Astakiller + Smitfraud + Virtumonde, hijacked IE, plus "Personal Settings" (C:RECYCLER?) and "Windows - No Disk" popups


  • This topic is locked
15 replies to this topic

#1 jbostrom
Posted 13 April 2009 - 07:53 PM

Sad story background (See below for list of specific symptoms/actions. HJ and DDS Logs attached)
For about a decade I relied on Norton or McAfee for virus protection. Then a week ago, right after a popup saying "Norton Live Update requires a system start," I got this other annoying popup: "Windows - Disk Missing." It just wouldn't go away except in Safe Mode. It's deep. It comes on right after the Windows splash screen, before the desktop, and stays after the desktop closes when shutting down. I researched this on the net. It's something that interprets any empty external drives (CD, DVD, flash drive, etc.) as an error. Several intelligent sites said it was caused by a bug in Norton Live Update. So I called Norton and asked about it. They of course insisted that it had nothing to do with them. But they nicely upgraded my recently renewed Internet Security 2008 subscription to IS 2009. However, after installing IS 2009, and finding the popup bug still there, the Norton guy says, "Let's remove all trace of Norton software. That will prove it's not Norton that's causing this bug." He uses the remote Removal Tool. And the popup is still there. But then, he REFUSES TO REINSTALL NORTON! Says I have to contact Microsoft to fix the "Windows problem" first. Suddenly insists, insanely, that the "Windows" bug will "keep Norton from installing properly." $*&$*%!**!!

Long story short, I had no virus protection for a week. I got rid of the popup somehow, but the price was new major virus infections. And Norton now wants $100 to remove these viruses before they'll reinstall the software I paid them for. I just cancelled Norton forever, demanding and getting a refund. Now working with Spybot and HijackThis. Please help.

Specific symptoms and actions I've taken:
  • Molasses-like general slowness, especially in Standard Mode.
  • Three weird-named dll's running in msconfig STARTUP tab:

    - rundll32.exe "C:\WINDOWS/system32\gileriji.dll",b
    - Rundll32.exe "C:\WINDOWS\system32\zefuboso.dll",s
    - Rundll32.exe "c:\windows\system32\nijajudi.dll",a

    plus iexplore and a blank process with a blank command.
    I couldn't find any online reference to the three weird ones, don't trust anything blank, and don't want IE running at startup - I use Firefox. So I unchecked all five of these. This was the first thing I did.
  • The original "Windows-No Disk" popup is back again in Standard Mode, after a week without it.
  • In Standard Mode I get a blue popup in the top left corner saying only "Personalized Settings." This is linked to the process explorer.exe. Killing this popup window the first time gave me a brief popup mentioning C:/RECYCLER. After that, killing it killed the desktop (status bar, systray, and all icons, but not the screen background image nor a working Firefox window.)
  • Even in Safe Mode, Internet Explorer (which I almost never use) self-starts with various alarming ads for "Registry Protector" and "Super Virus Cleaner" etc. When this happens I immediately kill the IEXPLORE process with Task Mgr.
  • Ran Spybot. It found, mainly, 3 bots - Astakiller, Smitfraud, and Virtumonde. I don't know if these are removed or not now that I'm in Safe Mode, but they kept coming back immediately when I ran it in Standard Mode. Also TinyBar and a couple others, though those seem gone now.
  • Moved exclusively to Safe Mode.
  • Ran VundoFix in Safe Mode. It said it didn't find anything.
  • Spybot ran automatically on Safe Mode reboot today but after a long full scan in a popup, didn't return any results, just opened the normal Spybot app screen.
  • Installed latest version of HijackThis and ran it (Safe Mode.) HJ_4-13.log attached.
  • Re-ran msconfig and unchecked more "Unknown" SERVICES:

    Machine Debug Manager
    Office Source Engine
    Remote Packet Capture Protocol v.0 (experimental)

  • Ran DDS in Safe Mode (DOS.txt below, attach.txt attached.)

DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by HP_Administrator at 19:03:24.75 on Mon 04/13/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1268 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,c:\windows\system32\twex.exe,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\yayyWqPI.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {31f1aa71-214a-3de9-b724-93ea604ecd19}: {91dce406-ae39-427b-9ed3-a41217aa1f13} - c:\windows\system32\fwvjqc.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {eaaa63d3-b4ab-40ad-8b56-1689d80c3d49} - c:\windows\system32\geBrqnKb.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Restore Desktop] "c:\program files\restore desktop\Restore Desktop.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [Google Update] "c:\documents and settings\hp_administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [RestoreDesktop] c:\program files\restore desktop\RestoreDesktop.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB3995] command.com /c del "c:\windows\system32\twain32\local.ds"
uRunOnce: [SpybotDeletingD6115] cmd.exe /c del "c:\windows\system32\twain32\local.ds"
uRunOnce: [SpybotDeletingB3761] command.com /c del "c:\windows\system32\twain32\user.ds"
uRunOnce: [SpybotDeletingD6731] cmd.exe /c del "c:\windows\system32\twain32\user.ds"
uRunOnce: [SpybotDeletingB1417] command.com /c del "c:\windows\system32\twain32\user.ds.lll"
uRunOnce: [SpybotDeletingD196] cmd.exe /c del "c:\windows\system32\twain32\user.ds.lll"
uRunOnce: [SpybotDeletingB4002] command.com /c del "c:\windows\system32\twain32\local.ds"
uRunOnce: [SpybotDeletingD3953] cmd.exe /c del "c:\windows\system32\twain32\local.ds"
uRunOnce: [SpybotDeletingB8733] command.com /c del "c:\windows\system32\twain32\user.ds"
uRunOnce: [SpybotDeletingD6160] cmd.exe /c del "c:\windows\system32\twain32\user.ds"
uRunOnce: [SpybotDeletingB9088] command.com /c del "c:\windows\system32\twain32\user.ds.lll"
uRunOnce: [SpybotDeletingD4192] cmd.exe /c del "c:\windows\system32\twain32\user.ds.lll"
uRunOnce: [SpybotDeletingB5315] command.com /c del "c:\program files\online services\peoplepc\utilities\AtlBrowser.exe"
uRunOnce: [SpybotDeletingD9733] cmd.exe /c del "c:\program files\online services\peoplepc\utilities\AtlBrowser.exe"
uRunOnce: [SpybotDeletingB3666] command.com /c del "c:\windows\system32\twain_32\local.ds"
uRunOnce: [SpybotDeletingD1387] cmd.exe /c del "c:\windows\system32\twain_32\local.ds"
uRunOnce: [SpybotDeletingB3586] command.com /c del "c:\windows\system32\twain_32\user.ds"
uRunOnce: [SpybotDeletingD9984] cmd.exe /c del "c:\windows\system32\twain_32\user.ds"
uRunOnce: [SpybotDeletingB2573] command.com /c del "c:\windows\system32\twext.exe"
uRunOnce: [SpybotDeletingD9233] cmd.exe /c del "c:\windows\system32\twext.exe"
uRunOnce: [SpybotDeletingB8675] command.com /c del "c:\windows\system32\wejotena.dll_old"
uRunOnce: [SpybotDeletingD5572] cmd.exe /c del "c:\windows\system32\wejotena.dll_old"
uRunOnce: [SpybotDeletingB6307] command.com /c del "c:\windows\system32\patozeva.dll_old"
uRunOnce: [SpybotDeletingD2168] cmd.exe /c del "c:\windows\system32\patozeva.dll_old"
uRunOnce: [SpybotDeletingB1092] command.com /c del "c:\windows\system32\yayyWqPI.dll"
uRunOnce: [SpybotDeletingD101] cmd.exe /c del "c:\windows\system32\yayyWqPI.dll"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Lamp] c:\program files\hewlett-packard\hp precisionscan\precisionscan\HPLamp.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [BtcMouseMaestro] "c:\program files\hp optical 4 button usb mouse\KMaestro.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [QuickTime Task] "c:\program files\quicktime alternative\QTTask.exe" -atboottime
mRun: [Internet Explorer Service] iexplore.exe
mRun: [CPMfba56704] Rundll32.exe "c:\windows\system32\nijajudi.dll",a
mRun: [f8965498] rundll32.exe "c:\windows\system32\iwkonfmq.dll",b
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Open With JPEGCompress - c:\program files\jpegcompress\owjc.dll/CONTEXT_HANDLE.HTM
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: boimah.com\www
Trusted Zone: localhost
Trusted Zone: macromedia.com\www
Trusted Zone: uuforum.org\www
Trusted Zone: youtube.com\www
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.cartesianinc.com/Products/CPCViewAX/Sdk/CpcViewAX.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: yayyWqPI - yayyWqPI.dll
AppInit_DLLs: PROGRA~1\Google\GOOGLE~1\GOEC62~1 c:\windows\system32\wejotena.dll c:\windows\system32\nijajudi.dll c:\windows\system32\patozeva.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nijajudi.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\nijajudi.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\yayyWqPI.dll
SEH: {127e2dbb-5eb2-ce0a-cb14-3bc7bc8b115f}: {f511b8cb-7cb3-41bc-a0ec-2be5bbd2e721} - c:\windows\system32\fwvjqc.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBrqnKb
LSA: Notification Packages = cli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\uy40l73n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np793esk32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll

============= SERVICES / DRIVERS ===============

S0 epstwnt;epstwnt;c:\windows\system32\drivers\epstwnt.mpd --> c:\windows\system32\drivers\epstwnt.mpd [?]
S2 EktronExtensibilityServer;Ektron Extensibility Server;c:\program files\ektron\plugins\service\extensionservice.exe --> c:\program files\ektron\plugins\service\ExtensionService.exe [?]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\drivers\sharshtl.sys --> c:\windows\system32\drivers\sharshtl.sys [?]
S2 Windows Firewall;Windows Firewall;c:\program files\common files\system\firewall.exe [2009-3-27 78336]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-6-13 29744]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]

=============== Created Last 30 ================

2009-04-13 15:53 <DIR> --d----- c:\program files\Trend Micro
2009-04-13 15:02 1,404,540 ---sh--- c:\windows\system32\qmfnokwi.ini
2009-04-13 15:02 75,264 a------- c:\windows\system32\iwkonfmq.dll
2009-04-13 14:59 61,440 a------- c:\windows\system32\ufwdqwxo.exe
2009-04-13 14:57 99,840 a------- c:\windows\system32\fwvjqc.dll
2009-04-13 14:57 99,840 a------- c:\windows\system32\yscbhcpx.dll
2009-04-12 20:00 <DIR> --d----- C:\VundoFix Backups
2009-04-12 19:55 14,913 a--sh--- c:\windows\system32\bKnqrBeg.ini2
2009-04-12 18:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-12 18:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-12 15:50 61,440 a------- c:\windows\system32\rvduojhf.exe
2009-04-12 15:49 121 ---sh--- c:\windows\system32\feulqoai.ini
2009-04-12 15:48 74,752 a------- c:\windows\system32\iaoqluef.dll
2009-04-12 15:47 99,840 a------- c:\windows\system32\etntlj.dll
2009-04-12 15:46 99,840 a------- c:\windows\system32\hxrybtef.dll
2009-04-12 15:41 14,913 a--sh--- c:\windows\system32\bKnqrBeg.ini
2009-04-11 18:26 2,560 a------- c:\windows\system32\hgGAtTmk.dll
2009-04-11 18:11 118,282 a------- C:\s.exe
2009-04-10 20:14 142,346 a------- C:\is.exe
2009-04-10 19:36 142,346 a------- C:\i.exe
2009-04-10 19:17 142,346 a------- C:\if.exe
2009-04-10 06:47 237,056 a------- c:\windows\system32\fccdddDU.dll
2009-04-09 06:47 236,544 a------- c:\windows\system32\wvUmnolj.dll
2009-04-08 19:21 41,984 a--sh--- c:\windows\system32\wobovizu.exe
2009-04-08 06:46 237,568 a------- c:\windows\system32\geBrqnKb.dll
2009-04-07 06:45 237,056 a------- c:\windows\system32\rqRIcyVl.dll
2009-04-06 06:45 237,568 a------- c:\windows\system32\jkkJcDtS.dll
2009-04-05 19:13 <DIR> --d----- c:\windows\system32\twain32
2009-04-05 06:43 237,056 a------- c:\windows\system32\khfGvtTJ.dll
2009-04-04 06:42 237,568 a------- c:\windows\system32\efcYSkkI.dll
2009-04-03 06:40 237,568 a------- c:\windows\system32\geBqPJCr.dll
2009-04-03 06:34 35,840 -------- c:\windows\system32\yayyWqPI.dll
2009-04-01 00:58 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Inkscape
2009-03-31 23:31 <DIR> --d----- c:\program files\Inkscape
2009-03-31 17:57 118,282 ---shr-- c:\windows\iexplore.exe
2009-03-28 01:10 <DIR> --d----- c:\windows\LMI16F.tmp
2009-03-27 17:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2009-03-27 17:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-03-27 17:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-03-27 16:34 <DIR> --d----- c:\windows\LMI1.tmp
2009-03-27 14:40 142,874 ---shr-- c:\windows\Service.exe
2009-03-19 18:19 <DIR> --dsh--- c:\windows\system32\twain_32

==================== Find3M ====================

2009-04-10 07:18 109,056 a--sh--- c:\windows\system32\mesolozu.dll
2009-04-09 07:19 69,632 a--sh--- c:\windows\system32\zabuwupo.dll
2009-04-09 07:18 108,544 a--sh--- c:\windows\system32\nijajudi.dll
2009-04-08 19:17 107,520 a--sh--- c:\windows\system32\pebofesi.dll
2009-04-08 19:17 102,912 -------- c:\windows\system32\hapoyulu.dll
2009-04-08 19:09 70,381 a--sh--- c:\windows\system32\neyawoka.dll
2009-02-11 10:59 1,901 a------- c:\windows\panose.bin
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\dllcache\win32k.sys
2009-01-25 23:52 139,784 a------- c:\windows\hpoins15.dat
2009-01-16 12:16 79,764 a---h--- c:\windows\system32\mlfcache.dat
2008-04-02 16:58 1,820 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2009-01-08 19:00 72,939 a--sh--- c:\windows\system32\gikakopo.dll
2009-01-09 07:19 69,632 a--sh--- c:\windows\system32\mofosuyo.dll
2009-01-08 19:00 72,939 a--sh--- c:\windows\system32\pojelone.dll
2009-01-09 07:19 69,632 a--sh--- c:\windows\system32\rijuzahu.dll
2009-01-09 07:19 69,632 a--sh--- c:\windows\system32\zefuboso.dll
2009-01-08 19:00 72,939 a--sh--- c:\windows\system32\zinupuwu.dll

============= FINISH: 19:07:33.12 ===============

The problems seem mainly to reside in Standard Mode processes, but I can't seem to clean them from Safe Mode.

Please help me clean my machine! Thank you!

Attached Files
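The autostart entries in the DDS log above can be triaged mechanically. The following is an added example, not part of the original post or of DDS itself: it parses lines copied from that log and lists entries worth a manual look, then shows which other load points reference the same file. The rule names and the functions `triage` and `cross_refs` are hypothetical, and the rules are review heuristics, not verdicts.

```python
import ntpath
import re

# Lines copied from the DDS "Pseudo HJT Report" in the post above.
SAMPLE = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,c:\windows\system32\twex.exe,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\yayyWqPI.dll
BHO: {31f1aa71-214a-3de9-b724-93ea604ecd19}: {91dce406-ae39-427b-9ed3-a41217aa1f13} - c:\windows\system32\fwvjqc.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CPMfba56704] Rundll32.exe "c:\windows\system32\nijajudi.dll",a
Notify: AtiExtEvent - Ati2evxx.dll
Notify: yayyWqPI - yayyWqPI.dll
AppInit_DLLs: PROGRA~1\Google\GOOGLE~1\GOEC62~1 c:\windows\system32\wejotena.dll c:\windows\system32\nijajudi.dll c:\windows\system32\patozeva.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nijajudi.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\yayyWqPI.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBrqnKb
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"
BHO_RE = re.compile(rf"^BHO: (?:(?P<name>.+?): )?{GUID} - (?P<path>.+)$")
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[[^\]]*\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,', re.I)


def triage(log_text):
    """Return (rule, target) pairs for autostart entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("mWinlogon: Userinit="):
            # The stock value is userinit.exe alone; anything appended
            # to the list is also launched at every logon.
            for exe in line.split("=", 1)[1].split(","):
                exe = exe.strip()
                if exe and ntpath.basename(exe).lower() != "userinit.exe":
                    findings.append(("userinit-extra", exe))
        elif m := BHO_RE.match(line):
            # A browser helper object with no display name, or with a
            # GUID where the name should be, does not identify its vendor.
            name = m["name"]
            if name is None or re.fullmatch(GUID, name):
                findings.append(("bho-unnamed", m["path"]))
        elif m := RUN_RE.match(line):
            # Run keys that start a DLL through rundll32.
            r = RUNDLL_RE.match(m["cmd"])
            if r:
                findings.append(("run-rundll32", r["dll"]))
        elif line.startswith("AppInit_DLLs:"):
            # Empty by default; every DLL listed is loaded into each
            # process that loads user32.dll. Vendor software uses it too,
            # so each entry is listed for review.
            for dll in line.split(":", 1)[1].split():
                findings.append(("appinit-dll", dll))
        elif line.startswith("LSA: Authentication Packages ="):
            # msv1_0 is the stock package; extras are loaded by lsass.exe.
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "msv1_0":
                    findings.append(("lsa-authpkg", pkg))
    return findings


def cross_refs(log_text, findings):
    """Map each flagged file name to the entry types that mention it."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    refs = {}
    for _, target in findings:
        name = ntpath.basename(target).lower()
        kinds = {l.split(":", 1)[0] for l in lines if name in l.lower()}
        refs[name] = sorted(kinds)
    return refs


if __name__ == "__main__":
    found = triage(SAMPLE)
    for rule, target in found:
        print(f"{rule:15} {target}")
    for name, kinds in cross_refs(SAMPLE, found).items():
        print(f"{name:15} referenced by: {', '.join(kinds)}")
```

A file that appears under several unrelated load points at once, as `nijajudi.dll` and `yayyWqPI.dll` do here, is a stronger candidate for review than one flagged by a single rule.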




#2 SifuMike
Posted 15 April 2009 - 10:21 PM

Hello jbostrom,


I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first.

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed :!:
This is somewhat suicidal in today's digital world. :thumbup2:
That's why I want you to install one first!!

Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus !

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.

Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.

*****************

I see that you are running msconfig, which means that you may have selectively removed some items in the past from the startup procedure.

This can be bad if they are malware, so we would like you to reenable those startup entries by doing the following:

Please click on start, then run, and type msconfig and then press enter. When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program.
If it asks to reboot, do not reboot. It is not necessary to reboot to get the items to show up in HijackThis.

*****************

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll



*****************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

Edited by SifuMike, 16 April 2009 - 01:27 AM.


#3 jbostrom
Posted 16 April 2009 - 06:17 PM

Thank you SifuMike!
First, re: QUOTE: I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed :!: This is somewhat suicidal in today's digital world. END QUOTE
"Never" scanned previously? Hardly. I've had consistent Antivirus for over fifteen years until, as my original post detailed, a Norton tech uninstalled my paid Internet Security, and then refused to re-install it. The next week was one of the busiest weeks I've ever had, but I'm not going to let that be an excuse ever again for going without protection. Not even one day, after this.

I had a very hard time being patient waiting for a reply so I looked up other support on this problem and installed MBAM and ran it a day or so ago. That seemed to take care of it, as Avira didn't find anything on first scan when I ran it today:
-----------------------
Avira AntiVir Personal
Report file date: Thursday, April 16, 2009 17:35

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : HP_Administrator
Computer name : HP


Configuration settings for the scan:
Jobname.............................: Short system scan after installation
Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, April 16, 2009 17:35

The scan of running processes will be started
69 processes with 69 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '82' files ).



End of the scan: Thursday, April 16, 2009 17:35
Used time: 00:14 Minute(s)

The scan has been done completely.

0 Scanned directories
514 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
514 Files not concerned
3 Archives were scanned
0 Warnings
0 Notes
------------------------------
However, on reboot, Avira did find one bad item. It had "deny access" as the default solution, but I chose "delete" as that seemed more final. I can't remember what it was; I should have written it down.

As for MBAM, as I said, I did this first. Four scans on the 24th and one today, just of the flash drive, to make sure it wasn't the problem.
Here they are:
--------
MBAM 1 - FULL SCAN ALL DRIVES
--------
Malwarebytes' Anti-Malware 1.36
Database version: 1981
Windows 5.1.2600 Service Pack 2

4/14/2009 7:16:25 AM
mbam-log-2009-04-14 (07-16-25).txt

Scan type: Full Scan (D:\|E:\|G:\|H:\|I:\|J:\|R:\|S:\|T:\|U:\|)
Objects scanned: 92012
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 9
Registry Keys Infected: 17
Registry Values Infected: 16
Registry Data Items Infected: 5
Folders Infected: 3
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\geBrqnKb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ijisseir.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\iwkonfmq.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\nijajudi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\slhnil.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yayyWqPI.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yscbhcpx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fwvjqc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wpcpffqf.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d9e8bbc-20ff-46e5-9587-532a9e09ef32} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d9e8bbc-20ff-46e5-9587-532a9e09ef32} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayywqpi (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{eaaa63d3-b4ab-40ad-8b56-1689d80c3d49} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{eaaa63d3-b4ab-40ad-8b56-1689d80c3d49} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{80d65db5-9e80-4014-8c4c-4a7a8b182c02} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f8965498 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmfba56704 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{80d65db5-9e80-4014-8c4c-4a7a8b182c02} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{80d65db5-9e80-4014-8c4c-4a7a8b182c02} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb1092 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd101 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb3666 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd1387 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb3586 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd9984 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb2573 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd9233 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\gebrqnkb -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\nijajudi.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\gebrqnkb -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twext.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,C:\WINDOWS\system32\twex.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain32 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\slhnil.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yayyWqPI.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\geBrqnKb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bKnqrBeg.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bKnqrBeg.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iaoqluef.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\feulqoai.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ijisseir.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\riessiji.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iwkonfmq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qmfnokwi.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\nijajudi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yscbhcpx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fwvjqc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wpcpffqf.dll (Trojan.Vundo) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iexplore.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\i.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Service.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\iexplore.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\geBqPJCr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkJcDtS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRIcyVl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcYSkkI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGAtTmk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUmnolj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccdddDU.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfGvtTJ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\f.zip (Worm.Archive) -> Quarantined and deleted successfully.

_______
MBAM 2 - REPEAT FULL SCAN ALL DRIVES
--------
Malwarebytes' Anti-Malware 1.36
Database version: 1981
Windows 5.1.2600 Service Pack 2

4/14/2009 9:51:51 AM
mbam-log-2009-04-14 (09-51-51).txt

Scan type: Full Scan (C:\|D:\|G:\|H:\|I:\|J:\|R:\|S:\|T:\|U:\|)
Objects scanned: 338320
Time elapsed: 55 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-2161186958-1183498316-1727870324-1008\Dc827.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1108\A0070883.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1109\A0070947.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1109\A0071279.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072530.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072601.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072604.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072608.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072617.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072619.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072620.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072623.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072626.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072627.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072628.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dhcoebpd.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rvduojhf.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ufwdqwxo.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wobovizu.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DU3YGYPJ\CAD8YDHR (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WWSFU70T\CASTSH0F (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y94KLQW3\CA9KA1X3 (Trojan.Vundo) -> Quarantined and deleted successfully.

_______
MBAM 3 = FULL SCAN ALL DRIVES
--------
Malwarebytes' Anti-Malware 1.36
Database version: 1981
Windows 5.1.2600 Service Pack 2

4/14/2009 10:10:35 AM
mbam-log-2009-04-14 (10-10-35).txt

Scan type: Full Scan (F:\|G:\|H:\|I:\|J:\|R:\|S:\|T:\|U:\|)
Objects scanned: 77883
Time elapsed: 2 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------
MBAM 4 - QUICK SCAN (HARD DRIVE ONLY? OR MAYBE THIS WAS INTERRUPTED?)
--------
Malwarebytes' Anti-Malware 1.36
Database version: 1981
Windows 5.1.2600 Service Pack 2

4/14/2009 10:26:08 AM
mbam-log-2009-04-14 (10-26-08).txt

Scan type: Quick Scan
Objects scanned: 89790
Time elapsed: 14 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------
MBAM 5 - QUICK SCAN OF REMOVABLE FLASH DRIVE
--------
Malwarebytes' Anti-Malware 1.36
Database version: 1981
Windows 5.1.2600 Service Pack 2

4/16/2009 5:48:34 PM
mbam-log-2009-04-16 (17-48-34).txt

Scan type: Quick Scan
Objects scanned: 1
Time elapsed: 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

----------
OK. Now re: your suggestion to re-enable the weird msconfig Startup items. I'm really leery of enabling those things again, especially when neither of us seems to know what they are. It doesn't seem sensible that the antivirus program wouldn't pick them up unless they're enabled in Startup. If there's a malware file there, shouldn't it get scanned and recognized even if it's not enabled in Startup? It seems like asking for trouble, especially now that everything seems clean, to re-enable it. Also, I've disabled at least a dozen, maybe more, old processes from things I no longer use, like old printers. Why put them back? I'm just going to have to take them out again.

-----
Here is the Security Check file:

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
AviraAntiVirPersonal-FreeAntivirus
TaxCutPremium2006
TaxCutPremium+State+Efile 2007
Antivirus out of date!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Spybot - Search & Destroy
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 11
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Out of date Java installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Spybot SDHelper is disabled!
Malwarebytes' Anti-Malware mbam.exe
Common Files System firewall.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````


Scan took 24 seconds.
`````````End of Log```````````


Re: above: I enabled Windows Firewall for the first time a week after losing Norton. Should have done it immediately but was so used to having it off, not to conflict with Norton, that I forgot. And I was really upset at Norton, not thinking straight.
Can't believe I have out of date Java. I keep getting popups from Firefox that it's being updated. Maybe it's just that the old versions aren't auto-uninstalled.
Not sure what the SP 2 pack for Windows being out of date is either, but I hesitate to let Microsoft put any "auto updates" on my machine since about a year or two ago when they got all invasive about version authentication. I have a lot of legacy software I don't want them messing with, stuff I've long forgotten where I got it, stuff imported from long-dead other computers. And I HATE the new Office. If I had any time to learn it, I'd go Linux totally.

----------------
NEW HJ LOG (actually DDS - I'm assuming that's what you meant. If not I'll get you a full HJ log.)
-------------------
DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Administrator at 19:01:11.21 on Thu 04/16/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1299 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\System\firewall.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP Optical 4 Button USB Mouse\KMaestro.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\SecurityCheck.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Restore Desktop] "c:\program files\restore desktop\Restore Desktop.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [Google Update] "c:\documents and settings\hp_administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [RestoreDesktop] c:\program files\restore desktop\RestoreDesktop.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Lamp] c:\program files\hewlett-packard\hp precisionscan\precisionscan\HPLamp.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [BtcMouseMaestro] "c:\program files\hp optical 4 button usb mouse\KMaestro.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [QuickTime Task] "c:\program files\quicktime alternative\QTTask.exe" -atboottime
mRun: [Internet Explorer Service] iexplore.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Open With JPEGCompress - c:\program files\jpegcompress\owjc.dll/CONTEXT_HANDLE.HTM
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: boimah.com\www
Trusted Zone: localhost
Trusted Zone: macromedia.com\www
Trusted Zone: uuforum.org\www
Trusted Zone: youtube.com\www
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.cartesianinc.com/Products/CPCViewAX/Sdk/CpcViewAX.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: PROGRA~1\Google\GOOGLE~1\GOEC62~1 c:\windows\system32\wejotena.dll c:\windows\system32\patozeva.dll
LSA: Notification Packages = cli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\uy40l73n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np793esk32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-16 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-16 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-16 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-16 55640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Windows Firewall;Windows Firewall;c:\program files\common files\system\firewall.exe [2009-3-27 78336]
S0 epstwnt;epstwnt;c:\windows\system32\drivers\epstwnt.mpd --> c:\windows\system32\drivers\epstwnt.mpd [?]
S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\drivers\sharshtl.sys --> c:\windows\system32\drivers\sharshtl.sys [?]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-6-13 29744]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S4 EktronExtensibilityServer;Ektron Extensibility Server;c:\program files\ektron\plugins\service\extensionservice.exe --> c:\program files\ektron\plugins\service\ExtensionService.exe [?]

=============== Created Last 30 ================

2009-04-16 17:31 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-16 17:31 <DIR> --d----- c:\program files\Avira
2009-04-16 17:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-04-15 17:53 139,784 -------- c:\windows\hpoins15.dat.temp
2009-04-15 17:53 1,039 -------- c:\windows\hpomdl15.dat.temp
2009-04-14 07:10 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-04-14 07:10 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-14 07:10 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 07:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-14 07:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-13 21:55 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-13 15:53 <DIR> --d----- c:\program files\Trend Micro
2009-04-12 20:00 <DIR> --d----- C:\VundoFix Backups
2009-04-12 18:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-12 18:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-12 15:47 99,840 a------- c:\windows\system32\etntlj.dll
2009-04-12 15:46 99,840 a------- c:\windows\system32\hxrybtef.dll
2009-04-10 20:14 142,346 a------- C:\is.exe
2009-04-10 19:17 142,346 a------- C:\if.exe
2009-04-01 00:58 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Inkscape
2009-03-31 23:31 <DIR> --d----- c:\program files\Inkscape
2009-03-28 01:10 <DIR> --d----- c:\windows\LMI16F.tmp
2009-03-27 17:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2009-03-27 17:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-03-27 17:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-03-27 16:34 <DIR> --d----- c:\windows\LMI1.tmp

==================== Find3M ====================

2009-04-16 17:51 139,771 a------- c:\windows\hpoins15.dat
2009-04-10 07:18 109,056 a--sh--- c:\windows\system32\mesolozu.dll
2009-04-09 07:19 69,632 a--sh--- c:\windows\system32\zabuwupo.dll
2009-04-08 19:17 107,520 a--sh--- c:\windows\system32\pebofesi.dll
2009-04-08 19:17 102,912 a------- c:\windows\system32\hapoyulu.dll
2009-04-08 19:09 70,381 a--sh--- c:\windows\system32\neyawoka.dll
2009-02-11 10:59 1,901 a------- c:\windows\panose.bin
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\dllcache\win32k.sys
2008-04-02 16:58 1,820 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2009-01-08 19:00 72,939 a--sh--- c:\windows\system32\gikakopo.dll
2009-01-09 07:19 69,632 a--sh--- c:\windows\system32\mofosuyo.dll
2009-01-08 19:00 72,939 a--sh--- c:\windows\system32\pojelone.dll
2009-01-09 07:19 69,632 a--sh--- c:\windows\system32\rijuzahu.dll
2009-01-09 07:19 69,632 a--sh--- c:\windows\system32\zefuboso.dll
2009-01-08 19:00 72,939 a--sh--- c:\windows\system32\zinupuwu.dll

============= FINISH: 19:02:13.54 ===============

I'm not attaching the ATTACH.TXT file as I don't see an Attachment icon.

Thanks for your help. I tried to enroll in the School to pay it forward but there were no openings.
JB
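Added example (not part of the original posts, and not a DDS or BleepingComputer tool): a small Python triage pass over the AppInit_DLLs and Find3M lines of the DDS log above. Modules named in AppInit_DLLs are loaded into every process that loads user32.dll, so each entry deserves a look. The function names are this example's own, and it assumes the `s` and `h` characters in the attribute column mean System and Hidden; it only lists entries for a helper to review and does not decide what is malware.

```python
import ntpath
import re
from collections import defaultdict

# Lines copied from the AppInit_DLLs and Find3M parts of the DDS log in this thread.
SAMPLE_LOG = r"""
AppInit_DLLs: PROGRA~1\Google\GOOGLE~1\GOEC62~1 c:\windows\system32\wejotena.dll c:\windows\system32\patozeva.dll
2009-04-16 17:51 139,771 a------- c:\windows\hpoins15.dat
2009-04-10 07:18 109,056 a--sh--- c:\windows\system32\mesolozu.dll
2009-04-09 07:19 69,632 a--sh--- c:\windows\system32\zabuwupo.dll
2009-04-08 19:17 107,520 a--sh--- c:\windows\system32\pebofesi.dll
2009-04-08 19:17 102,912 a------- c:\windows\system32\hapoyulu.dll
2009-04-08 19:09 70,381 a--sh--- c:\windows\system32\neyawoka.dll
2009-02-11 10:59 1,901 a------- c:\windows\panose.bin
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\dllcache\win32k.sys
2008-04-02 16:58 1,820 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2009-01-08 19:00 72,939 a--sh--- c:\windows\system32\gikakopo.dll
2009-01-09 07:19 69,632 a--sh--- c:\windows\system32\mofosuyo.dll
2009-01-08 19:00 72,939 a--sh--- c:\windows\system32\pojelone.dll
2009-01-09 07:19 69,632 a--sh--- c:\windows\system32\rijuzahu.dll
2009-01-09 07:19 69,632 a--sh--- c:\windows\system32\zefuboso.dll
2009-01-08 19:00 72,939 a--sh--- c:\windows\system32\zinupuwu.dll
"""

SYSTEM32 = r"c:\windows\system32"

# date, time, size with thousands separators, 8-character attribute column, path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+([\d,]+)\s+([a-z-]{8})\s+(.+)$"
)


def appinit_entries(log):
    """Return the modules named on the AppInit_DLLs line (space or comma separated)."""
    for line in log.splitlines():
        if line.startswith("AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            return [part for part in re.split(r"[ ,]+", value) if part]
    return []


def file_entries(log):
    """Parse DDS file-listing lines into dicts; lines of any other kind are skipped."""
    entries = []
    for line in log.splitlines():
        match = FILE_LINE.match(line.strip())
        if match:
            date, time, size, attrs, path = match.groups()
            entries.append({"date": date, "time": time, "attrs": attrs,
                            "size": int(size.replace(",", "")), "path": path})
    return entries


def hidden_system_dlls(entries):
    """DLLs sitting directly in system32 that carry both the s and h attribute flags."""
    flagged = []
    for entry in entries:
        path = entry["path"].lower()
        if ("s" in entry["attrs"] and "h" in entry["attrs"]
                and ntpath.dirname(path) == SYSTEM32
                and path.endswith(".dll")):
            flagged.append(entry)
    return flagged


def same_size_clusters(entries):
    """Group file names by byte size; keep sizes shared by two or more names."""
    by_size = defaultdict(list)
    for entry in entries:
        by_size[entry["size"]].append(ntpath.basename(entry["path"]))
    return {size: names for size, names in by_size.items() if len(names) >= 2}


def triage(log):
    """Collect the review items: AppInit modules in system32, flagged DLLs, size twins."""
    flagged = hidden_system_dlls(file_entries(log))
    return {
        "appinit_in_system32": [p for p in appinit_entries(log)
                                if ntpath.dirname(p.lower()) == SYSTEM32],
        "hidden_system_dlls": [ntpath.basename(e["path"]) for e in flagged],
        "same_size_clusters": same_size_clusters(flagged),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("AppInit_DLLs modules in system32:", report["appinit_in_system32"])
    print("Hidden+system DLLs in system32:", report["hidden_system_dlls"])
    for size, names in sorted(report["same_size_clusters"].items()):
        print(f"  {size} bytes shared by: {', '.join(names)}")
```
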

#4 jbostrom

jbostrom
  • Topic Starter

  • Members
  • 12 posts

Posted 16 April 2009 - 06:22 PM

Oh I forgot. I also ran Kaspersky on the 14th. This was before I got the message about not doing anything until I was contacted. Here is the result:

KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, April 14, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, April 14, 2009 03:37:08
Records in database: 2042195
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 99101
Threat name: 9
Infected objects: 28
Suspicious objects: 0
Duration of the scan: 04:22:58


File name / Threat name / Threats count
C:\WINDOWS\system32\yayyWqPI.dll/C:\WINDOWS\system32\yayyWqPI.dll Infected: Trojan.Win32.Monderb.apmj 3
C:\WINDOWS\system32\geBrqnKb.dll/C:\WINDOWS\system32\geBrqnKb.dll Infected: Trojan.Win32.Monder.byqv 3
C:\WINDOWS\system32\iwkonfmq.dll/C:\WINDOWS\system32\iwkonfmq.dll Infected: Trojan.Win32.Monder.bzrp 8
C:\Program Files\Online Services\AOL\United States\AOL90\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91QIYCNZ\CA3U6HFZ Infected: Trojan.Win32.Monder.byvt 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DU3YGYPJ\CAD8YDHR Infected: Trojan.Win32.Monder.byee 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DU3YGYPJ\CAM74PMF Infected: Trojan.Win32.Monder.byxv 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WWSFU70T\CA942HPJ Infected: Trojan.Win32.Monder.byqv 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WWSFU70T\CASTSH0F Infected: Trojan.Win32.Monder.bydn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y94KLQW3\CA9KA1X3 Infected: Trojan.Win32.Monder.bydn 1
C:\WINDOWS\system32\dhcoebpd.exe Infected: Trojan-Downloader.Win32.FraudLoad.vohb 1
C:\WINDOWS\system32\geBrqnKb.dll Infected: Trojan.Win32.Monder.byqv 1
C:\WINDOWS\system32\ijisseir.dll Infected: Trojan.Win32.Monder.bzrp 1
C:\WINDOWS\system32\iwkonfmq.dll Infected: Trojan.Win32.Monder.bzrp 1
C:\WINDOWS\system32\rvduojhf.exe Infected: Trojan-Downloader.Win32.FraudLoad.vohb 1
C:\WINDOWS\system32\ufwdqwxo.exe Infected: Trojan-Downloader.Win32.FraudLoad.vohb 1
C:\WINDOWS\system32\yayyWqPI.dll Infected: Trojan.Win32.Monderb.apmj 1

The selected area was scanned.

#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts

Posted 16 April 2009 - 06:56 PM

Hi jbostrom.

My, you are impatient. :thumbup2:

Now re: your suggestion to re-enable the weird msconfig Startup items. I'm really leery of enabling those things again, especially when neither of us seems to know what they are. It doesn't seem sensible that the anti virus program wouldn't pick them up unless they're enabled in Startup. If there's a malware file there, shouldn't it get scanned and recognized even if it's not enabled in Startup? It seems like asking for trouble, especially now that everything seems clean, to re-enable it. Also, I've disabled at least a dozen, maybe more, old processes from things I no longer use, like old printers. Why put them back? I'm just going to have to take them out again.


I can't remove what I can't see, and that is why I told you to re-enable all the stuff you have disabled.
You can disable them (the old processes) when we are finished. If you don't do this then I can't find all the malware on your computer - simple as that.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 13.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java™ 6 Update 11
    Java™ 6 Update 2
    Java™ 6 Update 3
    Java™ 6 Update 5
    Java™ 6 Update 7
    Java™ SE Runtime Environment 6 Update 1
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
Since you are still infected, we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Avira Antivir Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
  • Right-click it and untick the option AntiVir Guard enable.
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.


We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 16 April 2009 - 07:01 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 jbostrom

jbostrom
  • Topic Starter

  • Members
  • 12 posts

Posted 16 April 2009 - 10:52 PM

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image


None of the above images from billy-oneal.com are showing up on my computer. Now that I'm quoting I can see the URLs (which give 404s BTW), so I can deduce that you're indicating Tools/Resident/Tea Timer. I remember that, and I already had Tea Timer unchecked in order to run other virus programs. You might want to check those images though. It might be something in the way I have BleepingComputer set up that keeps me from seeing these images, but it's just a blank.

#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts

Posted 16 April 2009 - 11:04 PM

I can see them OK, so it must be something you have on your computer.

#8 jbostrom

jbostrom
  • Topic Starter

  • Members
  • 12 posts

Posted 17 April 2009 - 02:59 AM

I did the Java update. To print the instructions on Combofix I had to reinstall my printer drivers. Combofix scares the bejeezus out of me. My first reaction is, what do you mean, "as you're still infected?" Didn't Avira show I'm clean? On the other hand, there still is very strange behavior - Firefox won't snap to URLs when I click on links. I've taken to pinging sites in CMD just to see if my connection is ok, and ipconfiging all the time. It's like it can't handle two tabs let alone three or four. I used to have seven or eight tabs open, maybe ten, in each of two or three windows, with no problems in speed or performance. Now it's like having dial-up.
I'm also getting back that weird popup. It finally went away after I disabled the four extra "media center" drives on this HP Media Center PC - smart media xD, MMC/SD, Compact Flash, and Memory Stick/PRO. I've never even seen media that would fit in those slots, certainly never used it. But when I reinstalled the printer driver, the popup came back. In My Computer/Manage/Disk Management, the HP 4280 All in One printer is listed under DISK DRIVES because it's thru a USB port.

Anyway, the main thing is I can't download Combofix from any of the three sites in the how to document. The URLs just won't take.

And what about those startup processes? When should I put them back, and do you want me to run a MAMB or Avira scan afterwards and or HJ log? I could do that while waiting to figure out how to download Combofix.

Please first tell me though how you know I'm infected, and WITH WHAT, that Combofix is supposed to fix that Avira and MAMB haven't already.

Thanks

#9 jbostrom

jbostrom
  • Topic Starter

  • Members
  • 12 posts

Posted 17 April 2009 - 03:14 AM

I got ComboFix downloaded. The thing is, clicking on a link no longer works most of the time. I either get a new tab with a blank URL, or sometimes it has "about.com" in it. What finally worked was right-clicking the link, clicking COPY, and then pasting it into the URL line, and hitting the arrow at the right. That works fast. I wonder if it's my mouse?

The other thing is that I have this very deep popup process, the weird Windows-No Disk thing, which is keyed to the crsss.exe process. It's running right on the desktop, and I really don't want to run something as potentially explosive as ComboFix while that is still right there. It comes on even before the desktop, right after the splash screen, and stays on the desktop after all the icons have disappeared, right until final blackout. It's deep. Have you ever researched that? There's a lot on it, but no one seems to have a final solution or even a coherent explanation. It's been baffling people for years. The exact popup is:

------------------------------------------------------------------------------------------------------------------x
Windows - No Disk [blue top banner ]
red circle with white X, then "Exception Processing Message c0000013 Parameters 75b6f9c 4 75b6f9c 75b6f9c"
Cancel - Try Again - Continue (buttons)
-------------------------------------------------------------------------------------------------------------------

You have to click it four times before it goes away. Each time, it beeps really loud. And then it comes back in like four seconds. Doesn't matter which button or the x you click.

JB

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts

Posted 17 April 2009 - 06:37 AM

None of the above images from billy-oneal.com are showing up on my computer.

You are right. It is not showing on my computer now. It may be the images have been moved to another folder.
I made an inquiry and found the images have been accidentally deleted, but will be stored in a few days.


The other thing is that I have this very deep popup process, the weird Windows-No Disk thing, which is keyed to the crsss.exe process. It's running right on the desktop, and I really don't want to run something as potentially explosive as ComboFix while that is still right there. It comes on even before the desktop, right after the splash screen, and stays on the desktop after all the icons have disappeared, right until final blackout. It's deep. Have you ever researched that? There's a lot on it, but no one seems to have a final solution or even a coherent explanation. It's been baffling people for years. The exact popup is:

------------------------------------------------------------------------------------------------------------------x
Windows - No Disk [blue top banner ]
red circle with white X, then "Exception Processing Message c0000013 Parameters 75b6f9c 4 75b6f9c 75b6f9c"
Cancel - Try Again - Continue (buttons)


This is not caused by malware. My expertise is malware removal, so you will have to go to the Windows XP forum for that problem. I did a Google search and found this: http://www.google.com/search?hl=en&q=E...G=Google+Search Seems to occur in varying situations.





And what about those startup processes? When should I put them back, and do you want me to run a MAMB or Avira scan afterwards and or HJ log? I could do that while waiting to figure out how to download Combofix.



I will tell you when to disable them. I will need to see them when you post a Hijackthis log.
Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult. Do not run any antimalware or antivirus scans on your own.

Combofix is safe under the hands of a trained malware professional. It is a heavy duty tool and used only when we need it.



and I really don't want to run something as potentially explosive as ComboFix while that is still right there


I don't fix Windows problems, only malware problems.

We can run an alternate tool, but it involves more work for me.

Let me know what you decide.

Edited by SifuMike, 17 April 2009 - 04:54 PM.


#11 jbostrom

jbostrom
  • Topic Starter

  • Members
  • 12 posts

Posted 18 April 2009 - 12:22 AM

I replied around noon but my reply seems to have disappeared from the thread. This is more or less a duplicate post. Please delete the other copy if you find it.

I really appreciate the time and care you're putting into this and i value your opinion. I suppose any malware that corrupts Windows - could be called a "Windows problem," but I don't understand what it is about this "Windows - No Disk" popup that makes you dismiss it as not malware. Any malware can have the word "Windows" added to its popup banner. And this popup acts exactly like malware. I'd call it "lurkware" - it apparently comes mainly from an application hidden in flash drives. This installs an "autorun.inf" into Windows which then somehow starts checking not only the flash drive, every 3 seconds, to see if the precious product is currently in the slot - and if it's not there, complaining 'No Disk!" - but also somehow gets used by Windows to extend the check to every external hard drive on the system, including printers connected via USB, which Windows lists as "drives" in My Computer/Manage/Disk Mgmt.

This piece of work is incredibly annoying and hardware-deep - how many processes pop up right over the initital Windows splash screen and stay in view until the final Windows splash screen goes black? It's has been kicking around for two years, roughly coinciding with the popular flash drive explosion, and finding a permanent solution to it would make you and any others who helped heroes to hundreds of people who've posted on the sites you briefly Googled.

I'm also concerned that this popup is a big red flag re: your cautions about not having anything running on the desktop while starting Combofix. It doesn't seem isolated, but somehow connected with other hung-up processes, particularly internet connectivity - clicking on one of the three buttons in the popup is sometimes the only thing that frees the logjam of other "stuck" processes - like several"processes suddenly "Not responding, or URL's that won't deliver a page in Firefox or IE, even when the relevant site returns a ping immediately with 0% failure - which I'm getting more and more of. Unfortunately, clicking the buttons doesn't also make the popup go away.

I'm also confused why you want me to delete the Combofix icon that I downloaded to the desktop. I've never used it, it's just sitting there waiting to be clicked. And I got it from the BleepingComputer Combofix info site you suggested. As I mentioned, just clicking the link to the download didn't work, so I right-clicked the link, copied the link location, and pasted it into the URL line. Then the download started. Why would this have to be deleted? is Combofix date-sensitive to time of download? That's all I can figure, and it seems strange.

Finally, a new development. When I went to disable Avira prior to running Combofix, I noticed that the main screen said no full scan had been done yet. That floored me. So I ran a full scan. It found 226 "detections." Most of them appear to be already quarantined stuff, some from long ago, from programs I don't even have any more like Spam Filter, but some apparently new. On these I let the default repair action, "deny access," run. Is that what I should choose on Avira repairs, or Delete or Quarantine? What's most effective?
Report here:
-------------
Avira AntiVir Personal
Report file date: Friday, April 17, 2009 10:06

Scanning for 1355611 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : HP

Version information:
BUILD.DAT : 9.0.0.387 17962 Bytes 3/24/2009 11:04:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 16:13:26
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 14:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 15:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 16:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 00:33:26
ANTIVIR2.VDF : 7.1.3.63 1588224 Bytes 4/16/2009 03:22:24
ANTIVIR3.VDF : 7.1.3.65 6656 Bytes 4/16/2009 03:22:24
Engineversion : 8.2.0.143
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 21:36:42
AESCRIPT.DLL : 8.1.1.75 373113 Bytes 4/17/2009 03:22:28
AESCN.DLL : 8.1.1.10 127348 Bytes 4/17/2009 03:22:27
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 22:24:41
AEPACK.DLL : 8.1.3.12 397687 Bytes 4/17/2009 03:22:27
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 00:01:56
AEHEUR.DLL : 8.1.0.116 1708407 Bytes 4/17/2009 03:22:26
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 00:01:56
AEGEN.DLL : 8.1.1.34 340340 Bytes 4/17/2009 03:22:25
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 18:32:40
AECORE.DLL : 8.1.6.9 176500 Bytes 4/17/2009 03:22:24
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 18:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 12:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 14:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 18:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 14:32:09
AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 11:52:24
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 14:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 19:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 12:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 14:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 15:45:45
RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 19:55:12

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Friday, April 17, 2009 10:06

Starting search for hidden objects.
'74576' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'cidaemon.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'FNPLicensingService.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'OUTLOOK.EXE' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'ALCXMNTR.EXE' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'firewall.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'inetinfo.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned
Scan process 'cisvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'CCC.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned
Scan process 'RestoreDesktop.exe' - '1' Module(s) have been scanned
Scan process 'LinksysAgent.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned
Scan process 'MOM.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'Kmaestro.exe' - '1' Module(s) have been scanned
Scan process 'kbd.exe' - '1' Module(s) have been scanned
Scan process 'acrotray.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned
Scan process 'HPLamp.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'HPBootOp.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
64 processes with 64 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '79' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk3.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0LQ7O12J\a[1].exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.118282 worm
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0LQ7O12J\bestsearchnet[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2VM1I1MX\pldr8[1].htm
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\OLD C\Program Files\Adobe\Acrobat 7.0\Setup Files\AcroPro\EFG\Data1.cab
[0] Archive type: CAB (Microsoft)
--> Dist_JP2KLib.dll
[WARNING] The file could not be written!
--> SaveAsRTF.fra
[WARNING] The file could not be written!
--> SaveAsXML.api
[WARNING] The file could not be written!
--> brt0402.lex
[WARNING] The file could not be written!
--> Designer_JP2KLib.DLL
[WARNING] The file could not be written!
--> Print03.html2
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\OLD C\Program Files\Adobe\Acrobat 7.0\Setup Files\AcroPro\EFG_\Data1.cab
[0] Archive type: CAB (Microsoft)
--> Dist_JP2KLib.dll
[WARNING] The file could not be written!
--> SaveAsRTF.fra
[WARNING] The file could not be written!
--> SaveAsXML.api
[WARNING] The file could not be written!
--> brt0402.lex
[WARNING] The file could not be written!
--> Designer_JP2KLib.DLL
[WARNING] The file could not be written!
--> Print03.html2
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\00007105
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\00007105
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\001042F3
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\001042F3
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\002114E1
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\002114E1
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\003B64C4
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\003B64C4
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\00585EA4
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\00585EA4
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\023C632C.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\023C632C.exe
[DETECTION] Is the TR/Drop.Small.MR.2 Trojan
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\02530913.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\02530913.exe
[DETECTION] Is the TR/Dldr.Small.WJ Trojan
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\030325B5
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\030325B5
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\031377A3
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\031377A3
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\06FA7034
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\06FA7034
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\07DB413C
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\07DB413C
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\081634FC
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\081634FC
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\08472AC6
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\08472AC6
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\08757694
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\08757694
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\08AF6A53
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\08AF6A53
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\08AF6B13
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\08AF6B13
[DETECTION] Contains recognition pattern of the WORM/Netsky.HB worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\08E0601D
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\08E0601D
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\090857F2
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\090857F2
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0D6E2954
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0D6E2954
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0D952129
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0D952129
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0DA522B1
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0DA522B1
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0DA91D13
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0DA91D13
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0DB96F01
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0DB96F01
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0DCD6AEC
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0DCD6AEC
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0DDD3CDA
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0DDD3CDA
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0DFA6653
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0DFA6653
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E15069D
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E15069D
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E176033
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E176033
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E1E0492
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E1E0492
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E2B5C1D
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E2B5C1D
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E2F5680
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E2F5680
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E3C7E72
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E3C7E72
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E492663
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E492663
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E597851
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E597851
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E6D743C
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E6D743C
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E7A1C2D
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E7A1C2D
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E87441F
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E87441F
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E97160D
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0E97160D
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0EA867FB
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0EA867FB
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0EC237DE
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0EC237DE
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0ECF5FD0
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0ECF5FD0
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0EDC07C2
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0EDC07C2
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0EFE1C2F
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0EFE1C2F
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0F9E257F
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0F9E257F
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0FB54B65
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0FB54B65
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0FCB714C
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\0FCB714C
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\10F55E05
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\10F55E05
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\194E6A6E
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\194E6A6E
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\1E4F3769
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\1E4F3769
[DETECTION] Contains recognition pattern of the WORM/Mytob.ER worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\24EB3B4C
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\24EB3B4C
[DETECTION] Is the TR/Drop.Small.MR.2 Trojan
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\24EE6548
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\24EE6548
[DETECTION] Is the TR/Dldr.Small.WJ Trojan
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\285823B1
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\285823B1
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\2B44327A
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\2B44327A
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\2B540468
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\2B540468
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\2C0B339F
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\2C0B339F
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\2C3F5365
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\2C3F5365
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\2C674B3A
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\2C674B3A
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\2D8D0DF7
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\2D8D0DF7
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\3F2C7973
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\3F2C7973
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\533C3CAD
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\533C3CAD
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\541120D8.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\541120D8.exe
[DETECTION] Is the TR/Dldr.Small.akz Trojan
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\58330937
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\58330937
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\58492F1E
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\58492F1E
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\5F90059E
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\5F90059E
[DETECTION] Is the TR/Drop.Small.MR.2 Trojan
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\5F965997
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\5F965997
[DETECTION] Is the TR/Dldr.Small.WJ Trojan
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\5FF234A6
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\5FF234A6
[DETECTION] Contains recognition pattern of the WORM/Mytob.EM worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\5FF55EA2
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\5FF55EA2
[DETECTION] Contains recognition pattern of the WORM/Mytob.ER worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\60A20FE4
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\60A20FE4
[DETECTION] Contains recognition pattern of the WORM/Mytob.EM worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\692B05F4
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\692B05F4
[DETECTION] Contains recognition pattern of the WORM/Mytob.EM worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\69BE6752
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\69BE6752
[DETECTION] Contains recognition pattern of the WORM/Mytob.ER worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\6B97128E
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\6B97128E
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\6C4119D3
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\6C4119D3
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\6EC536AE
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\6EC536AE
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\798B7936
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\798B7936
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D170C38
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D170C38
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D3B5A11
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D3B5A11
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D4C2BFF
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D4C2BFF
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D5C7DED
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D5C7DED
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D6C4FDB
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D6C4FDB
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D7D21C9
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D7D21C9
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D8D73B7
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D8D73B7
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DA16FA1
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DA16FA1
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DB46B8C
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DB46B8C
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DC43D7A
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DC43D7A
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DD50F68
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DD50F68
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DE56156
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DE56156
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DF95D40
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DF95D40
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7E100327
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7E100327
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7E237F12
[0] Archive type: HIDDEN
--> FIL\\\?\C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7E237F12
[DETECTION] Contains recognition pattern of the WORM/Gibe.C.1 worm
Begin scan in 'D:\' <HP_RECOVERY>

Beginning disinfection:
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\6B97128E
[NOTE] The file was moved to '4a21ad39.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\6C4119D3
[NOTE] The file was moved to '4a1cad3a.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\6EC536AE
[NOTE] The file was moved to '4f04c6ad.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\798B7936
[NOTE] The file was moved to '4a20ad30.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D170C38
[NOTE] The file was moved to '4f28d61c.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D3B5A11
[NOTE] The file was moved to '4f292fd4.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D4C2BFF
[NOTE] The file was moved to '4f2f278c.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D5C7DED
[NOTE] The file was moved to '4f293ab4.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D6C4FDB
[NOTE] The file was moved to '4a1ead3b.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D7D21C9
[NOTE] The file was moved to '4f290115.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7D8D73B7
[NOTE] The file was moved to '4f171ecd.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DA16FA1
[NOTE] The file was moved to '4f111685.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DB46B8C
[NOTE] The file was moved to '4a2aad3c.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DC43D7A
[NOTE] The file was moved to '4f116675.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DD50F68
[NOTE] The file was moved to '4f177e2d.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DE56156
[NOTE] The file was moved to '4a2dad3c.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7DF95D40
[NOTE] The file was moved to '4f134f9d.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7E100327
[NOTE] The file was moved to '4a19ad3d.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7E237F12
[NOTE] The file was moved to '4f255f0e.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7E335100
[NOTE] The file was moved to '4a1bad3d.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7E474CEA
[NOTE] The file was moved to '4a1cad3d.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7E5B48D4
[NOTE] The file was moved to '4a1dad3d.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7E6E44BF
[NOTE] The file was moved to '4a1ead3d.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7E8240A9
[NOTE] The file was moved to '4a20ad3d.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7E953C94
[NOTE] The file was moved to '4f678dde.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7EA36485
[NOTE] The file was moved to '4a29ad3d.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7EB66070
[NOTE] The file was moved to '4f629d4e.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7ECA5C5A
[NOTE] The file was moved to '4f629506.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7EDA2E48
[NOTE] The file was moved to '4a2cad3d.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7EEA0036
[NOTE] The file was moved to '4a2dad3d.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7EF72828
[NOTE] The file was moved to '4f62e2ae.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7F3C19DC
[NOTE] The file was moved to '4a1bad3e.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7F7039A3
[NOTE] The file was moved to '4a1fad3e.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7F810B91
[NOTE] The file was moved to '4a20ad3e.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7F94077B
[NOTE] The file was moved to '4a21ad3e.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7FA55969
[NOTE] The file was moved to '4a29ad3e.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7FB85554
[NOTE] The file was moved to '4a2aad3e.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7FCC513E
[NOTE] The file was moved to '4a2bad3e.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7FDF4D29
[NOTE] The file was moved to '4a2cad3e.qua'!
C:\OLD C\Program Files\Norton AntiVirus\Quarantine\7FF01F17
[NOTE] The file was moved to '4a2ead3e.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03981169.tmp
[NOTE] The file was moved to '4a21ad2b.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03A20F5E.tmp
[NOTE] The file was moved to '4a29ad2b.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03AF3750.exe
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
[NOTE] The file was moved to '4f772a54.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03BF093E.exe
[NOTE] The file was moved to '4a2aad2c.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03C2333A.exe
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
[NOTE] The file was moved to '4a2bad2c.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03D30528.frD
[NOTE] The file was moved to '4a2cad2c.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03DD031D.tmp
[NOTE] The file was moved to '4f4e0685.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2837399F.exe
[NOTE] The file was moved to '4a1bad31.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3EF23B95.exe
[NOTE] The file was moved to '4f4a1607.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3F58319D.dll
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to '4a1dad3f.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\427D16EC.tmp
[NOTE] The file was moved to '4a1fad2c.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4B4E63A3.exe
[NOTE] The file was moved to '4f7b7fad.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\78F074CE.exe
[NOTE] The file was moved to '4a2ead32.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\78F31ECB.exe
[NOTE] The file was moved to '4f474f13.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\78F972C4.exe
[NOTE] The file was moved to '4f4444db.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\790370B9.exe
[DETECTION] Contains HEUR/Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4a18ad33.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\79061AB5.exe
[NOTE] The file was moved to '4a18ad34.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\790A44B2.exe
[NOTE] The file was moved to '4f76ac75.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\791342A7.exe
[NOTE] The file was moved to '4a19ad34.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\79176CA3.dll
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to '4a19ad35.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\791A16A0.exe
[NOTE] The file was moved to '4f68b5ae.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\79241495.exe
[NOTE] The file was moved to '4a1aad35.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\79273E91.exe
[NOTE] The file was moved to '4a1aad36.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\792A688E.dll
[NOTE] The file was moved to '4f8ed477.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\792A688E.exe
[NOTE] The file was moved to '4f8f2c3f.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\79346683.exe
[NOTE] The file was moved to '4a1bad36.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7937107F.exe
[NOTE] The file was moved to '4f8c3daf.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\793B3A7C.EXE
[NOTE] The file was moved to '4a1bad37.qua'!
C:\OLD C\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\79410E74.exe
[NOTE] The file was moved to '4a1cad37.qua'!
C:\OLD D\Program Files\InboxCop\spool\jbostrom!pop-server.si.rr.com\deleted\eixd.jbostrom!pop-se_1050512_171412__new
[NOTE] The file was moved to '4a60ad67.qua'!
C:\OLD D\Program Files\InboxCop\spool\jbostrom!pop-server.si.rr.com\deleted\eixd.jbostrom!pop-se_1050512_171543__new
[NOTE] The file was moved to '4a60ad68.qua'!
C:\OLD D\Program Files\InboxCop\spool\jbostrom!pop-server.si.rr.com\parsedmsgs\jbostrom!pop-se_1050512_171116\msg-485635-39.html
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4a4fad72.qua'!
C:\OLD D\Program Files\InboxCop\spool\jbostrom!pop-server.si.rr.com\parsedmsgs\jbostrom!pop-se_1050512_171354\msg-485635-55.html
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4fd0737b.qua'!
C:\OLD D\Program Files\InboxCop\spool\jbostrom!pop-server.si.rr.com\parsedmsgs\jbostrom!pop-se_1050512_171402\msg-485635-61.html
[DETECTION] Contains recognition pattern of the PHISH/Ebayfraud.EL phishing file/email
[NOTE] The file was moved to '4fef48a3.qua'!
C:\OLD D\Program Files\InboxCop\spool\jbostrom!pop-server.si.rr.com\parsedmsgs\jbostrom!pop-se_1050512_171412\msg-485635-70.html
[DETECTION] Contains recognition pattern of the EXP/Iframe.FileDldr exploit
[NOTE] The file was moved to '4fee5acb.qua'!
C:\OLD D\Program Files\InboxCop\spool\jbostrom!pop-server.si.rr.com\parsedmsgs\jbostrom!pop-se_1050512_171543\msg-485635-84.html
[DETECTION] Contains recognition pattern of the EXP/Iframe.FileDldr exploit
[NOTE] The file was moved to '4fed52f3.qua'!
C:\OLD D\Program Files\InboxCop\spool\jbostrom!pop-server.si.rr.com\spam\eixd.jbostrom!pop-se_1050512_171116__new
[NOTE] The file was moved to '4a60ad69.qua'!
C:\OLD D\Program Files\InboxCop\spool\jbostrom!pop-server.si.rr.com\spam\eixd.jbostrom!pop-se_1050512_171354__new
[NOTE] The file was moved to '4fc4aa22.qua'!
C:\OLD D\Program Files\InboxCop\spool\jbostrom!pop-server.si.rr.com\spam\eixd.jbostrom!pop-se_1050512_171402__new
[DETECTION] Contains recognition pattern of the PHISH/Ebayfraud.EL phishing file/email
[NOTE] The file was moved to '4fc5a27a.qua'!
C:\OLD G\Program FIles\SpamSafe\spool\jbostrom!pop-server.si.rr.com\deleted\jbostrom!pop-se_1051023_144039__new
[NOTE] The file was moved to '4a57ad62.qua'!
C:\OLD G\Program FIles\SpamSafe\spool\jbostrom!pop-server.si.rr.com\deleted\jbostrom!pop-se_1051023_144237__new
[NOTE] The file was moved to '425d6f23.qua'!
C:\OLD G\Program FIles\SpamSafe\spool\jbostrom!pop-server.si.rr.com\deleted\jbostrom!pop-se_1051024_112745__new
[NOTE] The file was moved to '4252d5bb.qua'!
C:\OLD G\Program FIles\SpamSafe\spool\jbostrom!pop-server.si.rr.com\deleted\jbostrom!pop-se_1051024_113104__new
[NOTE] The file was moved to '425034cb.qua'!
C:\OLD G\Program FIles\SpamSafe\spool\jbostrom!pop-server.si.rr.com\deleted\jbostrom!pop-se_1051024_113256__new
[NOTE] The file was moved to '425e171b.qua'!
C:\OLD G\Program FIles\SpamSafe\spool\jbostrom!pop-server.si.rr.com\parsedmsgs\jbostrom!pop-se_1051023_144039\msg-3268-4.html
[DETECTION] Contains recognition pattern of the EXP/Iframe.FileDldr exploit
[NOTE] The file was moved to '4a4fad73.qua'!
C:\OLD G\Program FIles\SpamSafe\spool\jbostrom!pop-server.si.rr.com\parsedmsgs\jbostrom!pop-se_1051023_144237\msg-3268-23.html
[DETECTION] Contains recognition pattern of the EXP/Iframe.FileDldr exploit
[NOTE] The file was moved to '4a4fad74.qua'!
C:\OLD G\Program FIles\SpamSafe\spool\jbostrom!pop-server.si.rr.com\parsedmsgs\jbostrom!pop-se_1051024_112745\msg-3636-2.html
[DETECTION] Contains recognition pattern of the EXP/Iframe.FileDldr exploit
[NOTE] The file was moved to '424dead5.qua'!
C:\OLD G\Program FIles\SpamSafe\spool\jbostrom!pop-server.si.rr.com\parsedmsgs\jbostrom!pop-se_1051024_113104\msg-3636-32.html
[DETECTION] Contains recognition pattern of the EXP/Iframe.FileDldr exploit
[NOTE] The file was moved to '4fd51a55.qua'!
C:\OLD G\Program FIles\SpamSafe\spool\jbostrom!pop-server.si.rr.com\parsedmsgs\jbostrom!pop-se_1051024_113256\msg-3636-51.html
[DETECTION] Contains recognition pattern of the EXP/Iframe.FileDldr exploit
[NOTE] The file was moved to '424e888d.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1050606_100150__new
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
[NOTE] The file was moved to '4a57ad64.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1050606_100239__new
[NOTE] The file was moved to '4253c515.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1050629_120123__new
[NOTE] The file was moved to '4257b355.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1050728_104716__new
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
[NOTE] The file was moved to '425f0775.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1050804_134412__new
[NOTE] The file was moved to '4a57ad65.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1050804_193449__new
[NOTE] The file was moved to '4fcb6bd6.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1050814_173448__new
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
[NOTE] The file was moved to '425b4b76.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1050826_171846__new
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '425a5f8e.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1050829_215553__new
[NOTE] The file was moved to '4a57ad66.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1050904_092159__new
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4ff085a7.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1050905_091219__new
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
[NOTE] The file was moved to '4245ba7f.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1050906_210543__new
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
[NOTE] The file was moved to '4247af1f.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1050916_195104__new
[NOTE] The file was moved to '4246a237.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1050919_074633__new
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4a57ad67.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1051002_052448__new
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
[NOTE] The file was moved to '42438bc0.qua'!
C:\OLD G\Program FIles\SpamSafe\training\spam\jbostrom!pop-se_1051003_133901__new
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
[NOTE] The file was moved to '4240ee78.qua'!
C:\Program Files\Online Services\NetscapeOnline\installnetscape.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4a5bad73.qua'!
C:\Program Files\Online Services\NetscapeOnline\NSSetupMV.exe
[DETECTION] Is the TR/PSW.Stealer.724081 Trojan
[NOTE] The file was moved to '4a3bad59.qua'!
C:\RECYCLER\S-1-5-21-2161186958-1183498316-1727870324-1008\Dc172.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a19ad69.qua'!
C:\RECYCLER\S-1-5-21-2161186958-1183498316-1727870324-1008\Dc828.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4a20ad6a.qua'!
C:\RECYCLER\S-1-5-21-2161186958-1183498316-1727870324-1008\Dc829.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4a20ad6b.qua'!
C:\RECYCLER\S-1-5-21-2161186958-1183498316-1727870324-1008\Dc830.exe
[DETECTION] Is the TR/Agent.bzcv.1 Trojan
[NOTE] The file was moved to '4a20ad6c.qua'!
C:\RECYCLER\S-1-5-21-2161186958-1183498316-1727870324-1008\Dc831.exe
[DETECTION] Is the TR/Agent.bysf Trojan
[NOTE] The file was moved to '4f889de5.qua'!
C:\RECYCLER\S-1-5-21-2161186958-1183498316-1727870324-1008\Dc833.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.49152.14 worm
[NOTE] The file was moved to '42369625.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1110\A0071411.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.49152.14 worm
[NOTE] The file was moved to '4205dcfb.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1110\A0071446.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '42393ddb.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1111\A0071452.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.86016.26 worm
[NOTE] The file was moved to '4206d4b3.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1112\A0071558.exe
[DETECTION] Is the TR/Agent.bysf Trojan
[NOTE] The file was moved to '42382423.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072470.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.118282 worm
[NOTE] The file was moved to '4a18ad3b.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072471.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.118282 worm
[NOTE] The file was moved to '4201ff9c.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072511.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.118282 worm
[NOTE] The file was moved to '423b0d4c.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072524.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '423c0504.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072525.exe
[DETECTION] Contains recognition pattern of the DIAL/90112 dialer
[NOTE] The file was moved to '4a18ad3c.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072593.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '423e1af5.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072595.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.49152.14 worm
[NOTE] The file was moved to '423f12ad.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072598.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.118282 worm
[NOTE] The file was moved to '4f309d9d.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072599.exe
[DETECTION] Contains recognition pattern of the WORM/Agent.142874 worm
[NOTE] The file was moved to '4a18ad3d.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072600.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.118282 worm
[NOTE] The file was moved to '42316a56.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072602.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4232620e.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072603.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '42337bc6.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072606.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '423473fe.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072607.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a18ad3e.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072618.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a18ad3f.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072624.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '42375b58.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072640.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.86016.27 worm
[NOTE] The file was moved to '4a18ad40.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072641.exe
[DETECTION] Is the TR/Dldr.FraudLoad.vohb.11 Trojan
[NOTE] The file was moved to '422aa8e9.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072642.exe
[DETECTION] Is the TR/Dldr.FraudLoad.vohb.11 Trojan
[NOTE] The file was moved to '422ba031.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072643.exe
[DETECTION] Is the TR/Dldr.FraudLoad.vohb.11 Trojan
[NOTE] The file was moved to '422cb879.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1116\A0072644.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '422db041.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1119\A0072845.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '422e8989.qua'!
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1133\A0074651.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4a18ad41.qua'!
C:\WINDOWS\system32\etntlj.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a56ad85.qua'!
C:\WINDOWS\system32\gikakopo.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a53ad7a.qua'!
C:\WINDOWS\system32\hxrybtef.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a5aad89.qua'!
C:\WINDOWS\system32\jotiwoyo.dll.tmp
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a5cad81.qua'!
C:\WINDOWS\system32\lilizepu.dll.tmp
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a54ad7b.qua'!
C:\WINDOWS\system32\neyawoka.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a61ad77.qua'!
C:\WINDOWS\system32\pojelone.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a52ad82.qua'!
C:\WINDOWS\system32\vodoroye.dll.tmp
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a4cad82.qua'!
C:\WINDOWS\system32\zinupuwu.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a56ad7c.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91QIYCNZ\CA3U6HFZ
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a1bad54.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91QIYCNZ\CAWL49GR
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a3fad55.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DU3YGYPJ\CAM74PMF
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a35ad55.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WWSFU70T\CA942HPJ
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a21ad55.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y94KLQW3\CAVQ21R7
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a3ead56.qua'!


End of the scan: Friday, April 17, 2009 12:23
Used time: 2:15:39 Hour(s)

The scan has been done completely.

20723 Scanned directories
976665 Files were scanned
226 Viruses and/or unwanted programs were found
13 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
229 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
976424 Files not concerned
25115 Archives were scanned
19 Warnings
231 Notes
74576 Objects were scanned with rootkit scan
0 Hidden objects were found
---------------------------------

#12 SifuMike

    malware expert

  • Staff Emeritus
Posted 18 April 2009 - 09:20 AM

I am not going to fix your Windows problem - end of story!
You read my previous post so follow that advice.

I'm also confused why you want me to delete the Combofix icon that I downloaded to the desktop. I've never used it,



That version has a bug in it.

what I should choose on Avira repairs, or Delete or Quarantine? What's most effective?


Always quarantine any malware that your antivirus finds. Never delete it. Sometimes (this is rare) false positives happen, and you can always restore from quarantine if it is a false positive.
After several weeks, if everything on your computer is working normally, then you can delete the malware you quarantined.

You need to read the Avira AntiVir User Manual
http://www.free-av.com/en/documentation/index.html


Your options are
1. Run ComboFix and post the log
2. We can run an alternate removal tool, OTScanIt
3. Reformat and reload. Since this computer is quite a mess, this is the safest and will insure a totally clean computer.

Let me know what you decide.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 jbostrom

  • Topic Starter
  • Members

Posted 18 April 2009 - 03:38 PM

I am not going to fix your Windows problem - end of story!
You read my previous post so follow that advice.


This reply is not encouraging as a response to my latest comment. It sounds as though, if you even read it, you aren't willing to discuss the issues I raised. I believe they're very valid issues.

That version has a bug in it.

Was it only discovered in the last two days, since you gave me the link (the BleepingComputer Combofix info page) from which I downloaded it? Please ensure that page and its links are corrected.

Always quarantine any malware that your antivirus finds. Never delete it.
...read the Avira AntiVir User Manual ...

Thank you very much. Will do.

Your options are
1. Run ComboFix and post the log
2. We can run an alternate removal tool, OTScanIt
3. Reformat and reload. Since this computer is quite a mess, this is the safest and will insure a totally clean computer.

1. No way I'm going to run this with you while the No Disk popup is running and you continue to dismiss it as not malware but merely a "Windows problem."
3. Too drastic and time-consuming for now. Maybe later.
2. would be my choice for now. Please tell me more about OTScanIt.

#14 SifuMike

    malware expert

  • Staff Emeritus

Posted 18 April 2009 - 05:45 PM

It sounds as though, if you even read it, you aren't willing to discuss the issues I raised. I believe they're very valid issues


It sounds like you did not read my reply.

Was it only discovered in the last two days, since you gave me the link (the BleepingComputer Combofix info page) from which I downloaded it?



It is the same link and is updated daily. Since you are afraid to use it, you don't need to update it.


3. Too drastic and time-consuming for now. Maybe later.



It is time consuming, but you have already spent several days on this and by now you could already have had a reformat and reinstall done.

Using any tool, it will probably be several more days before we know the malware is gone.

OTScanIt2 is a program that analyzes an NT-based Windows system and produces a log from which I can determine the system state and whether or not malware is in the system. It does not evaluate what is found. I evaluate the log and decide what is legitimate and what is not. Then I tell you what to remove, you remove it and post several logs so I can check the status.

Note that since this computer is really screwed up, I can't give guarantees I can ever fix it. Only a reformat and reinstall can do that.

#15 jbostrom

  • Topic Starter
  • Members

Posted 19 April 2009 - 02:14 AM

It sounds like you did not read my reply.

The only reply you gave was this:

I am not going to fix your Windows problem - end of story!
You read my previous post so follow that advice.

That doesn't begin to address the issues I raised. It simply reasserts your assumptions and tells me to accept your judgment without question. I'm not a child. I don't take orders from anyone, least of all tech support personnel who can't be bothered explaining very questionable assumptions and assertions.

It is the same link and updated daily. Since you are afraid to use it, you don't need to update it.

First you give me the Combofix link, and then you suddenly tell me, without explanation, that it must be deleted. When I ask why, you say it's because there's a bug in it. And now you tell me don't bother, go ahead and use it anyway - because I'm "afraid?" Please. If this is how they teach you "experts" to help people with malware problems, I'll pass on the school.

It is time consuming, but you have already spent several days on this and by now you could already have had a reformat and reinstall done.

Are you talking about reformatting my hard drive and reinstalling all my software? I don't think you have the slightest realistic clue about how long it would take to do that.

Using any tool, it will probably be several more days before we know the malware is gone.
OtScanit2 is a program to analyze an NT-based Windows system and produce a log from which I can determine the system state and whether or not malware is in the system. It does not evaluate what is found. I evaluate the log and decide what is legitimate and what is not. Then I tell you what to remove, you remove it and post several logs so I can check the status.
Note that since this computer is really screwed up, I can't give guarantees I can ever fix it. Only a reformat and reinstall can do that.

I figured the cleanup process would take a couple of days with any support tech. And I'd like to get the problem resolved ASAP. But I'm not going to be rushed into anything that doesn't make sense to me. And based on the exchanges we've had so far, I doubt you're going to become any more willing to answer my questions. That's only going to delay things further. Sorry, but as the story in my initial post shows, I've already been badly burned by following the suggestions of supposedly knowledgeable and benevolent tech "experts," only to have everything suddenly turn into The Support From Hell. I just don't do that any more.



