoad.2082;Deleted.;
Make Button.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\Photoshop Droplets;Trojan.DownLoad.2082;Deleted.;
Make Sepia Tone.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\Photoshop Droplets;Trojan.DownLoad.2082;Deleted.;
Save As JPEG Medium.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\Photoshop Droplets;Trojan.DownLoad.2082;Deleted.;
Save As Photoshop PDF.exe;I:\Program Files\Adobe\Adobe Photoshop CS2\Samples\Droplets\Photoshop Droplets;Trojan.DownLoad.2082;Deleted.;
BitLord.exe;I:\Program Files\BitLord;Trojan.DownLoad.2082;Deleted.;
uninst.exe;I:\Program Files\BitLord;Trojan.DownLoad.2082;Deleted.;
iBrowseOffline.exe;I:\Program Files\iBrowseOffline;Trojan.DownLoad.2082;Deleted.;
Uninstall iBrowseOffline.exe;I:\Program Files\iBrowseOffline\Uninstall_iBrowseOffline;Trojan.DownLoad.2082;Deleted.;
Picasa2.scr;I:\Program Files\Picasa2;Trojan.DownLoad.2082;Deleted.;
PicasaMediaDetector.exe;I:\Program Files\Picasa2;Trojan.DownLoad.2082;Deleted.;
PicasaUpdate.exe;I:\Program Files\Picasa2;Trojan.DownLoad.2082;Deleted.;
setup.exe;I:\Program Files\Picasa2;Trojan.DownLoad.2082;Deleted.;
Uninstall.exe;I:\Program Files\Picasa2;Trojan.DownLoad.2082;Deleted.;
PicasaCD.exe;I:\Program Files\Picasa2\cdautorun;Trojan.DownLoad.2082;Deleted.;
PicasaRestore.exe;I:\Program Files\Picasa2\cdautorun;Trojan.DownLoad.2082;Deleted.;
BackupTool.exe;I:\Program Files\SmartFTP Client;Trojan.DownLoad.2082;Deleted.;
SmartFTP.exe;I:\Program Files\SmartFTP Client;Trojan.DownLoad.2082;Deleted.;
SPUAnnounce.exe;I:\Program Files\Sony\Sony Picture Utility\Announce;Trojan.DownLoad.2082;Deleted.;
SPUBrowser.exe;I:\Program Files\Sony\Sony Picture Utility\Browser;Trojan.DownLoad.2082;Deleted.;
SPUDiscMaker.exe;I:\Program Files\Sony\Sony Picture Utility\DataDiscMaker;Trojan.DownLoad.2082;Deleted.;
SPUDCFImporter.exe;I:\Program Files\Sony\Sony Picture Utility\Importer\DCF;Trojan.DownLoad.2082;Deleted.;
SPUInit.exe;I:\Program Files\Sony\Sony Picture Utility\InitTool;Trojan.DownLoad.2082;Deleted.;
SPULocaleSetting.exe;I:\Program Files\Sony\Sony Picture Utility\InitTool;Trojan.DownLoad.2082;Deleted.;
SPUMapview.exe;I:\Program Files\Sony\Sony Picture Utility\Mapview;Trojan.DownLoad.2082;Deleted.;
PPMusicTransfer.exe;I:\Program Files\Sony\Sony Picture Utility\Music Transfer;Trojan.DownLoad.2082;Deleted.;
SPUVolumeWatcher.exe;I:\Program Files\Sony\Sony Picture Utility\VolumeWatcher;Trojan.DownLoad.2082;Deleted.;
DM_Observer_windows_1_2.exe;I:\sites\sclarkeandson.co.uk\html\services\online\downloads;Trojan.DownLoad.2082;Deleted.;
A0037313.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;
A0037314.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;
A0037315.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;
A0037316.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;
A0037317.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;
A0037318.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;
A0037319.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;
A0037320.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;
A0037321.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;
A0037322.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;
A0037323.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;
A0037324.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;
A0037325.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;
A0037326.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;
A0037327.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;
A0037328.exe;I:\System Volume Information\_restore{61D0BB07-F121-4F8C-ACD8-61421B8532C8}\RP93;Trojan.DownLoad.2082;Deleted.;

2. SDFIX LOG


SDFix: Version 1.216
Run by Agent on Sat 08/16/2008 at 05:27 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\Agent\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.redtube.com\settings.sol - Deleted
C:\WINDOWS\system32\comsa32.sys - Deleted



Folder C:\Documents and Settings\Agent\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.redtube.com - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 17:35:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"D:2\\Program Files\\Skype\\Phone\\Skype.exe"="D:2\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"c:\\dbssys\\DBSNM.exe"="c:\\dbssys\\DBSNM.exe:*:Enabled:DBSNM"
"c:\\dbssys\\DBSSMTP.exe"="c:\\dbssys\\DBSSMTP.exe:*:Enabled:DBSSMTP"
"c:\\dbssys\\DBSBP.exe"="c:\\dbssys\\DBSBP.exe:*:Enabled:DBSBP"
"c:\\dbssys\\DBSCU.exe"="c:\\dbssys\\DBSCU.exe:*:Enabled:DBSCU"
"c:\\dbssys\\DBSMemo.exe"="c:\\dbssys\\DBSMemo.exe:*:Enabled:DBSMemo"
"c:\\dbssys\\DBSValidReceive.exe"="c:\\dbssys\\DBSValidReceive.exe:*:Enabled:DBSValidReceive"
"c:\\dbssys\\DBSRUN.exe"="c:\\dbssys\\DBSRUN.exe:*:Enabled:DBSRUN"
"c:\\dbssys\\DBSSYS.exe"="c:\\dbssys\\DBSSYS.exe:*:Enabled:DBSSYS"
"c:\\dbssys\\DBSNTS.exe"="c:\\dbssys\\DBSNTS.exe:*:Enabled:DBSNTS"
"c:\\Program Files\\DBS SalesTrack\\DBSFTP.exe"="c:\\Program Files\\DBS SalesTrack\\DBSFTP.exe:*:Enabled:DBSFTP"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\FlashGet Network\\FlashGet Mini\\FlashGetMini.exe"="C:\\Program Files\\FlashGet Network\\FlashGet Mini\\FlashGetMini.exe:*:Enabled:FlashGetMini"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 12 Aug 2008 61,440 ..SHR --- "C:\WINDOWS\3TBUZDHVDH.exe"
Tue 12 Aug 2008 61,440 ..SHR --- "C:\WINDOWS\MKCFUS3D.exe"
Tue 12 Aug 2008 61,440 A.SHR --- "C:\WINDOWS\NMR8J5.exe"
Tue 12 Aug 2008 61,440 A.SHR --- "C:\WINDOWS\Q6Q3DFEFQ.exe"
Sun 10 Aug 2008 378,368 ..SHR --- "C:\Program Files\WINDOWS\SYSEEM32\ALG.EXE"
Thu 14 Aug 2008 8,933,416 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1c63fcfe5fe95719daaa919f32918ce2\BIT8.tmp"
Thu 14 Aug 2008 7,673,177 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1df60e2d17c7a7cd18c479e61c6f5678\BITB.tmp"
Thu 14 Aug 2008 5,379,284 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\93ec224ff6e1dccf4c4dda1c5a84b777\BIT2.tmp"
Fri 8 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BIT1.tmp"

Finished!


3. OTMOVEIT LOG

File/Folder SYSEEM32 <deleteservice> not found.
File/Folder TOlb <deleteservice> not found.
File/Folder WindowsEntServer2008 <deleteservice> not found.
C:\Program Files\Symantec AntiVirus\mm1.exe moved successfully.
C:\Program Files\Symantec AntiVirus\qq.exe moved successfully.
File/Folder C:\Program Files\Symantec AntiVirus\webdown.vbs not found.
File/Folder C:\WINDOWS\0J2I866WRL3.exe not found.
C:\WINDOWS\15AYMBO.txt moved successfully.
File/Folder C:\WINDOWS\2ZHT4DU6PV.exe not found.
File move failed. C:\WINDOWS\3TBUZDHVDH.exe scheduled to be moved on reboot.
File/Folder C:\WINDOWS\9ZGP3LV3.exe not found.
File move failed. C:\WINDOWS\MKCFUS3D.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\NMR8J5.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\Q6Q3DFEFQ.exe scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\config\systemprofile\vistaXA.exe not found.
File/Folder C:\WINDOWS\system32\service.exe not found.
File/Folder C:\WINDOWS\system32\sovlost.exe not found.
File/Folder C:\WINDOWS\TIEMZUW6.exe not found.
File/Folder C:\WINDOWS\system32\sichost.exe not found.
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools_200885_7822.dll unregistered successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools_200885_7822.dll moved successfully.
C:\Program Files\WINDOWS\SYSEEM32\ALG.EXE moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08162008_175921

Files moved on Reboot...
File C:\WINDOWS\3TBUZDHVDH.exe not found!
File C:\WINDOWS\MKCFUS3D.exe not found!
File C:\WINDOWS\NMR8J5.exe not found!
File C:\WINDOWS\Q6Q3DFEFQ.exe not found!

4. SERVERS

They are fine - one is for my satellite internet provider (Hughes) and the other is my company's DNS server (Dubai).

I appreciate all your help so far - if the worst comes to the worst, I have a formatted replacement hard drive that I can do a fresh install on.

#9 Farbar

    Just Curious

  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands

Posted 16 August 2008 - 07:14 PM

We haven't seen so many backdoors and other Trojans in one log, but we take them on.

You forgot to post the HijackThis log. Please make a DSS log instead; this time it makes just one log (main.txt).

#10 jfriel

  • Topic Starter
  • Members
  • 33 posts

Posted 17 August 2008 - 01:11 AM

Apologies - I forgot the HJT log - I recall there were a couple of entries that did not go away after trying to fix them. Here is the DSS log:

Deckard's System Scanner v20071014.68
Run by Agent on 2008-08-17 08:57:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Agent.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:39 AM, on 8/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\dbssys\DBSNTS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\dbssys\DBSRUN.exe
c:\dbssys\DBSValidReceive.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\openvpn.exe
C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnc.exe
C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\openvpn.exe
c:\sqlany50\win32\RTDSK50.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Agent\Desktop\dss.exe
C:\DOCUME~1\Agent\Desktop\HJT\Agent.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 78.42.196.237 DBS-SMTP-SERVER
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools_200885_7822.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MiniFlashGetBHO - {C74E94A7-B7BD-4891-9328-455395BCC7AD} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [WatchGuard Mobile VPN with SSL] "C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnc.exe" /noconnect
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DBSRUN] c:\dbssys\DBSRUN.exe
O8 - Extra context menu item: 使用迷你快车下载 - C:\Program Files\FlashGet Network\FlashGet Mini\GetUrl.htm
O8 - Extra context menu item: 使用迷你快车下载该网页FLV - C:\Program Files\FlashGet Network\FlashGet Mini\FlashGetFlvdetector.htm
O8 - Extra context menu item: 使用迷你快车下载全部链接 - C:\Program Files\FlashGet Network\FlashGet Mini\GetAllUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213265367109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213265359328
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A172FF56-0C5C-4D28-B6A0-F781ECF2D37C}: NameServer = 195.238.50.254,195.238.40.44
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3595A04-AD22-4DD1-AE44-599279609BC9}: NameServer = 213.42.20.20,195.229.241.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DBSNTS - Cipherbase - c:\dbssys\DBSNTS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: mspx (TOlb) - Unknown owner - C:\WINDOWS\system32\toolba.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
O23 - Service: Webroot SpySweeper Service (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
O23 - Service: Ent58ComServer (WindowsEntServer2008) - Unknown owner - C:\WINDOWS\EntSver.exe (file missing)

--
End of file - 11097 bytes

-- Files created between 2008-07-17 and 2008-08-17 -----------------------------

2008-08-16 17:24:11 0 d-------- C:\WINDOWS\ERUNT
2008-08-16 13:26:11 0 d-------- C:\Documents and Settings\Agent\DoctorWeb
2008-08-10 16:34:58 0 d-------- C:\Program Files\WINDOWS
2008-08-09 21:08:57 21060 -----n--- C:\WINDOWS\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
2008-08-09 21:08:56 10368 -----n--- C:\WINDOWS\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
2008-08-09 21:08:14 204800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-08-09 21:08:14 188416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-08-09 21:08:14 192512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-08-09 21:08:14 192512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-08-09 21:08:14 200704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-08-09 21:08:14 20480 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-08-09 21:08:05 0 d-------- C:\Program Files\InterVideo
2008-08-07 22:04:39 0 d-------- C:\Documents and Settings\Agent\Application Data\DivX
2008-08-07 14:43:22 0 d-------- C:\Documents and Settings\Agent\Application Data\TuneUp Software
2008-08-07 14:42:57 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-07 14:42:39 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-08-07 13:54:05 0 d-------- C:\Documents and Settings\Agent\Application Data\Symantec
2008-08-07 12:46:15 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-08-07 11:41:29 0 d--h----- C:\WINDOWS\PIF
2008-08-07 09:07:06 0 d-------- C:\WINDOWS\Sun
2008-08-06 21:59:03 0 d-------- C:\Program Files\Norton 360
2008-08-06 20:41:42 0 --a------ C:\WINDOWS\system32\admshare.dat
2008-08-06 20:41:36 0 d-------- C:\Documents and Settings\Agent\Application Data\BITS
2008-08-03 15:10:38 0 d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2008-07-31 11:03:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-07-31 09:32:13 0 d-------- C:\Documents and Settings\Agent\Application Data\Apple Computer
2008-07-31 09:31:38 0 d-------- C:\Program Files\iPod
2008-07-31 09:31:32 0 d-------- C:\Program Files\iTunes
2008-07-31 09:31:12 0 d-------- C:\Program Files\Bonjour
2008-07-31 09:30:20 0 d-------- C:\Program Files\QuickTime
2008-07-31 09:30:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-31 09:29:39 0 d-------- C:\Program Files\Apple Software Update
2008-07-31 09:29:00 0 d-------- C:\Program Files\Common Files\Apple
2008-07-31 09:29:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-31 08:53:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2008-07-30 16:27:16 0 d-------- C:\Program Files\DivX
2008-07-28 22:26:44 0 d-------- C:\WINDOWS\system32\shellexec
2008-07-26 16:57:37 0 d-------- C:\WINDOWS\pss
2008-07-25 02:27:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-07-23 13:10:11 0 d-------- C:\Documents and Settings\Agent\Application Data\Sun
2008-07-23 13:07:18 0 d-------- C:\Program Files\Java
2008-07-23 13:01:39 0 d-------- C:\Program Files\Common Files\Java
2008-07-21 15:55:36 22 --a------ C:\WINDOWS\home.vbs
2008-07-21 15:05:59 176128 --a------ C:\WINDOWS\system32\DBSAgent.dll <Not Verified; Cipherbase; AgentWrapper>
2008-07-20 16:12:38 0 d-------- C:\HP LJ1320
2008-07-19 19:11:50 36864 --a------ C:\WINDOWS\system32\DBSHook.dll <Not Verified; Cipherbase; DBSHook>
2008-07-19 19:11:49 32768 --a------ C:\WINDOWS\system32\Base64.dll <Not Verified; Alvaro Redondo; Base64 Encoding Library v2>
2008-07-19 15:28:05 0 d-------- C:\HP LJ1320 PCL5 Driver
2008-07-18 12:03:49 0 d-------- C:\Documents and Settings\Agent\Application Data\ScanSoft
2008-07-18 12:01:08 0 d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-07-18 12:01:02 0 d-------- C:\Program Files\ScanSoft
2008-07-18 12:01:02 0 d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-07-17 21:35:42 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-17 16:28:46 0 d-------- C:\HP-UPD4_5-PCL6-32
2008-07-17 15:19:15 0 d-------- C:\HP LJ1320 PCL6 Driver


-- Find3M Report ---------------------------------------------------------------

2008-08-17 08:48:01 0 d-------- C:\Documents and Settings\Agent\Application Data\Skype
2008-08-16 17:59:21 0 d-------- C:\Program Files\Symantec AntiVirus
2008-08-16 17:40:55 0 d-------- C:\Documents and Settings\Agent\Application Data\skypePM
2008-08-16 09:21:01 0 d-------- C:\Program Files\DBS SalesTrack
2008-08-14 16:24:21 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-12 18:53:35 56341 --a------ C:\WINDOWS\DBS SalesTrack Uninstaller.exe
2008-08-09 21:08:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-08 09:10:27 0 d-------- C:\Documents and Settings\Agent\Application Data\Mozilla
2008-08-07 14:40:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 12:15:37 0 d-------- C:\Program Files\Symantec
2008-08-07 12:11:52 0 d-------- C:\Program Files\Common Files
2008-08-02 02:25:30 682496 ---hs---- C:\Program Files\$winnt$log.ini
2008-07-19 15:08:56 0 d-------- C:\Documents and Settings\Agent\Application Data\Adobe
2008-07-07 15:12:17 176128 --a------ C:\WINDOWS\system32\AgentWrapper.dll <Not Verified; Cipherbase; AgentWrapper>
2008-07-06 06:30:34 0 d-------- C:\Program Files\Common Files\snp2std
2008-07-06 06:30:30 0 d-------- C:\Program Files\U.S. Robotics
2008-07-06 06:26:37 0 d-------- C:\Documents and Settings\Agent\Application Data\InstallShield
2008-06-23 21:05:20 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-23 18:44:58 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-23 18:36:08 0 d-------- C:\Program Files\Skype
2008-06-23 18:36:02 0 d-------- C:\Program Files\Common Files\Skype
2008-06-18 11:39:30 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-17 10:16:44 1160 --a------ C:\WINDOWS\mozver.dat
2008-06-17 10:09:37 0 d-------- C:\Program Files\Toshiba
2008-06-15 17:09:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-12 13:56:52 62 --ahs---- C:\Documents and Settings\Agent\Application Data\desktop.ini
2008-06-12 10:27:44 0 -rahs---- C:\MSDOS.SYS
2008-06-12 10:27:44 0 -rahs---- C:\IO.SYS
2008-06-12 10:27:44 0 --a------ C:\CONFIG.SYS
2008-06-12 10:27:44 0 --a------ C:\AUTOEXEC.BAT
2008-06-12 10:24:18 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-11 03:07:20 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 03:03:26 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-06-11 03:03:26 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-06-11 03:03:20 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-06-11 03:03:20 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-06-11 03:03:20 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX>
2008-06-11 03:03:20 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-06-11 03:03:18 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-05-23 01:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C74E94A7-B7BD-4891-9328-455395BCC7AD}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [03/23/2006 12:17 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [03/23/2006 12:13 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [03/23/2006 12:17 PM]
"RTHDCPL"="RTHDCPL.EXE" [05/09/2006 12:53 PM C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [06/30/2006 04:32 AM C:\WINDOWS\agrsmmsg.exe]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [05/05/2006 04:36 PM]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [05/02/2001 04:10 AM]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [05/02/2001 04:10 AM]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [05/02/2001 04:10 AM]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [05/02/2001 04:10 AM]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [04/24/2006 05:09 PM]
"000StTHK"="000StTHK.exe" [06/23/2001 03:28 AM C:\WINDOWS\system32\000StTHK.exe]
"Dit"="Dit.exe" [08/05/2004 07:28 PM C:\WINDOWS\Dit.exe]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 08:59 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchGuard Mobile VPN with SSL"="C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnc.exe" [02/22/2008 11:41 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/14/2008 04:42 AM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 10:34 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 04:43 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [05/30/2008 03:54 PM]
"DBSRUN"="c:\dbssys\DBSRUN.exe" [08/09/2008 05:21 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 05/05/2006 04:48 PM 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safe.exe]
Debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safebox.exe]
Debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe]
Debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avast.exe]
debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcenter.exe]
debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avguard.exe]
debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
Debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.exe]
Debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guard.exe]
debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kav32.exe]
debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kissvc.exe]
debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kpfw32.exe]
debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kpfwsvc.exe]
debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe]
debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32kui.exe]
debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rav.exe]
Debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.exe]
Debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMonD.exe]
Debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStub.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavTask.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwcfg.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.exe]
Debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe]
Debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.exe]
Debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwstub.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe]
Debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safeboxTray.exe]
Debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sched.exe]
debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SmartUp.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\wscntfy.exe]
debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\wuauclt.exe]
debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Agent^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Agent\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Funshion]
C:\Program Files\Funshion Online\Funshion\Funshion.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
C:\WINDOWS\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
C:\WINDOWS\tsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Webroot Spy Sweeper, Enterprise Edition]
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc
Tpooler Tpooler
Application Application
Tpoggoler Tpoggoler
rvpqhb rvpqhb
ASP.NET ASP.NET

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
napagent
hkmsvc
SystamlogSve

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-08-17 08:58:07 ------------


Thanks for the assistance so far.
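
The long run of Image File Execution Options keys in the dump above, each with a Debugger value of IFEOFILE or TASKMAN.EXE attached to a security product's executable name, is the pattern that the MBAM log in this thread reports as Security.Hijack. As an added example that is not part of this thread, the following Python script parses a Deckard-style registry dump and flags every IFEO Debugger value; the sample dump is constructed to match the page's format, and the known-debugger list and the myapp.exe entry are assumptions.

```python
"""Flag Image File Execution Options (IFEO) "Debugger" redirects in a
Deckard's System Scanner registry dump.

Windows consults HKLM\\...\\Image File Execution Options\\<image>.exe when
<image>.exe is started; if a Debugger value exists, the named program is
started instead, with the original command line appended. Malware abuses
this to stop security tools from launching, which is exactly what the
IFEOFILE / TASKMAN.EXE entries in the dump above do.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Path fragment identifying an IFEO subkey; the dump prints keys in mixed
# case, so matching is done on lower-cased text.
IFEO_MARKER = "\\image file execution options\\"

# Assumed list of debuggers a developer might legitimately register for an
# image under active development.
KNOWN_DEBUGGERS = {"ntsd.exe", "windbg.exe", "cdb.exe", "vsjitdebugger.exe"}

# Matches both forms Deckard prints: Debugger=IFEOFILE and "Debugger"="...".
_DEBUGGER_RE = re.compile(r'"?debugger"?\s*=\s*"?([^"]+?)"?\s*$', re.IGNORECASE)


@dataclass(frozen=True)
class IfeoFinding:
    image: str     # executable name under the IFEO key
    debugger: str  # Debugger value as written in the dump
    verdict: str   # "known-debugger", "redirect" or "blocked"


def parse_ifeo_debuggers(dump: str) -> list[tuple[str, str]]:
    """Return (image, debugger) pairs for every IFEO subkey carrying a
    Debugger value, in dump order. Keys outside IFEO are ignored."""
    pairs: list[tuple[str, str]] = []
    image: str | None = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            pos = key.lower().find(IFEO_MARKER)
            image = key[pos + len(IFEO_MARKER):] if pos != -1 else None
            continue
        if image is None or not line:
            continue
        m = _DEBUGGER_RE.match(line)
        if m:
            pairs.append((image, m.group(1)))
    return pairs


def classify(debugger: str) -> str:
    """Decide what a Debugger value does to the image it is attached to."""
    base = debugger.strip().replace("/", "\\").split("\\")[-1].lower()
    if base in KNOWN_DEBUGGERS:
        return "known-debugger"
    if base.endswith(".exe"):
        # Names another program: it runs in place of the image if it exists,
        # and the image fails to start if it does not.
        return "redirect"
    # A bare token such as IFEOFILE is not a launchable program, so the
    # image silently fails to start: the tool is effectively disabled.
    return "blocked"


def find_ifeo_findings(dump: str) -> list[IfeoFinding]:
    return [IfeoFinding(img, dbg, classify(dbg))
            for img, dbg in parse_ifeo_debuggers(dump)]


def hijacked_images(dump: str) -> list[str]:
    """Image names whose Debugger value is not a recognised debugger."""
    return [f.image for f in find_ifeo_findings(dump)
            if f.verdict != "known-debugger"]


# Constructed sample in the dump's own format (not copied from the thread).
SAMPLE_DUMP = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [04/14/2008 04:42 AM]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\avp.exe]
Debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\nod32krn.exe]
debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\RavStub.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\myapp.exe]
"Debugger"="C:\\Debuggers\\ntsd.exe"
"""

if __name__ == "__main__":
    for finding in find_ifeo_findings(SAMPLE_DUMP):
        print(f"{finding.verdict:15} {finding.image:16} -> {finding.debugger}")
```

The same parser runs unchanged over the real Deckard output pasted in the thread, since it only needs the `[key]` / `value=data` layout.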

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:03 PM

Posted 17 August 2008 - 08:26 AM

No need to apologize, you are doing a good job.
  • Both Kaspersky and DRWEB warn about this program from RealVNC. It is a legit program but probably it could be misused if it is installed or downloaded without your consent. Tell me if it is there with your consent:

    C:\Documents and Settings\Agent\My Documents\My Download Programs\vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
    C:\Documents and Settings\Agent\My Documents\REINSTALL\Applications\Utilities\vnc-3.3.7-x86_win32.exe

  • I can't find any information on this server. Please tell me if you know this server:

    O1 - Hosts: 78.42.196.237

  • Tell me if you know this service:

    O23 - Service: DBSNTS - Cipherbase - c:\dbssys\DBSNTS.exe

  • If you can not find the following file, make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows

    Click on this link--> virustotal

    Click the browse button and navigate to the file below in bold, then click Send File.

    c:\dbssys\DBSNTS.exe

    Please copy and paste the results of the scan in your next post.

  • Please download ATF Cleaner by Atribune & save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully.

    You have to install the Recovery Console before running the tool because Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


    Instruction to install Recovery Console :

    Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System


    Posted Image


    Download the file & save it as it's originally named, next to ComboFix.exe.


    Posted Image


    Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Drag the setup package onto ComboFix.exe and drop it.
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    • At the next prompt, click 'Yes' to run the full ComboFix scan.

      Posted Image
    • When the tool is finished, it will produce a report for you.
    Please copy and paste the content of C:\ComboFix.txt for further review.

  • Please copy and paste a fresh Hijackthis log to your reply.
In your next reply:
  • The scan result of Virustotal.
  • The log of MBAM.
  • The Combofix log.
  • A fresh Hijackthis log.


#12 jfriel

jfriel
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 17 August 2008 - 01:30 PM

OK, have completed all the next steps (I think the ComboFix one completed, though I never booted into the Recovery Console?)

1. C:\Documents and Settings\Agent\My Documents\My Download Programs\vnc-3.3.7-x86_win32.exe this was installed by consent and is a remote admin tool for tech support guys to jump on my machine.

2. 78.42.196.237 this is an inbuilt SMTP server for a piece of software I use to track clients / report to managers etc.

3. O23 - Service: DBSNTS - Cipherbase - c:\dbssys\DBSNTS.exe - this is related to 2 above - same piece of software.

4. c:\dbssys\DBSNTS.exe the file is part of 2/3 above but the log from VirusTotal is below:

File DBSNTS.exe received on 08.17.2008 17:41:20 (CET)
Result: 4/36 (11.12%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.15.0 2008.08.15 -
AntiVir 7.8.1.19 2008.08.16 HEUR/Malware
Authentium 5.1.0.4 2008.08.17 -
Avast 4.8.1195.0 2008.08.17 -
AVG 8.0.0.161 2008.08.17 -
BitDefender 7.2 2008.08.17 -
CAT-QuickHeal 9.50 2008.08.16 -
ClamAV 0.93.1 2008.08.16 -
DrWeb 4.44.0.09170 2008.08.17 BACKDOOR.Trojan
eSafe 7.0.17.0 2008.08.17 -
eTrust-Vet 31.6.6035 2008.08.15 -
Ewido 4.0 2008.08.17 -
F-Prot 4.4.4.56 2008.08.17 -
F-Secure 7.60.13501.0 2008.08.17 -
Fortinet 3.14.0.0 2008.08.17 -
GData 2.0.7306.1023 2008.08.16 -
Ikarus T3.1.1.34.0 2008.08.17 -
K7AntiVirus 7.10.417 2008.08.15 -
Kaspersky 7.0.0.125 2008.08.17 -
McAfee 5362 2008.08.15 -
Microsoft 1.3807 2008.08.17 -
NOD32v2 3362 2008.08.17 probably unknown NewHeur_PE virus
Norman 5.80.02 2008.08.15 -
Panda 9.0.0.4 2008.08.17 -
PCTools 4.4.2.0 2008.08.17 -
Prevx1 V2 2008.08.17 -
Rising 20.57.62.00 2008.08.17 -
Sophos 4.32.0 2008.08.17 -
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.17 -
TheHacker 6.3.0.3.052 2008.08.17 -
TrendMicro 8.700.0.1004 2008.08.16 -
VBA32 3.12.8.3 2008.08.17 -
ViRobot 2008.8.16.1338 2008.08.16 -
VirusBuster 4.5.11.0 2008.08.17 -
Webwasher-Gateway 6.6.2 2008.08.17 Heuristic.Malware
Additional information
File size: 106496 bytes
MD5...: 7baa7a0fb6f75852f31d06625fbefcb6
SHA1..: 759f2807c68ff89f107b59165c6f89d9aa074381
SHA256: dcc3cf14ee2d7a3c17779a79ea5789cf35f18efff967c293fc6189298520b34a
SHA512: c2fb25d6975775d7d774677a4104a06882d46b30b65fa55a0cf05c7d613c6841
be2c102cd7d3c93e5b0d0a954e2b8f24fdddebb9204a8061a49603547ab4fda5
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4034e0
timedatestamp.....: 0x489da7ee (Sat Aug 09 14:21:34 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x16e9c 0x17000 5.67 973ea99ac666af96a32e3dd29eb2191a
.data 0x18000 0x1328 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x1a000 0xbcc 0x1000 3.17 b31a7eec5c2990fe1862e66f647d8c6d

( 1 imports )
> MSVBVM60.DLL: __vbaVarTextTstLe, __vbaVarSub, __vbaVarTstGt, __vbaStrI2, __vbaVarTextCmpGe, _CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaVarVargNofree, __vbaFreeVar, __vbaLineInputStr, __vbaLenBstr, __vbaLateIdCall, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaVarIndexStore, -, __vbaFreeObjList, -, __vbaVarTextTstLt, __vbaStrErrVarCopy, _adj_fprem1, __vbaRecAnsiToUni, -, __vbaCopyBytes, __vbaResume, __vbaStrCat, __vbaError, __vbaLsetFixstr, __vbaBoolErrVar, __vbaVarTextTstEq, -, -, __vbaRecDestruct, __vbaSetSystemError, __vbaNameFile, -, __vbaHresultCheckObj, __vbaLenVar, -, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaVarIndexLoadRefLock, -, __vbaExitProc, __vbaFileCloseAll, -, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, -, __vbaVarIndexLoad, -, __vbaBoolVar, __vbaStrTextCmp, __vbaRefVarAry, __vbaBoolVarNull, _CIsin, __vbaErase, -, -, __vbaVargVarMove, -, -, __vbaChkstk, -, __vbaFileClose, EVENT_SINK_AddRef, __vbaVarAbs, __vbaGenerateBoundsError, -, __vbaStrCmp, -, __vbaAryConstruct2, __vbaStrTextLike, __vbaObjVar, __vbaI2I4, -, DllFunctionCall, __vbaVarOr, -, -, __vbaRedimPreserve, _adj_fpatan, __vbaFixstrConstruct, __vbaLateIdCallLd, __vbaStrR8, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaVarTextTstNe, -, -, _CIsqrt, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaVarTextCmpEq, __vbaStrUI1, __vbaExceptHandler, -, __vbaPrintFile, -, __vbaStrToUnicode, -, -, _adj_fprem, _adj_fdivr_m64, -, -, -, -, __vbaFPException, __vbaInStrVar, __vbaVarTextTstGe, __vbaUbound, __vbaStrVarVal, __vbaVarCat, __vbaDateVar, __vbaI2Var, -, -, -, _CIlog, __vbaErrorOverflow, __vbaFileOpen, -, __vbaInStr, __vbaNew2, -, -, __vbaVarTextLikeVar, _adj_fdiv_m32i, _adj_fdivr_m32i, -, __vbaStrCopy, -, __vbaI4Str, __vbaFreeStrList, __vbaVarTextTstGt, _adj_fdivr_m32, __vbaR8Var, _adj_fdiv_r, -, -, -, __vbaI4Var, -, __vbaVarAdd, __vbaAryLock, __vbaStrComp, -, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, -, __vbaVarCopy, 
__vbaLateMemCallLd, __vbaRecDestructAnsi, -, _CIatan, __vbaI2ErrVar, __vbaAryCopy, __vbaStrMove, -, -, _allmul, -, __vbaLateIdSt, __vbaVarTextCmpNe, _CItan, -, __vbaFPInt, __vbaAryUnlock, _CIexp, -, __vbaI4ErrVar, __vbaFreeObj, __vbaFreeStr

( 0 exports )

5. MBAM Log file

Malwarebytes' Anti-Malware 1.24
Database version: 1061
Windows 5.1.2600 Service Pack 3

8:31:33 PM 8/17/2008
mbam-log-8-17-2008 (20-31-33).txt

Scan type: Quick Scan
Objects scanned: 42677
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 30
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{385ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.Yigather) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{385ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.Yigather) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDSCNP (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCHED.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools (Trojan.Yigather) -> Quarantined and deleted successfully.

Files Infected:
C:\bot.txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\d3d1caps.SRG (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drmgs.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mprmsgse.axz (Adware.Cinmus) -> Quarantined and deleted successfully.


6. ComboFix Log File

ComboFix 08-08-16.01 - Agent 2008-08-17 21:01:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.542 [GMT 3:00]
Running from: C:\Documents and Settings\Agent\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Agent\Application Data\BITS
C:\Documents and Settings\Agent\Application Data\BITS\BITS.ini
C:\Documents and Settings\Agent\Application Data\macromedia\Flash Player\#SharedObjects\P282PDCE\interclick.com
C:\Documents and Settings\Agent\Application Data\macromedia\Flash Player\#SharedObjects\P282PDCE\interclick.com\ud.sol
C:\Documents and Settings\Agent\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Agent\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\All Users\zyndf16.ini
C:\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My
C:\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My
C:\Program Files\windows
C:\WINDOWS\KB611311.log
C:\WINDOWS\system32\admshare.dat
C:\WINDOWS\system32\discard.ini
C:\WINDOWS\system32\havser.ini
C:\WINDOWS\system32\sufost.ini
C:\WINDOWS\system32\tmp0_190644359334.bk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RMTCS
-------\Legacy_TRACKINGSS
-------\Service_RESSDT


((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
.

2008-08-17 19:13 . 2008-08-17 19:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 19:13 . 2008-08-17 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-17 19:13 . 2008-08-17 19:13 <DIR> d-------- C:\Documents and Settings\Agent\Application Data\Malwarebytes
2008-08-17 19:13 . 2008-07-30 20:15 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 19:13 . 2008-07-30 20:15 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-16 17:59 . 2008-08-16 17:59 <DIR> d-------- C:\_OTMoveIt
2008-08-16 17:26 . 2008-08-16 17:26 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-08-16 17:24 . 2008-08-16 17:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-16 13:26 . 2008-08-16 13:26 <DIR> d-------- C:\Documents and Settings\Agent\DoctorWeb
2008-08-16 13:17 . 2008-08-16 17:39 <DIR> d-------- C:\SDFix
2008-08-13 21:06 . 2008-08-13 21:06 <DIR> d-------- C:\Deckard
2008-08-11 18:42 . 2008-08-11 18:42 1 --a------ C:\WINDOWS\system32\000595dd.ini
2008-08-09 21:08 . 2008-08-09 21:08 <DIR> d-------- C:\Program Files\InterVideo
2008-08-09 21:08 . 2001-12-10 17:42 204,800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-08-09 21:08 . 2001-12-10 17:42 200,704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-08-09 21:08 . 2001-12-10 17:42 192,512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-08-09 21:08 . 2001-12-10 17:42 192,512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-08-09 21:08 . 2001-12-10 17:42 188,416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-08-09 21:08 . 2003-09-10 23:36 21,060 --------- C:\WINDOWS\system32\drivers\iviaspi.sys
2008-08-09 21:08 . 2001-12-10 17:42 20,480 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-08-09 21:08 . 2003-09-19 01:47 10,368 --------- C:\WINDOWS\system32\drivers\pfc.sys
2008-08-07 22:04 . 2008-08-07 22:04 <DIR> d-------- C:\Documents and Settings\Agent\Application Data\DivX
2008-08-07 14:43 . 2008-08-07 14:43 <DIR> d-------- C:\Documents and Settings\Agent\Application Data\TuneUp Software
2008-08-07 14:43 . 2008-08-07 14:43 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-08-07 14:43 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-08-07 14:42 . 2008-08-07 14:43 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-08-07 14:42 . 2008-08-07 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-07 13:54 . 2008-08-07 13:54 <DIR> d-------- C:\Documents and Settings\Agent\Application Data\Symantec
2008-08-07 12:46 . 2008-07-30 17:42 23,888 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-08-07 12:46 . 2008-07-30 17:28 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-08-07 12:46 . 2008-07-30 17:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-08-07 11:41 . 2008-08-07 11:41 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-07 11:28 . 2008-04-14 04:42 389,120 --a------ C:\WINDOWS\system32\tmpzydf1.exe
2008-08-07 09:07 . 2008-08-07 09:07 <DIR> d-------- C:\WINDOWS\Sun
2008-08-06 23:40 . 2008-04-14 04:42 389,120 --a------ C:\WINDOWS\system32\tmpzydf4.exe
2008-08-06 21:59 . 2008-08-09 10:37 <DIR> d-------- C:\Program Files\Norton 360
2008-08-06 21:58 . 2008-08-07 12:15 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-06 21:58 . 2008-08-07 12:15 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-06 21:58 . 2008-08-07 12:15 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-06 21:58 . 2008-08-07 12:15 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-06 20:28 . 2008-08-06 23:39 16 --a------ C:\WINDOWS\system32\coh.cache
2008-08-06 19:58 . 2008-04-14 04:42 389,120 --a------ C:\WINDOWS\system32\tmpzydf5.exe
2008-08-03 15:10 . 2008-08-03 15:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2008-08-03 09:43 . 2008-08-12 18:53 4,367,312 --a------ C:\Temp\DBS ST00XP setup.exe
2008-08-02 02:28 . 2008-08-02 02:25 682,496 ---hs---- C:\WINDOWS\system32\_$winnt$log.ini
2008-08-01 21:10 . 2008-08-02 10:34 250 --a------ C:\WINDOWS\system32\$Caterpill.key
2008-07-31 09:32 . 2008-08-06 17:38 <DIR> d-------- C:\Documents and Settings\Agent\Application Data\Apple Computer
2008-07-31 09:31 . 2008-07-31 09:31 <DIR> d-------- C:\Program Files\iTunes
2008-07-31 09:31 . 2008-07-31 09:31 <DIR> d-------- C:\Program Files\iPod
2008-07-31 09:31 . 2008-07-31 09:31 <DIR> d-------- C:\Program Files\Bonjour
2008-07-31 09:30 . 2008-07-31 09:31 <DIR> d-------- C:\Program Files\QuickTime
2008-07-31 09:30 . 2008-07-31 09:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-31 09:29 . 2008-07-31 09:29 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-31 09:29 . 2008-07-31 09:29 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-31 09:29 . 2008-07-31 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-30 16:27 . 2008-07-30 16:27 <DIR> d-------- C:\Program Files\DivX
2008-07-29 15:46 . 2008-08-12 21:34 418,721 --a------ C:\WINDOWS\system32\cgugjj.key
2008-07-29 15:32 . 2008-07-29 15:32 1 --a------ C:\WINDOWS\system32\0006bd63.ini
2008-07-29 08:49 . 2008-08-13 21:21 476,011 --a------ C:\WINDOWS\system32\acyyzv.key
2008-07-29 07:15 . 2008-07-29 07:15 1 --a------ C:\WINDOWS\system32\004e3d6.ini
2008-07-28 22:31 . 2008-07-28 22:31 1 --a------ C:\WINDOWS\system32\053dc9.ini
2008-07-28 22:28 . 2008-07-28 22:28 1 --a------ C:\WINDOWS\system32\00051a03.ini
2008-07-28 22:27 . 2008-07-28 22:27 1 --a------ C:\WINDOWS\system32\000579b4.ini
2008-07-28 22:26 . 2008-07-28 22:26 <DIR> d-------- C:\WINDOWS\system32\shellexec
2008-07-28 22:26 . 2008-07-28 22:26 47 --a------ C:\WINDOWS\system32\mmso.dlx
2008-07-26 14:51 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-23 13:07 . 2008-08-16 12:41 <DIR> d-------- C:\Program Files\Java
2008-07-23 13:01 . 2008-07-23 13:01 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-21 15:55 . 2008-07-21 15:55 22 --a------ C:\WINDOWS\home.vbs
2008-07-21 15:05 . 2008-08-09 17:21 176,128 --a------ C:\WINDOWS\system32\DBSAgent.dll
2008-07-20 16:12 . 2008-07-20 16:12 <DIR> d-------- C:\HP LJ1320
2008-07-19 19:11 . 2000-05-22 02:00 647,872 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-07-19 19:11 . 2008-08-09 17:21 36,864 --a------ C:\WINDOWS\system32\DBSHook.dll
2008-07-19 19:11 . 1998-04-14 11:51 34,304 --a------ C:\WINDOWS\system32\NTSVC.ocx
2008-07-19 19:11 . 2001-06-03 06:14 32,768 --a------ C:\WINDOWS\system32\Base64.dll
2008-07-19 15:28 . 2008-07-19 15:28 <DIR> d-------- C:\HP LJ1320 PCL5 Driver
2008-07-18 12:03 . 2008-07-18 12:03 <DIR> d-------- C:\Documents and Settings\Agent\Application Data\ScanSoft
2008-07-18 12:01 . 2008-07-18 12:01 <DIR> d-------- C:\Program Files\ScanSoft
2008-07-18 12:01 . 2008-07-18 12:01 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-07-18 12:01 . 2008-07-18 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-07-18 12:01 . 2003-09-24 10:36 27,019 --a------ C:\WINDOWS\maxlink.ini
2008-07-17 21:36 . 2008-07-17 21:36 47 --a------ C:\WINDOWS\system32\svohcst.dlx
2008-07-17 21:35 . 2008-07-17 21:35 1 --a------ C:\WINDOWS\system32\00051a31.ini
2008-07-17 17:05 . 2008-08-15 20:42 53 --a------ C:\Temp\reply0.bat
2008-07-17 16:28 . 2008-07-17 16:28 <DIR> d-------- C:\HP-UPD4_5-PCL6-32
2008-07-17 15:19 . 2008-07-17 15:19 <DIR> d-------- C:\HP LJ1320 PCL6 Driver

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-17 18:09 17,408 ----a-w C:\WINDOWS\system32\drivers\USBCRFT.SYS
2008-08-17 17:49 --------- d-----w C:\Documents and Settings\Agent\Application Data\Skype
2008-08-17 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-17 16:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-17 13:00 --------- d-----w C:\Documents and Settings\Agent\Application Data\skypePM
2008-08-17 06:48 --------- d-----w C:\Program Files\DBS SalesTrack
2008-08-16 14:59 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-12 15:53 56,341 ----a-w C:\WINDOWS\DBS SalesTrack Uninstaller.exe
2008-08-09 18:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-07 11:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 09:15 --------- d-----w C:\Program Files\Symantec
2008-08-01 23:25 682,496 --sh--w C:\Program Files\$winnt$log.ini
2008-07-07 12:12 176,128 ----a-w C:\WINDOWS\system32\AgentWrapper.dll
2008-07-06 21:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\e-Safekey
2008-07-06 03:30 --------- d-----w C:\Program Files\U.S. Robotics
2008-07-06 03:30 --------- d-----w C:\Program Files\Common Files\snp2std
2008-07-06 03:26 --------- d-----w C:\Documents and Settings\Agent\Application Data\InstallShield
2008-06-23 18:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-23 15:36 --------- d-----w C:\Program Files\Skype
2008-06-23 15:36 --------- d-----w C:\Program Files\Common Files\Skype
2008-06-23 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-18 08:39 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-06-18 08:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-06-17 07:09 --------- d-----w C:\Program Files\Toshiba
2008-06-11 00:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:07 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-06-11 00:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-06-11 00:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchGuard Mobile VPN with SSL"="C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnc.exe" [2008-02-22 11:41 638976]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 04:42 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 10:34 5724184]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43 4670704]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]
"DBSRUN"="c:\dbssys\DBSRUN.exe" [2008-08-09 17:21 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 12:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 12:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 12:17 118784]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2006-05-05 16:36 30208]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2001-05-02 04:10 20530]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2001-05-02 04:10 24576]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2001-05-02 04:10 49152]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2001-05-02 04:10 20480]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2006-04-24 17:09 253952]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 08:59 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-09 12:53 16207360 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-30 04:32 89541 C:\WINDOWS\agrsmmsg.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 03:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"Dit"="Dit.exe" [2004-08-05 19:28 90112 C:\WINDOWS\Dit.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-05 16:48 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avast.exe]
"debugger"=IFEOFILE

[HKLM\~\startupfolder\C:^Documents and Settings^Agent^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Agent\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 16:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2004-01-09 12:02 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--------- 2005-12-16 01:41 188416 C:\Program Files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2004-01-09 11:47 57393 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2007-04-25 14:23 675840 C:\WINDOWS\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
--a------ 2007-04-25 14:23 258048 C:\WINDOWS\tsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Webroot Spy Sweeper]
--a------ 2005-03-07 08:03 212480 C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-04-24 14:20 1448960 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:2\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\dbssys\\DBSNM.exe"=
"c:\\dbssys\\DBSSMTP.exe"=
"c:\\dbssys\\DBSBP.exe"=
"c:\\dbssys\\DBSCU.exe"=
"c:\\dbssys\\DBSMemo.exe"=
"c:\\dbssys\\DBSValidReceive.exe"=
"c:\\dbssys\\DBSRUN.exe"=
"c:\\dbssys\\DBSSYS.exe"=
"c:\\dbssys\\DBSNTS.exe"=
"c:\\Program Files\\DBS SalesTrack\\DBSFTP.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 DBSNTS;DBSNTS;c:\dbssys\DBSNTS.exe [2008-08-09 17:21]
R2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-05-05 17:00]
R2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-05-05 16:59]
R2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [2006-05-05 16:33]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 04:42]
R3 tap0901;TAP-Win32 Adapter V9;C:\WINDOWS\system32\DRIVERS\tap0901.sys [2008-02-13 14:38]
S2 TOlb;mspx;C:\WINDOWS\system32\toolba.exe []
S2 WindowsEntServer2008;Ent58ComServer;C:\WINDOWS\EntSver.exe []
S2 yvpqhbvb;yvpqhbvb;C:\WINDOWS\system32\drivers\acyyzv.sys []
S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2008-08-17 21:09]
S3 DRMUP8WS66;1F80N8;C:\WINDOWS\15AYMBO.txt []
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-04-25 14:23]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-07 14:43]
S4 msfox;msfoix;C:\WINDOWS\system32\msfox.exe []
S4 SYSEEM32;SYSEEM32;C:\Program Files\WINDOWS\SYSEEM32\ALG.EXE []
S4 Systemadmin Event Notification;Systemadmin Event Notification;C:\Program Files\$winnt$log.ini [2008-08-02 02:25]
S4 Tpooler;Rrint Spooler;C:\WINDOWS\system32\svchost.exe [2008-04-14 04:42]
S4 Windows Disk Manager;Windows Disk Manager;C:\WINDOWS\SYSTEM32\mmso.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Tpooler REG_MULTI_SZ Tpooler
Application REG_MULTI_SZ Application
Tpoggoler REG_MULTI_SZ Tpoggoler
rvpqhb REG_MULTI_SZ rvpqhb
ASP.NET REG_MULTI_SZ ASP.NET

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
SystamlogSve

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 13:31]

2008-08-02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
MSConfigStartUp-Funshion - C:\Program Files\Funshion Online\Funshion\Funshion.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Agent\Application Data\Mozilla\Firefox\Profiles\5p9287rr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-17 21:08:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DRMUP8WS66]
"ImagePath"="\??\C:\WINDOWS\15AYMBO.txt"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Systemadmin Event Notification]
"ImagePath"="C:\Program Files\$winnt$log.ini"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\dbssys\DBSValidReceive.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-17 21:14:46 - machine was rebooted [Agent]
ComboFix-quarantined-files.txt 2008-08-17 18:14:37

Pre-Run: 14,627,393,536 bytes free
Post-Run: 14,549,213,184 bytes free

329 --- E O F --- 2008-08-15 05:49:50

7. Fresh HiJackThis Log File

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:39 PM, on 8/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\dbssys\DBSNTS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\Dit.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\dbssys\DBSRUN.exe
c:\dbssys\DBSValidReceive.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Agent\Desktop\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 78.42.196.237 DBS-SMTP-SERVER
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MiniFlashGetBHO - {C74E94A7-B7BD-4891-9328-455395BCC7AD} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [WatchGuard Mobile VPN with SSL] "C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnc.exe" /noconnect
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DBSRUN] c:\dbssys\DBSRUN.exe
O8 - Extra context menu item: 使用迷你快车下载 - C:\Program Files\FlashGet Network\FlashGet Mini\GetUrl.htm
O8 - Extra context menu item: 使用迷你快车下载该网页FLV - C:\Program Files\FlashGet Network\FlashGet Mini\FlashGetFlvdetector.htm
O8 - Extra context menu item: 使用迷你快车下载全部链接 - C:\Program Files\FlashGet Network\FlashGet Mini\GetAllUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213265367109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213265359328
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A172FF56-0C5C-4D28-B6A0-F781ECF2D37C}: NameServer = 195.238.50.254,195.238.40.44
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3595A04-AD22-4DD1-AE44-599279609BC9}: NameServer = 213.42.20.20,195.229.241.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DBSNTS - Cipherbase - c:\dbssys\DBSNTS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: mspx (TOlb) - Unknown owner - C:\WINDOWS\system32\toolba.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
O23 - Service: Webroot SpySweeper Service (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
O23 - Service: Ent58ComServer (WindowsEntServer2008) - Unknown owner - C:\WINDOWS\EntSver.exe (file missing)

--
End of file - 10300 bytes


Keep up the good work - it is much appreciated thanks.

#13 Farbar


    Just Curious


  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 August 2008 - 06:20 AM

Well done.
  • Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    @ECHO OFF
    REM Tpooler is hosted by svchost.exe, so stop it before deleting it.
    sc stop Tpooler
    sc delete Tpooler
    REM The rest are not running: in the ComboFix log their ImagePath files are
    REM missing (empty []) or point at a .txt file (DRMUP8WS66).
    sc delete TOlb
    sc delete WindowsEntServer2008
    sc delete yvpqhbvb
    sc delete SYSEEM32
    sc delete DRMUP8WS66
    sc delete msfox
    REM A service name containing spaces must be quoted for sc.exe.
    sc delete "Windows Disk Manager"
    REM Remove this batch file once the services are gone.
    del remove.bat
    • Go to the File menu at the top of Notepad and select Save as.
    • Select save in: desktop
    • Fill in File name: remove.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click remove.bat on the desktop. If everything goes well, remove.bat opens and disappears after removing the bad services.
  • If you cannot find any of the following files, please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Please click this link--> virustotal

    Click the browse button and navigate to the files listed below in bold, then click Send File. You will only be able to have one file scanned at a time.

    C:\WINDOWS\system32\tmpzydf1.exe
    C:\WINDOWS\home.vbs
    C:\Program Files\$winnt$log.ini
    C:\WINDOWS\system32\acyyzv.key

    Please post back the results of the scan in your next post. When a file is clean we don't need the scan result; just mentioning it would suffice.

  • Please run the F-Secure Online Scanner
    Note: This Scanner is for Internet Explorer Only!
    Follow the Instruction here for installation.
    Accept the License Agreement.
    Once the ActiveX installs, click Full System Scan.
    Once the download completes, the scan will begin automatically.
    The scan will take some time to finish, so please be patient.
    When the scan completes, click the Automatic cleaning (recommended) button.
    Click the Show Report button and Copy&Paste the entire report in your next reply.

  • Please make a fresh DSS log and copy and paste it into your reply. This time DSS makes just one log (main.txt).
In your next reply:
  • The scan result of Virustotal.
  • The log of F-Secure.
  • A fresh DSS log.
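A worked triage of the service entries in the ComboFix log above, as an added Python example that is not part of ComboFix, HijackThis or Farbar's batch file. It reads the R*/S* service lines and the svchost group lines copied from the log in the previous post, applies the three checks a helper applies by eye (the ImagePath file is missing, the ImagePath is not an executable, or the name imitates a legitimate Windows service name), and emits the same stop-then-delete sc.exe lines as remove.bat. The list of legitimate names and the edit-distance thresholds are assumptions chosen for this log; on this input it flags the eight services in remove.bat plus Systemadmin Event Notification, whose ImagePath is the $winnt$log.ini file Farbar asked to have scanned instead.

```python
# Added example for this thread (not ComboFix, HijackThis or Farbar's code).
# Assumes the ComboFix service line format seen in the log above:
#   '<R|S><start type> <name>;<display name>;<ImagePath> [<file date>]'
# where an empty '[]' means ComboFix found no file at that path.
import re

# Service lines copied from the ComboFix log in the previous post.
SAMPLE_SERVICES = r"""
R2 DBSNTS;DBSNTS;c:\dbssys\DBSNTS.exe [2008-08-09 17:21]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 04:42]
S2 TOlb;mspx;C:\WINDOWS\system32\toolba.exe []
S2 WindowsEntServer2008;Ent58ComServer;C:\WINDOWS\EntSver.exe []
S2 yvpqhbvb;yvpqhbvb;C:\WINDOWS\system32\drivers\acyyzv.sys []
S3 DRMUP8WS66;1F80N8;C:\WINDOWS\15AYMBO.txt []
S4 msfox;msfoix;C:\WINDOWS\system32\msfox.exe []
S4 SYSEEM32;SYSEEM32;C:\Program Files\WINDOWS\SYSEEM32\ALG.EXE []
S4 Systemadmin Event Notification;Systemadmin Event Notification;C:\Program Files\$winnt$log.ini [2008-08-02 02:25]
S4 Tpooler;Rrint Spooler;C:\WINDOWS\system32\svchost.exe [2008-04-14 04:42]
S4 Windows Disk Manager;Windows Disk Manager;C:\WINDOWS\SYSTEM32\mmso.exe []
"""
# svchost group lines copied from the same log (group, type, members).
SAMPLE_SVCHOST_GROUPS = """
Tpooler REG_MULTI_SZ Tpooler
Tpoggoler REG_MULTI_SZ Tpoggoler
rvpqhb REG_MULTI_SZ rvpqhb
"""
SERVICE_RE = re.compile(r"^(R\d|S\d) ([^;]+);([^;]*);(.*?) \[(.*)\]$")
EXECUTABLE_EXTS = {".exe", ".sys", ".dll"}
# Assumed list of legitimate names that the rogue entries in this log imitate.
LEGIT_NAMES = ["Spooler", "Print Spooler", "SYSTEM32", "System Event Notification"]


def levenshtein(a, b):
    """Case-insensitive edit distance (insert, delete, substitute)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_services(text):
    """Turn ComboFix service lines into dicts; file_found is False for '[]'."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            state, name, display, path, stamp = m.groups()
            entries.append({"state": state, "name": name, "display": display,
                            "path": path, "file_found": bool(stamp.strip())})
    return entries


def suspicious_reasons(entry):
    reasons = []
    if not entry["file_found"]:
        reasons.append("file missing on disk")
    fname = entry["path"].rsplit("\\", 1)[-1]
    ext = fname[fname.rfind("."):].lower() if "." in fname else ""
    if ext not in EXECUTABLE_EXTS:
        reasons.append(f"non-executable ImagePath ({ext or 'no extension'})")
    for candidate in {entry["name"], entry["display"]}:
        for legit in LEGIT_NAMES:
            # Tighter threshold for short names so they do not match by accident.
            if 0 < levenshtein(candidate, legit) <= (1 if len(legit) < 8 else 2):
                reasons.append(f"'{candidate}' looks like '{legit}'")
    return reasons


def triage(services_text):
    """Map each service name that trips a check to its list of reasons."""
    flagged = {}
    for entry in parse_services(services_text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


def svchost_groups_hosting(groups_text, flagged_names):
    """svchost groups whose members include a flagged service (stop before delete)."""
    hits = {}
    for line in groups_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "REG_MULTI_SZ":
            hosted = [m for m in parts[2:] if m in flagged_names]
            if hosted:
                hits[parts[0]] = hosted
    return hits


def removal_commands(flagged):
    """sc.exe lines in the order remove.bat uses: stop first, then delete.
    Names with spaces are quoted so cmd.exe passes them as one argument."""
    cmds = []
    for name in flagged:
        arg = f'"{name}"' if " " in name else name
        cmds += [f"sc stop {arg}", f"sc delete {arg}"]
    return cmds


if __name__ == "__main__":
    flagged = triage(SAMPLE_SERVICES)
    for name, reasons in flagged.items():
        print(f"{name}: {'; '.join(reasons)}")
    print("hosted in svchost groups:", svchost_groups_hosting(SAMPLE_SVCHOST_GROUPS, flagged))
    print("\n".join(removal_commands(flagged)))
```

The lookalike check is the one that catches entries whose file still exists: Tpooler's ImagePath is the real svchost.exe, so only the name (one edit away from Spooler, display name one edit away from Print Spooler) and its private svchost group give it away. Paste other ComboFix service blocks into SAMPLE_SERVICES to triage a different log.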


#14 jfriel

  • Topic Starter

  • Members
  • 33 posts

Posted 18 August 2008 - 01:32 PM

1. VIRUSTOTAL SCAN RESULTS

File tmpzydf1.exe received on 08.18.2008 13:41:09 (CET)
Result: 0/36 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.15.0 2008.08.18 -
AntiVir 7.8.1.19 2008.08.18 -
Authentium 5.1.0.4 2008.08.18 -
Avast 4.8.1195.0 2008.08.17 -
AVG 8.0.0.161 2008.08.18 -
BitDefender 7.2 2008.08.18 -
CAT-QuickHeal 9.50 2008.08.16 -
ClamAV 0.93.1 2008.08.18 -
DrWeb 4.44.0.09170 2008.08.18 -
eSafe 7.0.17.0 2008.08.17 -
eTrust-Vet 31.6.6035 2008.08.15 -
Ewido 4.0 2008.08.18 -
F-Prot 4.4.4.56 2008.08.18 -
F-Secure 7.60.13501.0 2008.08.18 -
Fortinet 3.14.0.0 2008.08.18 -
GData 2.0.7306.1023 2008.08.18 -
Ikarus T3.1.1.34.0 2008.08.18 -
K7AntiVirus 7.10.417 2008.08.18 -
Kaspersky 7.0.0.125 2008.08.18 -
McAfee 5362 2008.08.15 -
Microsoft 1.3807 2008.08.18 -
NOD32v2 3364 2008.08.18 -
Norman 5.80.02 2008.08.15 -
Panda 9.0.0.4 2008.08.17 -
PCTools 4.4.2.0 2008.08.17 -
Prevx1 V2 2008.08.18 -
Rising 20.58.02.00 2008.08.18 -
Sophos 4.32.0 2008.08.18 -
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.18 -
TheHacker 6.3.0.5.053 2008.08.18 -
TrendMicro 8.700.0.1004 2008.08.18 -
VBA32 3.12.8.3 2008.08.18 -
ViRobot 2008.8.18.1339 2008.08.18 -
VirusBuster 4.5.11.0 2008.08.18 -
Webwasher-Gateway 6.6.2 2008.08.18 -
Additional information
File size: 389120 bytes
MD5...: 6d778e0f95447e6546553eeea709d03c
SHA1..: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
SHA256: 62abed7d45040381bbced97ea7b6c697b418448fd3322fd4bfb2bbfdb6155eb4
SHA512: a9401d8b077a48c0b6dd3443e62703d53513208f49d7b44d14f722f4c5400ffa
ca59582ca066d92d68a72aa96278bed1b2c5d8f1b85d5ef964d06e979a9ac09f
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4ad05046
timedatestamp.....: 0x48025baf (Sun Apr 13 19:14:55 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1f620 0x1f800 6.58 67557095d2941262a733cea0bc7ab480
.data 0x21000 0x1ca24 0x1ca00 0.17 ac08e12c2ca9c0b872b354378edde336
.rsrc 0x3e000 0x228a0 0x22a00 3.83 1586a8d471cd77b625c608210b6f5e5f

( 3 imports )
> KERNEL32.dll: FlushConsoleInputBuffer, LoadLibraryA, InterlockedExchange, FreeLibrary, LocalAlloc, GetVDMCurrentDirectories, CmdBatNotification, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetThreadLocale, GetDiskFreeSpaceExW, CompareFileTime, RemoveDirectoryW, GetCurrentDirectoryW, SetCurrentDirectoryW, TerminateProcess, WaitForSingleObject, GetExitCodeProcess, CopyFileW, SetFileAttributesW, DeleteFileW, SetFileTime, CreateDirectoryW, FillConsoleOutputAttribute, SetConsoleTextAttribute, ScrollConsoleScreenBufferW, FormatMessageW, DuplicateHandle, FlushFileBuffers, HeapReAlloc, HeapSize, GetFileAttributesExW, LocalFree, GetDriveTypeW, InitializeCriticalSection, SetConsoleCtrlHandler, GetWindowsDirectoryW, GetConsoleTitleW, GetModuleFileNameW, GetVersion, EnterCriticalSection, LeaveCriticalSection, ExpandEnvironmentStringsW, SearchPathW, WriteFile, GetVolumeInformationW, SetLastError, MoveFileW, SetConsoleTitleW, MoveFileExW, GetBinaryTypeW, GetFileAttributesW, GetCurrentThreadId, CreateProcessW, LoadLibraryW, ReadProcessMemory, SetErrorMode, GetConsoleMode, SetConsoleMode, VirtualAlloc, VirtualFree, SetEnvironmentVariableW, GetEnvironmentVariableW, GetCommandLineW, GetEnvironmentStringsW, GetLocalTime, GetTimeFormatW, FileTimeToLocalFileTime, GetDateFormatW, GetLastError, CloseHandle, SetThreadLocale, GetProcAddress, GetModuleHandleW, SetFilePointer, lstrcmpW, lstrcmpiW, HeapAlloc, GetProcessHeap, HeapFree, MultiByteToWideChar, ReadFile, WriteConsoleW, FillConsoleOutputCharacterW, SetConsoleCursorPosition, ReadConsoleW, GetConsoleScreenBufferInfo, GetStdHandle, GetFileType, VirtualQuery, RaiseException, GetCPInfo, GetConsoleOutputCP, WideCharToMultiByte, GetFileSize, CreateFileW, FindClose, FindNextFileW, FindFirstFileW, GetFullPathNameW, GetUserDefaultLCID, GetLocaleInfoW, SetLocalTime, SystemTimeToFileTime, GetSystemTime, FileTimeToSystemTime
> msvcrt.dll: __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __initenv, _cexit, _XcptFilter, _exit, _c_exit, calloc, _wcslwr, qsort, _vsnwprintf, wcsstr, _dup2, _dup, _open_osfhandle, _close, swscanf, _ultoa, _pipe, _seh_longjmp_unwind, _setmode, wcsncmp, iswxdigit, fflush, exit, _wtol, time, srand, __set_app_type, wcsrchr, malloc, free, wcstoul, _errno, iswalpha, printf, rand, swprintf, _iob, fprintf, towlower, realloc, setlocale, _snwprintf, wcscat, _wcsupr, wcsncpy, _wpopen, fgets, _pclose, memmove, wcschr, iswspace, _tell, longjmp, wcscmp, _wcsnicmp, _wcsicmp, wcstol, iswdigit, _getch, _get_osfhandle, _controlfp, _setjmp3, _except_handler3, wcscpy, wcslen, wcsspn, towupper
> USER32.dll: GetUserObjectInformationW, GetThreadDesktop, MessageBeep, GetProcessWindowStation

( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md...6553eeea709d03c


File home.vbs received on 08.18.2008 14:39:09 (CET)
Result: 0/35 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.15.0 2008.08.18 -
AntiVir 7.8.1.19 2008.08.18 -
Authentium 5.1.0.4 2008.08.18 -
Avast 4.8.1195.0 2008.08.17 -
AVG 8.0.0.161 2008.08.18 -
BitDefender 7.2 2008.08.18 -
CAT-QuickHeal 9.50 2008.08.16 -
ClamAV 0.93.1 2008.08.18 -
DrWeb 4.44.0.09170 2008.08.18 -
eSafe 7.0.17.0 2008.08.17 -
eTrust-Vet 31.6.6035 2008.08.15 -
Ewido 4.0 2008.08.18 -
F-Prot 4.4.4.56 2008.08.18 -
F-Secure 7.60.13501.0 2008.08.18 -
Fortinet 3.14.0.0 2008.08.18 -
GData 2.0.7306.1023 2008.08.18 -
Ikarus T3.1.1.34.0 2008.08.18 -
K7AntiVirus 7.10.417 2008.08.18 -
Kaspersky 7.0.0.125 2008.08.18 -
McAfee 5362 2008.08.15 -
Microsoft 1.3807 2008.08.18 -
NOD32v2 3364 2008.08.18 -
Norman 5.80.02 2008.08.15 -
Panda 9.0.0.4 2008.08.17 -
PCTools 4.4.2.0 2008.08.18 -
Rising 20.58.02.00 2008.08.18 -
Sophos 4.32.0 2008.08.18 -
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.18 -
TheHacker 6.3.0.5.053 2008.08.18 -
TrendMicro 8.700.0.1004 2008.08.18 -
VBA32 3.12.8.3 2008.08.18 -
ViRobot 2008.8.18.1339 2008.08.18 -
VirusBuster 4.5.11.0 2008.08.18 -
Webwasher-Gateway 6.6.2 2008.08.18 -
Additional information
File size: 22 bytes
MD5...: 73e5776fc7cf23d8fad4ea8544ab4050
SHA1..: 09f0234bb63ecaceeebdd7dc1cb402a448c4a824
SHA256: 7be57b21fb0285f9b86911e7ac655dde34db5b9092f7f2d179217dcd9065e73d
SHA512: 21b81bb7238440160720f539f0c09b07ff1ab1fc37ca49118ef73d3854f4d03c
0b3d95fc5c332477794e7143d73eee645e29e5ed8a08174928498c13e8b3b3be
PEiD..: -
PEInfo: -


File _winnt_log.ini received on 08.18.2008 14:43:15 (CET)
Result: 19/36 (52.78%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.15.0 2008.08.18 -
AntiVir 7.8.1.19 2008.08.18 BDS/Backdoor.Gen
Authentium 5.1.0.4 2008.08.18 W32/Hupigon.C.gen!Eldorado
Avast 4.8.1195.0 2008.08.18 Win32:Hupigon-FB
AVG 8.0.0.161 2008.08.18 BackDoor.Hupigon4.YYB
BitDefender 7.2 2008.08.18 GenPack:Backdoor.Hupigon.ZXD
CAT-QuickHeal 9.50 2008.08.16 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.18 -
DrWeb 4.44.0.09170 2008.08.18 -
eSafe 7.0.17.0 2008.08.17 -
eTrust-Vet 31.6.6035 2008.08.15 -
Ewido 4.0 2008.08.18 -
F-Prot 4.4.4.56 2008.08.18 W32/Hupigon.C.gen!Eldorado
F-Secure 7.60.13501.0 2008.08.18 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.08.18 -
GData 2.0.7306.1023 2008.08.18 Win32:Hupigon-FB
Ikarus T3.1.1.34.0 2008.08.18 MalwareScope.Backdoor.Hupigon.17
K7AntiVirus 7.10.417 2008.08.18 -
Kaspersky 7.0.0.125 2008.08.18 -
McAfee 5362 2008.08.15 -
Microsoft 1.3807 2008.08.18 -
NOD32v2 3364 2008.08.18 probably a variant of Win32/Hupigon
Norman 5.80.02 2008.08.15 W32/DLoader.IRYV
Panda 9.0.0.4 2008.08.17 Suspicious file
PCTools 4.4.2.0 2008.08.18 Backdoor.Graybird.GEN
Prevx1 V2 2008.08.18 Malicious Software
Rising 20.58.02.00 2008.08.18 -
Sophos 4.32.0 2008.08.18 Mal/Emogen-N
Sunbelt 3.1.1546.1 2008.08.15 VIPRE.Suspicious
Symantec 10 2008.08.18 -
TheHacker 6.3.0.5.053 2008.08.18 -
TrendMicro 8.700.0.1004 2008.08.18 -
VBA32 3.12.8.3 2008.08.18 MalwareScope.Trojan-PSW.Game.16
ViRobot 2008.8.18.1339 2008.08.18 -
VirusBuster 4.5.11.0 2008.08.18 -
Webwasher-Gateway 6.6.2 2008.08.18 Trojan.Backdoor.Backdoor.Gen
Additional information
File size: 682496 bytes
MD5...: d40167a1d430a7f4254fc42766283cf1
SHA1..: eda787cc099d96d482fb7683cce7f33e474b0072
SHA256: bd8f932a333b99ef6c63a96f69e9d040e39ec11caea4f810424505c20e50b6af
SHA512: e8d837a9700ac017737708b3e8880b691087d21259a1a86d6bfc964aa87a0be2
d10abd1e6ae02043c98c9e1bfe394074d8c384d51c80422500be1cac70eecffb
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401000
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 10 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x98000 0x3e400 8.00 ad0d0717f8008f8e86014ea3894ee029
0x99000 0x6000 0x3600 7.99 0c5ff127fc509a2114bb965c241dd240
0x9f000 0x2000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
0xa1000 0x3000 0x2c00 7.98 d8a9ee781b250705cf60a9aef4036deb
0xa4000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
0xa5000 0x1000 0x200 0.21 79a746a4e77770c2caa02454e7055049
0xa6000 0xa000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0xb0000 0xf000 0xe400 5.45 f36d0cd2bbe3caf83d044e6173e111f4
.inilog 0xbf000 0x54000 0x53a00 7.93 a2129b5022a22540680f3ff81f520892
.adata 0x113000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 24 imports )
> kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
> user32.dll: GetKeyboardType
> advapi32.dll: RegQueryValueExA
> oleaut32.dll: SysFreeString
> advapi32.dll: ReportEventA
> mpr.dll: WNetGetUserA
> version.dll: VerQueryValueA
> gdi32.dll: UnrealizeObject
> user32.dll: CreateWindowExA
> oleaut32.dll: SafeArrayPtrOfIndex
> comctl32.dll: ImageList_SetIconSize
> shell32.dll: ShellExecuteA
> wininet.dll: InternetReadFile
> advapi32.dll: StartServiceA
> winmm.dll: waveInUnprepareHeader
> wsock32.dll: WSACleanup
> netapi32.dll: Netbios
> msvfw32.dll: DrawDibDraw
> avicap32.dll: capCreateCaptureWindowA
> urlmon.dll: URLDownloadToFileA
> ws2_32.dll: gethostname
> advapi32.dll: SetSecurityInfo
> oleaut32.dll: VariantChangeTypeEx
> kernel32.dll: RaiseException

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp...E666B001A2F498E
packers (Avast): ASProtect
packers (Kaspersky): PE_Patch, PE_Patch


File acyyzv.key received on 08.18.2008 14:52:11 (CET)
Result: 0/35 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.15.0 2008.08.18 -
AntiVir 7.8.1.19 2008.08.18 -
Authentium 5.1.0.4 2008.08.18 -
Avast 4.8.1195.0 2008.08.18 -
AVG 8.0.0.161 2008.08.18 -
BitDefender 7.2 2008.08.18 -
CAT-QuickHeal 9.50 2008.08.16 -
ClamAV 0.93.1 2008.08.18 -
DrWeb 4.44.0.09170 2008.08.18 -
eSafe 7.0.17.0 2008.08.17 -
eTrust-Vet 31.6.6035 2008.08.15 -
Ewido 4.0 2008.08.18 -
F-Prot 4.4.4.56 2008.08.18 -
F-Secure 7.60.13501.0 2008.08.18 -
Fortinet 3.14.0.0 2008.08.18 -
GData 2.0.7306.1023 2008.08.18 -
Ikarus T3.1.1.34.0 2008.08.18 -
K7AntiVirus 7.10.417 2008.08.18 -
Kaspersky 7.0.0.125 2008.08.18 -
McAfee 5362 2008.08.15 -
Microsoft 1.3807 2008.08.18 -
NOD32v2 3364 2008.08.18 -
Panda 9.0.0.4 2008.08.17 -
PCTools 4.4.2.0 2008.08.18 -
Prevx1 V2 2008.08.18 -
Rising 20.58.02.00 2008.08.18 -
Sophos 4.32.0 2008.08.18 -
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.18 -
TheHacker 6.3.0.5.053 2008.08.18 -
TrendMicro 8.700.0.1004 2008.08.18 -
VBA32 3.12.8.3 2008.08.18 -
ViRobot 2008.8.18.1339 2008.08.18 -
VirusBuster 4.5.11.0 2008.08.18 -
Webwasher-Gateway 6.6.2 2008.08.18 -
Additional information
File size: 476011 bytes
MD5...: 323322e0fc461d2f86e5c0c565ffadbe
SHA1..: cfb8cd9a554e2e7280fce20f3e8d8e090b185dbf
SHA256: a4698355973682239bae5d571f11b6f540fd692e1ac35b96d9a6548a21801600
SHA512: fc88164a49e111b7fb21f07b055e086bbee9a1dc613646cb2f1732e5f1a490c2
2c9485e54b0f31969cd16ffecd88f659b810cef92702f8ef3b449c4b0ac04560
PEiD..: -
PEInfo: -

2. F-SECURE LOG FILE

Scanning Report
Monday, August 18, 2008 17:41:58 - 20:56:08

Computer name: OMSC-JFRIEL
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ I:\
Result: 10 malware found
Backdoor.Win32.Hupigon.cvkc (virus)

* C:\_OTMOVEIT\MOVEDFILES\08162008_175921\PROGRAM FILES\SYMANTEC ANTIVIRUS\QQ.EXE (Renamed & Submitted)

Hupigon.gen239 (virus)

* C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\TFTP2776 (Submitted)
* C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\TFTP3168 (Submitted)
* C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\TFTP56976 (Submitted)

Tracking Cookie (spyware)

* System

Trojan-Downloader.Win32.Agent.yvp (virus)

* C:\_OTMOVEIT\MOVEDFILES\08162008_175921\PROGRAM FILES\SYMANTEC ANTIVIRUS\MM1.EXE (Renamed & Submitted)

Trojan.Win32.Agent.yzm (virus)

* C:\DOCUMENTS AND SETTINGS\AGENT\DOCTORWEB\QUARANTINE\WINLOAD.DLL (Renamed & Submitted)

W32/Downloader (virus)

* C:\PROGRAM FILES\INTERNET EXPLORER\DOWN(1).EXE (Submitted)
* C:\PROGRAM FILES\INTERNET EXPLORER\DOWN(2).EXE (Submitted)
* C:\PROGRAM FILES\INTERNET EXPLORER\DOWN(5).EXE (Submitted)

Statistics
Scanned:

* Files: 81569
* System: 4642
* Not scanned: 16

Actions:

* Disinfected: 0
* Renamed: 3
* Deleted: 0
* None: 7
* Submitted: 9

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{74807069-98B7-4FBA-A80E-D8F383F3722C}.BIN
* C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
* C:\DOCUMENTS AND SETTINGS\AGENT\LOCAL SETTINGS\TEMP\ETILQS_FOLYLR1S9TMGWWET6PYB
* C:\DOCUMENTS AND SETTINGS\AGENT\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\ARCHIVE.PST
* C:\DOCUMENTS AND SETTINGS\AGENT\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\ARCHIVE.PST
* C:\DOCUMENTS AND SETTINGS\AGENT\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\OUTLOOK.PST
* C:\DOCUMENTS AND SETTINGS\AGENT\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\OUTLOOK.PST
* C:\DOCUMENTS AND SETTINGS\AGENT\DOCTORWEB\QUARANTINE\A0010053.EXE
* C:\DOCUMENTS AND SETTINGS\AGENT\DOCTORWEB\QUARANTINE\A0023225.DLL
* C:\DOCUMENTS AND SETTINGS\AGENT\DOCTORWEB\QUARANTINE\A0033744.EXE

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-08-18
* F-Secure AVP: 7.0.171, 2008-08-17
* F-Secure Pegasus: 1.20.0, 2008-04-15
* F-Secure Blacklight: 1.0.68

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

3. DSS LOGFILE

Deckard's System Scanner v20071014.68
Run by Agent on 2008-08-18 21:26:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Agent.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:30 PM, on 8/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\dbssys\DBSNTS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\dbssys\DBSRUN.exe
c:\dbssys\DBSValidReceive.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Agent\Desktop\dss.exe
C:\DOCUME~1\Agent\Desktop\HJT\Agent.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 78.42.196.237 DBS-SMTP-SERVER
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MiniFlashGetBHO - {C74E94A7-B7BD-4891-9328-455395BCC7AD} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [WatchGuard Mobile VPN with SSL] "C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnc.exe" /noconnect
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DBSRUN] c:\dbssys\DBSRUN.exe
O8 - Extra context menu item: 使用迷你快车下载 - C:\Program Files\FlashGet Network\FlashGet Mini\GetUrl.htm
O8 - Extra context menu item: 使用迷你快车下载该网页FLV - C:\Program Files\FlashGet Network\FlashGet Mini\FlashGetFlvdetector.htm
O8 - Extra context menu item: 使用迷你快车下载全部链接 - C:\Program Files\FlashGet Network\FlashGet Mini\GetAllUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213265367109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213265359328
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A172FF56-0C5C-4D28-B6A0-F781ECF2D37C}: NameServer = 195.238.50.254,195.238.40.44
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3595A04-AD22-4DD1-AE44-599279609BC9}: NameServer = 213.42.20.20,195.229.241.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DBSNTS - Cipherbase - c:\dbssys\DBSNTS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
O23 - Service: Webroot SpySweeper Service (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe

--
End of file - 10215 bytes

-- Files created between 2008-07-18 and 2008-08-18 -----------------------------

2008-08-18 16:42:29 0 d-------- C:\fsaua.data
2008-08-17 20:58:55 68096 --a------ C:\WINDOWS\zip.exe
2008-08-17 20:58:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-17 20:58:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-17 20:58:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-17 20:58:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-17 20:58:55 98816 --a------ C:\WINDOWS\sed.exe
2008-08-17 20:58:55 80412 --a------ C:\WINDOWS\grep.exe
2008-08-17 20:58:55 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-17 20:52:56 0 dr-hs---- C:\cmdcons
2008-08-17 20:52:53 0 d-------- C:\WINDOWS\setup.pss
2008-08-17 19:13:31 0 d-------- C:\Documents and Settings\Agent\Application Data\Malwarebytes
2008-08-17 19:13:27 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 19:13:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-16 17:24:11 0 d-------- C:\WINDOWS\ERUNT
2008-08-16 13:26:11 0 d-------- C:\Documents and Settings\Agent\DoctorWeb
2008-08-09 21:08:57 21060 -----n--- C:\WINDOWS\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
2008-08-09 21:08:56 10368 -----n--- C:\WINDOWS\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
2008-08-09 21:08:14 204800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-08-09 21:08:14 188416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-08-09 21:08:14 192512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-08-09 21:08:14 192512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-08-09 21:08:14 200704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-08-09 21:08:14 20480 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-08-09 21:08:05 0 d-------- C:\Program Files\InterVideo
2008-08-07 22:04:39 0 d-------- C:\Documents and Settings\Agent\Application Data\DivX
2008-08-07 14:43:22 0 d-------- C:\Documents and Settings\Agent\Application Data\TuneUp Software
2008-08-07 14:42:57 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-07 14:42:39 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-08-07 13:54:05 0 d-------- C:\Documents and Settings\Agent\Application Data\Symantec
2008-08-07 12:46:15 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-08-07 11:41:29 0 d--h----- C:\WINDOWS\PIF
2008-08-07 09:07:06 0 d-------- C:\WINDOWS\Sun
2008-08-06 21:59:03 0 d-------- C:\Program Files\Norton 360
2008-08-03 15:10:38 0 d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2008-07-31 11:03:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-07-31 09:32:13 0 d-------- C:\Documents and Settings\Agent\Application Data\Apple Computer
2008-07-31 09:31:38 0 d-------- C:\Program Files\iPod
2008-07-31 09:31:32 0 d-------- C:\Program Files\iTunes
2008-07-31 09:31:12 0 d-------- C:\Program Files\Bonjour
2008-07-31 09:30:20 0 d-------- C:\Program Files\QuickTime
2008-07-31 09:30:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-31 09:29:39 0 d-------- C:\Program Files\Apple Software Update
2008-07-31 09:29:00 0 d-------- C:\Program Files\Common Files\Apple
2008-07-31 09:29:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-31 08:53:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2008-07-30 16:27:16 0 d-------- C:\Program Files\DivX
2008-07-28 22:26:44 0 d-------- C:\WINDOWS\system32\shellexec
2008-07-26 16:57:37 0 d-------- C:\WINDOWS\pss
2008-07-25 02:27:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-07-23 13:10:11 0 d-------- C:\Documents and Settings\Agent\Application Data\Sun
2008-07-23 13:07:18 0 d-------- C:\Program Files\Java
2008-07-23 13:01:39 0 d-------- C:\Program Files\Common Files\Java
2008-07-21 15:55:36 22 --a------ C:\WINDOWS\home.vbs
2008-07-21 15:05:59 176128 --a------ C:\WINDOWS\system32\DBSAgent.dll <Not Verified; Cipherbase; AgentWrapper>
2008-07-20 16:12:38 0 d-------- C:\HP LJ1320
2008-07-19 19:11:50 36864 --a------ C:\WINDOWS\system32\DBSHook.dll <Not Verified; Cipherbase; DBSHook>
2008-07-19 19:11:49 32768 --a------ C:\WINDOWS\system32\Base64.dll <Not Verified; Alvaro Redondo; Base64 Encoding Library v2>
2008-07-19 15:28:05 0 d-------- C:\HP LJ1320 PCL5 Driver
2008-07-18 12:03:49 0 d-------- C:\Documents and Settings\Agent\Application Data\ScanSoft
2008-07-18 12:01:08 0 d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-07-18 12:01:02 0 d-------- C:\Program Files\ScanSoft
2008-07-18 12:01:02 0 d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft


-- Find3M Report ---------------------------------------------------------------

2008-08-18 21:26:42 0 d-------- C:\Documents and Settings\Agent\Application Data\Skype
2008-08-18 21:25:17 0 d-------- C:\Documents and Settings\Agent\Application Data\skypePM
2008-08-18 10:23:41 0 d-------- C:\Program Files\DBS SalesTrack
2008-08-18 08:59:59 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-17 21:21:37 0 d-------- C:\Program Files\Messenger
2008-08-17 21:02:33 0 d-------- C:\Program Files\Common Files
2008-08-16 17:59:21 0 d-------- C:\Program Files\Symantec AntiVirus
2008-08-12 18:53:35 56341 --a------ C:\WINDOWS\DBS SalesTrack Uninstaller.exe
2008-08-09 21:08:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-08 09:10:27 0 d-------- C:\Documents and Settings\Agent\Application Data\Mozilla
2008-08-07 14:40:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 12:15:37 0 d-------- C:\Program Files\Symantec
2008-08-02 02:25:30 682496 ---hs---- C:\Program Files\$winnt$log.ini
2008-07-19 15:08:56 0 d-------- C:\Documents and Settings\Agent\Application Data\Adobe
2008-07-07 15:12:17 176128 --a------ C:\WINDOWS\system32\AgentWrapper.dll <Not Verified; Cipherbase; AgentWrapper>
2008-07-06 06:30:34 0 d-------- C:\Program Files\Common Files\snp2std
2008-07-06 06:30:30 0 d-------- C:\Program Files\U.S. Robotics
2008-07-06 06:26:37 0 d-------- C:\Documents and Settings\Agent\Application Data\InstallShield
2008-06-23 21:05:20 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-23 18:44:58 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-23 18:36:08 0 d-------- C:\Program Files\Skype
2008-06-23 18:36:02 0 d-------- C:\Program Files\Common Files\Skype
2008-06-18 11:39:30 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-17 10:16:44 1160 --a------ C:\WINDOWS\mozver.dat
2008-06-15 17:09:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-12 13:56:52 62 --ahs---- C:\Documents and Settings\Agent\Application Data\desktop.ini
2008-06-12 10:27:44 0 -rahs---- C:\MSDOS.SYS
2008-06-12 10:27:44 0 -rahs---- C:\IO.SYS
2008-06-12 10:27:44 0 --a------ C:\CONFIG.SYS
2008-06-12 10:27:44 0 --a------ C:\AUTOEXEC.BAT
2008-06-12 10:24:18 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-11 03:07:20 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 03:03:26 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-06-11 03:03:26 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-06-11 03:03:20 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-06-11 03:03:20 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-06-11 03:03:20 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX>
2008-06-11 03:03:20 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-06-11 03:03:18 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-05-23 01:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C74E94A7-B7BD-4891-9328-455395BCC7AD}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [03/23/2006 12:17 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [03/23/2006 12:13 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [03/23/2006 12:17 PM]
"RTHDCPL"="RTHDCPL.EXE" [05/09/2006 12:53 PM C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [06/30/2006 04:32 AM C:\WINDOWS\agrsmmsg.exe]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [05/05/2006 04:36 PM]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [05/02/2001 04:10 AM]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [05/02/2001 04:10 AM]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [05/02/2001 04:10 AM]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [05/02/2001 04:10 AM]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [04/24/2006 05:09 PM]
"000StTHK"="000StTHK.exe" [06/23/2001 03:28 AM C:\WINDOWS\system32\000StTHK.exe]
"Dit"="Dit.exe" [08/05/2004 07:28 PM C:\WINDOWS\Dit.exe]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 08:59 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchGuard Mobile VPN with SSL"="C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnc.exe" [02/22/2008 11:41 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/14/2008 04:42 AM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 10:34 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 04:43 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [05/30/2008 03:54 PM]
"DBSRUN"="c:\dbssys\DBSRUN.exe" [08/09/2008 05:21 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 05/05/2006 04:48 PM 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avast.exe]
debugger=IFEOFILE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Agent^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Agent\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
C:\WINDOWS\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
C:\WINDOWS\tsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Webroot Spy Sweeper, Enterprise Edition]
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc
Tpooler Tpooler
Application Application
Tpoggoler Tpoggoler
rvpqhb rvpqhb
ASP.NET ASP.NET

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
napagent
hkmsvc
SystamlogSve

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-08-18 21:26:59 ------------


Hopefully we are starting to get somewhere!! Keep up the good work.
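
An added triage script (not part of this thread, and not code from Deckard's System Scanner or ComboFix) that reads the registry-dump portion of a DSS log like the one above and lists the entries a helper would look at first: Image File Execution Options keys carrying a Debugger value, and svchost groups outside a vetted baseline, noting when a group name is a near-copy of a built-in service such as Spooler. The baseline group set and the list of imitated service names are assumptions; the sample input is copied from the dump above.

```python
import difflib
# Sample input: lines copied from the Deckard's System Scanner registry dump above.
DSS_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avast.exe]
debugger=IFEOFILE
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc
Tpooler Tpooler
rvpqhb rvpqhb
"""

# svchost groups already vetted on this XP SP3 box (assumption: a reviewer's baseline, not exhaustive).
KNOWN_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch",
                "imgsvc", "termsvcs", "httpfilter", "eapsvcs", "dot3svc"}
# Built-in service names that a one-letter change would imitate (assumption: a short sample).
WELL_KNOWN_SERVICES = ["Spooler", "Schedule", "Eventlog", "SysmonLog", "lanmanserver"]

def parse_dump(text):
    # Map each bracketed registry key (lower-cased) to the value lines listed under it.
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def find_lookalike(name):
    # Return the well-known service name that `name` closely resembles, or None.
    for svc in WELL_KNOWN_SERVICES:
        ratio = difflib.SequenceMatcher(None, name.lower(), svc.lower()).ratio()
        if name.lower() != svc.lower() and ratio >= 0.8:
            return svc
    return None

def triage(text):
    """Return (finding, item, detail) tuples for dump entries that deserve a closer look."""
    findings = []
    for key, values in parse_dump(text).items():
        if "image file execution options" in key:
            # A Debugger value makes Windows start that path instead of the exe named in the key.
            exe = key.rsplit("\\", 1)[-1]
            findings += [("ifeo_debugger", exe, v.split("=", 1)[1])
                         for v in values if v.lower().startswith("debugger=")]
        elif key.endswith("\\svchost"):
            for group in (v.split()[0] for v in values):
                if group.lower() not in KNOWN_GROUPS:
                    findings.append(("unknown_svchost_group", group, find_lookalike(group) or ""))
    return findings
```

Run against the sample it reports the avast.exe IFEO redirect and the two unvetted groups, with Tpooler marked as a look-alike of Spooler; anything it lists is a starting point for review, not a verdict.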

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 August 2008 - 01:56 AM

We are almost there, I hope you have got some patience left to do this too.
  • Close any open browsers.

    Open notepad and copy/paste the text in the quote box below into it:

    File::
    C:\PROGRAM FILES\INTERNET EXPLORER\DOWN(1).EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\DOWN(2).EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\DOWN(5).EXE
    C:\Program Files\$winnt$log.ini
    C:\WINDOWS\system32\_$winnt$log.ini
    C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\TFTP2776
    C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\TFTP3168
    C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\TFTP56976

    DirLook::
    C:\PROGRAM FILES\INTERNET EXPLORER

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C74E94A7-B7BD-4891-9328-455395BCC7AD}]

    Driver::
    TOlb
    WindowsEntServer2008
    yvpqhbvb
    SYSEEM32
    DRMUP8WS66
    msfox
    Windows Disk Manager
    Systemadmin Event Notification
    Tpooler

    NetSvc::
    Tpooler


    Save this as CFScript.txt, in the same location as ComboFix.exe


    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



  • Please perform a BitDefender Online Virus and Malware Scan.
    Click on I Agree. An ActiveX warning box will appear; click on Install. Under Select What You Want To Check For Viruses,
    please check My Computer and click Ok.
    Now click on Click Here To Scan. Next,
    click on Click here to export the scan report and save it to your Desktop. Please include the BitDefender log in your next reply.

  • Please make a fresh Hijackthis log and copy and paste it into your reply.
In your next reply:
  • The Combofix log.
  • The log of BitDefender.
  • A fresh Hijackthis log.

Edited by farbar, 19 August 2008 - 02:47 AM.




