Unknown Malware Keeps Popping Up


This topic is locked. 17 replies to this topic.

#1 andyrint
Posted 22 January 2007 - 02:43 PM

Hi folks,

I've tried using Ad-Aware, Spy Sweeper and Spybot to remove the unwanted red icon with a white 'x'. But none have succeeded :thumbsup: Every few minutes it pops up a balloon saying 'Windows has detected spyware infection...' When I click on it, it downloads 'Registry cleaner 2.5 setup' which proceeds to scan and then asks me to buy it.

I've run HijackThis 1.99 and below is the log it created. If someone could help me identify the malware I could probably find instructions for its removal.

Thanks in advance.
Andy

Logfile of HijackThis v1.99.1
Scan saved at 19:21:13, on 22/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msasvc.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctpmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctpmon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\logon.scr
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.24.74.3:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.trema.com;172.24.*;*.tremaone.com;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SpywareBot] "C:\Program Files\SpywareBot\SpywareBot.exe" -boot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Startup Guru] "C:\Program Files\StartupGuru\startupguru.exe" /B
O4 - Startup: BMS.lnk = ?
O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Outlook 2003.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168440378449
O16 - DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} (Siebel Option Pack for IE 7.5.3) - http://customerservices.trema.com/service_...lOptionPack.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168849323825
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.trema.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.trema.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.trema.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.trema.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - c:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

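The log above is meant to be read by eye to spot the bad entry. As an added example, not part of this thread and not code from HijackThis, the Python script below applies five mechanical checks to HijackThis 1.99-style lines: a Run entry whose command is a bare file name with no directory (the [ctpmon] ctpmon.exe line, which is the one fixed in the next post), a Startup shortcut whose target resolves to ?, an O23 service with a Microsoft- or Windows-sounding display name but "Unknown owner", a service marked (file missing), and a path containing an NTFS alternate data stream (the C:\WINDOWS\system32:lzx32.sys path that the SUPERAntiSpyware report further down the thread lists). The sample lines are copied from this thread's logs; the allow-list of acceptable bare names is an assumption for the example. The rules are heuristics: "Unknown owner" on its own is normal for third-party services such as spkrmon or LogWatch, so it is only flagged in combination with a vendor-sounding name.

```python
import re
from typing import Dict, Iterable, List

# Line formats as HijackThis 1.99 prints them (see the logs in this thread).
RUN_RE = re.compile(
    r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - (?:Global )?Startup: (?P<lnk>.+?) = (?P<target>.*)$')
SERVICE_RE = re.compile(
    r'^O23 - Service: (?P<display>.+?) \((?P<svc>[^)]*)\) - (?P<owner>.+?) - (?P<path>.*)$')
# A second colon after the drive letter ("C:\dir:name") marks an NTFS alternate
# data stream, which Explorer and a plain "dir" never list.
ADS_RE = re.compile(r'^[A-Za-z]:\\[^:\r\n]*:(?P<stream>[^\\:\s]+)$')

# Bare-name Run entries that are expected on this box. Assumption for the
# example: nwiz.exe (NVIDIA) and rundll32.exe are the only legitimate ones.
DEFAULT_ALLOW_BARE = ("nwiz.exe", "rundll32.exe")


def command_image(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(lines: Iterable[str], allow_bare: Iterable[str] = DEFAULT_ALLOW_BARE) -> List[Dict[str, str]]:
    """Apply the five heuristics to each log line; one finding per hit, in log order."""
    allow = {name.lower() for name in allow_bare}
    findings: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        m = RUN_RE.match(line)
        if m:
            image = command_image(m.group("cmd"))
            # No directory means the name is resolved by a PATH search at logon,
            # which is how [ctpmon] ctpmon.exe in the log above hides its origin.
            if "\\" not in image and image.lower() not in allow:
                findings.append({"line": line, "rule": "run-bare-name",
                                 "detail": f"{image} has no directory; resolved by PATH search at logon"})
            continue

        m = STARTUP_RE.match(line)
        if m:
            if m.group("target").strip() == "?":
                findings.append({"line": line, "rule": "startup-unresolved",
                                 "detail": f"shortcut {m.group('lnk')} target could not be resolved"})
            continue

        m = SERVICE_RE.match(line)
        if m:
            display, svc, owner, path = m.group("display", "svc", "owner", "path")
            # Genuine Microsoft services carry a company name; "Unknown owner"
            # on a Microsoft-sounding display name is a masquerade signal.
            if owner == "Unknown owner" and re.search(r"microsoft|windows", display, re.I):
                findings.append({"line": line, "rule": "service-vendor-mismatch",
                                 "detail": f"'{display}' has no company name; image {path}"})
            if "(file missing)" in path:
                findings.append({"line": line, "rule": "service-file-missing",
                                 "detail": f"service {svc} is registered but its image is absent"})
            continue

        m = ADS_RE.match(line)
        if m:
            host = line.rsplit(":", 1)[0]
            findings.append({"line": line, "rule": "alternate-data-stream",
                             "detail": f"stream '{m.group('stream')}' hidden on {host}"})
    return findings


# Sample input: lines copied from the logs in this thread (not a full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: BMS.lnk = ?
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
C:\WINDOWS\system32:lzx32.sys
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f['rule']}] {f['detail']}\n    {f['line']}")
```

Run it on a saved hijackthis.log by passing the file's lines to triage(). Note what the bare-name rule does and does not tell you: the ctpmon entry is suspicious because of how it is launched, not because of its name, and the second log in this thread shows the same entry back after a file delete, which is exactly the case where an ADS-resident driver or a service you have not yet found is recreating it.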

#2 MFDnSC
Posted 22 January 2007 - 04:37 PM

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O4 - HKCU\..\Run: [ctpmon] ctpmon.exe

Download http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\ctpmon.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 andyrint (Topic Starter)
Posted 23 January 2007 - 08:35 AM

Hi MFDnSC,

Thanks for that - it worked a treat! The annoying (and potentially career changing!) little red circle has been zapped :thumbsup:

Here is the new log from HijackThis - just in case!!

Logfile of HijackThis v1.99.1
Scan saved at 13:33:44, on 23/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msasvc.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
\lonfs01\BMS-MAIN\Vobuild.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.24.74.3:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.trema.com;172.24.*;*.tremaone.com;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SpywareBot] "C:\Program Files\SpywareBot\SpywareBot.exe" -boot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Startup Guru] "C:\Program Files\StartupGuru\startupguru.exe" /B
O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
O4 - Startup: BMS.lnk = ?
O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Outlook 2003.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168440378449
O16 - DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} (Siebel Option Pack for IE 7.5.3) - http://customerservices.trema.com/service_...lOptionPack.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168849323825
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.trema.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.trema.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.trema.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.trema.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - c:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Many many thanks!
Andy

#4 MFDnSC
Posted 23 January 2007 - 09:51 AM

Download http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
· Restart your computer
· After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
· Instead of Windows loading as normal, the Advanced Options Menu should appear;
· Select the first option, to run Windows in Safe Mode, then press Enter.
· Choose your usual account.
· Open the extracted SDFix folder and double click RunThis.bat to start the script.
· Type Y to begin the cleanup process.
· It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
· Press any Key and it will restart the PC.
· When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
· Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
· Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
==================

Download Superantispyware

http://www.superantispyware.com/superantis...efreevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new HijackThis log.

#5 andyrint (Topic Starter)
Posted 23 January 2007 - 03:01 PM

Hi MFDnSC,

Ok - done all that, here are the logs...

SDFix Report.txt:

SDFix: Version 1.62

23/01/2007 - 16:56:10.54

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
MsaSvc

Path:
C:\WINDOWS\system32\msasvc.exe

MsaSvc Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


***************************

SuperAntiSpyware Log:

SUPERAntiSpyware Scan Log
Generated 01/23/2007 at 07:12 PM

Application Version : 3.5.1016

Core Rules Database Version : 3170
Trace Rules Database Version: 1180

Scan type : Complete Scan
Total Scan Time : 01:19:51

Memory items scanned : 532
Memory threats detected : 0
Registry items scanned : 7333
Registry threats detected : 38
File items scanned : 170627
File threats detected : 127

Adware.Tracking Cookie
C:\Documents and Settings\arintoul\Cookies\arintoul@1068632757[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@accelerator-media[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@ad.adition[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@ad.admarketplace[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@ad.tbn[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@ads.accelerator-media[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@ads.as4x.tmcs.ticketmaster[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@ads.as4x.tmcs[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@ads.channel4[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@ads.cnn[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@ads.gamershell[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@ads.monster[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@ads.neowin[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@ads.touregypt[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@bannersng.yell[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@blue1.bannerconnect[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@campaign.indieclick[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@centrica.usertracking[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@clicks.uknetguide.co[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@clicktracks.newcitymedia[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@creativeby.viewpoint[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@cts.metricsdirect[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@Cucusoft-All-Media-Player[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@dealtime.co[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@eboz[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@esamultimedia.esa[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@hardwarezone[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@icc.intellisrv[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@itracker[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@itracker[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@kanoodle[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@media.adshadow[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@optimost[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@partner2profit[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@qnsr[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@roiservice[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@shopbizrate.co[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@sitestats.tiscali.co[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@smileycentral[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@stat.allofmp3[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@stats.cricket4[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@stats.esomniture[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@stats[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@streamit.hardwarezone[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@summitmedia.co[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@torrent-hitz[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@tracker.netklix[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@tracker[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@tracking.foxnews[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@usads.vibrantmedia[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@warlog[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@windowsmedia[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@www.ccracks[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@www.crackz[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@www.crack[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@www.dgm2[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@www.google.dealtime.co[1].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@www.mystats[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@www.short-media[2].txt
C:\Documents and Settings\arintoul\Cookies\andrewr@www.utmedia.co[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@ad1.emediate[2].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@adbrite[2].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@adinterax[2].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@ads.as4x.tmcs.ticketmaster[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@ads.as4x.tmcs[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@ads.cnn[2].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@ads.ft[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@ads.monster[2].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@ads.planetactive[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@ads.realtechnetwork[2].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@campaign.indieclick[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@clickmusic[2].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@clicktorrent[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@icc.intellisrv[2].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@itxt.vibrantmedia[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@kanoodle[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@media1.gcn[2].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@mysa.liveadulthost[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@partner2profit[2].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@r-kimedia.co[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@redorbit[2].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@roiservice[2].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@s.clickability[2].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@sdc.rbistats[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@tracking.dc-storm[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@tracking.sms[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@unitedmedia[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@winfixer[2].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@www.dgm2[2].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@www.hxtrack[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@www.mediaatlantic[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@www.romnation[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@www.unitedmedia[1].txt
C:\Documents and Settings\arintoul\Cookies\arintoul@www.winfixer[2].txt

Trojan.Media-Codec
HKCR\650ef38e.axb8
HKCR\650ef38e.axb8\CLSID
HKCR\650ef38f.ds45
HKCR\650ef38f.ds45\CLSID
HKCR\6fa10094.vcsd
HKCR\6fa10094.vcsd\CLSID
HKCR\767960fa.ccas
HKCR\767960fa.ccas\CLSID
HKCR\767960fb.2345
HKCR\767960fb.2345\CLSID
HKCR\7fe62cc2.bctp
HKCR\7fe62cc2.bctp\CLSID
HKCR\877faba2.2dfh
HKCR\877faba2.2dfh\CLSID
HKCR\8dcb614a.afbs
HKCR\8dcb614a.afbs\CLSID
HKCR\94ad4b18.3hpo
HKCR\94ad4b18.3hpo\CLSID
HKCR\BprintingHost.Serv
HKCR\BprintingHost.Serv\CLSID
HKCR\BprintingHost.Serv\CLSID\{38ca2fcd-7d7e-11db-96a0-00e08161165f}
HKCR\c5621605.dhcp
HKCR\c5621605.dhcp\CLSID
HKCR\Svshost12.varh
HKCR\Svshost12.varh\CLSID
HKCR\Svshost13.fpol
HKCR\Svshost13.fpol\CLSID
HKCR\Svshost14.knbs
HKCR\Svshost14.knbs\CLSID
HKCR\Svshost15.kbns
HKCR\Svshost15.kbns\CLSID
HKCR\Svshostt.arty
HKCR\Svshostt.arty\CLSID
HKCR\Svshostt.arty\CLSID#d3
HKCR\Svshostt.arty\CLSID#d4
HKCR\Svshostt.arty\CLSID#d1
HKCR\Svshostt.arty\CLSID#d2

Malware.SpywareBot
HKU\S-1-5-21-8915387-770665135-1062434389-22727\Software\SpywareBot
C:\Program Files\SpywareBot\DataBaseNew.ref
C:\Program Files\SpywareBot\Log\log_2007_01_22_15_56_49.log
C:\Program Files\SpywareBot\Log\log_2007_01_22_15_56_50.log
C:\Program Files\SpywareBot\Log\log_2007_01_22_15_57_08.log
C:\Program Files\SpywareBot\Log\log_2007_01_22_17_00_35.log
C:\Program Files\SpywareBot\Log\log_2007_01_22_18_35_21.log
C:\Program Files\SpywareBot\Log\log_2007_01_22_18_47_21.log
C:\Program Files\SpywareBot\Log\log_2007_01_23_13_23_44.log
C:\Program Files\SpywareBot\Log\log_2007_01_23_13_32_25.log
C:\Program Files\SpywareBot\Log
C:\Program Files\SpywareBot\Quarantine
C:\Program Files\SpywareBot\Registry Backups
C:\Program Files\SpywareBot\Settings\CustomScan.stg
C:\Program Files\SpywareBot\Settings\IgnoreList.stg
C:\Program Files\SpywareBot\Settings\ScanInfo.stg
C:\Program Files\SpywareBot\Settings\ScanResults.stg
C:\Program Files\SpywareBot\Settings\SelectedFolders.stg
C:\Program Files\SpywareBot\Settings\Settings.stg
C:\Program Files\SpywareBot\Settings
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\SpywareBot
C:\MY DOWNLOADS\SETUP.EXE

Trojan.Rustock/LZX32
C:\WINDOWS\system32:lzx32.sys

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\ARINTOUL\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\47Y837VZ\SYVMJTGUE[1].TXT

Trojan.SpySheriff
C:\DOCUMENTS AND SETTINGS\ARINTOUL\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\47Y837VZ\UNXHHRFBLI[1].HTM
C:\DOCUMENTS AND SETTINGS\ARINTOUL\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\6T78GOF5\GMSFPMM[1].HTM
C:\DOCUMENTS AND SETTINGS\ARINTOUL\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\DA5U4VW3\CVFCLZWJZ[1].HTM
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3136F22D-795D-47DA-9882-1975C88EE065}\RP1\A0000147.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3136F22D-795D-47DA-9882-1975C88EE065}\RP1\A0000148.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3136F22D-795D-47DA-9882-1975C88EE065}\RP1\A0000149.EXE

Trojan.Downloader-IBM/Shell
C:\DOCUMENTS AND SETTINGS\ARINTOUL\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\6T78GOF5\RKQAXHUR[1].TXT

Trojan.IBM/Shell
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\IBM00001.DLL
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\IBM00002.DLL

****************************************

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:52:26, on 23/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ConTEXT\ConTEXT.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.24.74.3:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.trema.com;172.24.*;*.tremaone.com;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Startup Guru] "C:\Program Files\StartupGuru\startupguru.exe" /B
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: BMS.lnk = ?
O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Outlook 2003.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168440378449
O16 - DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} (Siebel Option Pack for IE 7.5.3) - http://customerservices.trema.com/service_...lOptionPack.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168849323825
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.trema.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.trema.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.trema.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.trema.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - c:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Thanks
Andy
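
The HijackThis log in the post above is read by hand in this thread, but the entry types that the helpers zero in on are mechanical: `(file missing)` markers, O23 services with an "Unknown owner", O4 startup shortcuts whose target could not be resolved, and an O6 policy restriction. The script below is an added example, not part of the thread and not a HijackThis feature; it parses lines in the shape of the log above (the sample block is constructed from a handful of those lines) and lists the entries a reviewer would want to look at first, with the reason for each.

```python
"""Triage helper for HijackThis v1.99-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the HijackThis log posted above (a subset of its lines).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - Startup: BMS.lnk = ?
O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# Every HijackThis entry starts with a section code (R0, O4, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return (section, body) for a HijackThis entry, or None for headers and process lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def check_entry(section, body):
    """Apply the review rules the thread's helpers apply by eye; returns a list of reasons."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("references a file that no longer exists (orphaned or removed component)")
    if section == "O23" and " - Unknown owner - " in body:
        reasons.append("service binary carries no publisher information")
    if section == "O4" and body.rstrip().endswith("= ?"):
        reasons.append("startup shortcut whose target HijackThis could not resolve")
    if section == "O6":
        reasons.append("Internet Explorer policy restriction is set; confirm an admin put it there")
    return reasons


def triage(log_text):
    """Walk the log and keep only the entries that trip at least one review rule."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        reasons = check_entry(section, body)
        if reasons:
            findings.append(Finding(section, raw.strip(), reasons))
    return findings


def summarize(findings):
    """Count flagged entries per section code, e.g. {'O23': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", f.line)
        for r in f.reasons:
            print("   ->", r)
    print(summarize(triage(SAMPLE_LOG)))
```

The rules only shortlist entries for a human to look at; a flagged line is not proof of infection (the orphaned WRNotifier entry above is a leftover from a removed anti-spyware product, and LogWatNT.exe is a legitimate event log watcher that simply ships without publisher metadata). Run the functions over a full log file by reading it into `triage()` in place of `SAMPLE_LOG`.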

#6 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 23 January 2007 - 03:55 PM

IE - Block Third party cookies
1. Click on the Tools button on the Internet Explorer tool bar.
2. Highlight and click on Internet options at the bottom of the Tools menu.
3. Select the Privacy Tab of the Internet Options menu.
4. Select the Advanced... button at the bottom of the screen.
5. Select override automatic cookie handling button.
6. To block third party cookies select block under "Third-party cookies".
7. Select "always allow session cookies".
8. Click on the OK button at the bottom of the screen.
====================
With all of that we need to do a couple more.

=======================

Please download: http://www.uploads.ejvindh.net/rustbfix.exe and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of those logs along with a new HijackThis log from normal mode.
==========================

1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note:
Do not mouse-click combofix's window while it's running. That may cause it to stall.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#7 andyrint

andyrint
  • Topic Starter

  • Members
  • 9 posts

Posted 26 January 2007 - 08:06 AM

Hi MFDnSC,

Sorry for the late reply - I wasn't expecting to do more! Here are the logs....

************************* Rustock.b-fix -- By ejvindh *************************
26/01/2007 12:49:56.13

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
No streams found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************
"arintoul" - 07-01-26 13:00:06 Service Pack 2
ComboFix 07-01-25 - Running from: "C:\Program Files\Mozilla Firefox"

((((((((((((((((((((((((((((((( Files Created from 2006-12-26 to 2007-01-26 ))))))))))))))))))))))))))))))))))


2007-01-26 12:54 <DIR> d-------- C:\avenger
2007-01-26 12:53 0 --a------ C:\backup.reg
2007-01-26 12:49 96 --a------ C:\avexport.bat
2007-01-26 12:49 336 --a------ C:\reboot.bat
2007-01-26 12:49 19,814 --a------ C:\reboot.exe
2007-01-26 12:49 126,976 --a------ C:\zip.exe
2007-01-26 12:49 <DIR> d-------- C:\Rustbfix
2007-01-24 08:29 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2007-01-23 17:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-01-23 17:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-23 17:04 <DIR> d-------- C:\DOCUME~1\arintoul\Application Data\SUPERAntiSpyware.com
2007-01-23 17:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-01-23 16:52 <DIR> d-------- C:\SDFix
2007-01-23 13:28 <DIR> d-------- C:\!KillBox
2007-01-22 18:51 <DIR> d-------- C:\Program Files\HJT
2007-01-22 16:52 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-01-22 15:56 78,488 --a------ C:\WINDOWS\system32\XMD5.dll
2007-01-22 15:56 101,888 --a------ C:\WINDOWS\system32\vb6stkit.dll
2007-01-22 15:12 <DIR> d-------- C:\Program Files\StartMan
2007-01-22 14:39 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-22 14:39 <DIR> d-------- C:\DOCUME~1\arintoul\Application Data\Lavasoft
2007-01-22 11:49 90,112 --------- C:\WINDOWS\SDUnInst.exe
2007-01-22 11:49 <DIR> d-------- C:\Program Files\Software by Design
2007-01-22 11:02 <DIR> d-------- C:\WINDOWS\pss
2007-01-22 10:04 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2007-01-22 09:59 619,771 --a------ C:\WINDOWS\system32\RegistryCleanerSetup.exe
2007-01-18 14:15 <DIR> d-------- C:\DOCUME~1\arintoul\Application Data\Scooter Software
2007-01-18 14:14 <DIR> d-------- C:\Program Files\Beyond Compare 2
2007-01-18 13:58 642,560 --a------ C:\WINDOWS\system32\GSPROP32.DLL
2007-01-18 13:58 423,016 --a------ C:\WINDOWS\system32\GSW32.EXE
2007-01-18 13:58 242,816 --a------ C:\WINDOWS\system32\GSWAG32.DLL
2007-01-18 13:58 152,688 --a------ C:\WINDOWS\system32\GSWDLL32.DLL
2007-01-18 13:58 110,592 --a------ C:\WINDOWS\system32\GSJPG32.DLL
2007-01-18 13:57 94,267 --a------ C:\WINDOWS\system32\etc-1-0-12-1.dll
2007-01-18 13:57 81,986 --a------ C:\WINDOWS\system32\etc-1-0-12.dll
2007-01-18 13:57 1,265,716 --a------ C:\WINDOWS\system32\cxlib-1-6.dll
2007-01-18 13:57 1,249,334 --a------ C:\WINDOWS\system32\cxlibw-1-6.dll
2007-01-18 13:57 1,175,552 --a------ C:\WINDOWS\system32\cxlibw7-1-6.dll
2007-01-16 11:26 <DIR> d-------- C:\Program Files\XML Notepad 2007
2007-01-16 10:39 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-01-16 10:36 <DIR> d-------- C:\WINDOWS\system32\CCM
2007-01-16 10:36 <DIR> d-------- C:\WINDOWS\ms
2007-01-16 10:34 <DIR> d-------- C:\WINDOWS\system32\ccmsetup
2007-01-16 09:51 <DIR> d-------- C:\Transfer
2007-01-16 09:11 <DIR> d-------- C:\My Downloads
2007-01-15 16:15 <DIR> d-------- C:\DOCUME~1\arintoul\Application Data\Help
2007-01-15 10:51 <DIR> d-------- C:\DOCUME~1\arintoul\.sqldeveloper
2007-01-15 08:41 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-01-15 08:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2007-01-13 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-01-12 13:31 <DIR> d-------- C:\dBAdmin328b
2007-01-12 10:36 545 --a------ C:\WINDOWS\VORC.PIF
2007-01-12 03:00 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-01-12 03:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-01-12 03:00 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-01-11 15:33 <DIR> d-------- C:\Program Files\Simpli Software
2007-01-11 11:54 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-01-11 10:29 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-01-11 10:29 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-01-11 10:29 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-01-11 10:21 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-01-11 10:21 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-01-11 10:21 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-01-11 10:21 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-01-11 10:21 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-01-11 10:21 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-01-11 10:21 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-01-11 10:21 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-01-11 10:21 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-01-11 10:21 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-01-11 10:21 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-01-11 10:20 991,232 --a------ C:\WINDOWS\system32\virtear.dll
2007-01-11 10:20 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
2007-01-11 10:20 720,896 --a------ C:\WINDOWS\system32\Audio3d.dll
2007-01-11 10:20 720,896 --a------ C:\WINDOWS\system32\a3d.dll
2007-01-11 10:20 612,352 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
2007-01-11 10:20 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-01-11 10:20 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2007-01-11 10:20 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2007-01-11 10:20 4,816 --a------ C:\WINDOWS\system32\drivers\aeaudio.sys
2007-01-11 10:20 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-01-11 10:20 3,744 --a------ C:\WINDOWS\system32\drivers\smsens.sys
2007-01-11 10:20 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-01-11 10:20 <DIR> d-------- C:\WINDOWS\VirtualEar
2007-01-11 10:20 <DIR> d-------- C:\Program Files\Analog Devices
2007-01-11 10:15 <DIR> d-------- C:\WINDOWS\system32\Dell
2007-01-11 10:15 <DIR> d-------- C:\Program Files\Dell
2007-01-11 10:03 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-01-11 10:03 <DIR> d-------- C:\DOCUME~1\arintoul\Application Data\Leadertech
2007-01-11 10:01 36,939 --a------ C:\WINDOWS\system32\insrepim.exe
2007-01-11 10:01 192,569 --a------ C:\WINDOWS\system32\msrpjt40.dll
2007-01-11 10:00 81,920 --a------ C:\WINDOWS\system32\mdt2fw95.dll
2007-01-11 10:00 32,830 --a------ C:\WINDOWS\system32\dbmsshrn.dll
2007-01-11 10:00 28,734 --a------ C:\WINDOWS\system32\dbmslpcn.dll
2007-01-11 10:00 274,489 --a------ C:\WINDOWS\system32\ntwdblib.dll
2007-01-11 09:59 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-01-11 09:14 <DIR> d-------- C:\DOCUME~1\arintoul\Application Data\Adobe
2007-01-11 09:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-01-11 09:13 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-01-11 09:12 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-01-11 09:09 54,784 --a------ C:\WINDOWS\system32\Inetwh32.dll
2007-01-11 09:09 47,104 --a------ C:\WINDOWS\system32\Wh2Robo.dll
2007-01-11 09:09 <DIR> d-------- C:\Program Files\Paint Shop Pro 6
2007-01-11 08:56 <DIR> d-------- C:\Program Files\Microsoft Calculator Plus
2007-01-10 18:16 <DIR> d-------- C:\quarantine
2007-01-10 17:11 <DIR> d-------- C:\Temp
2007-01-10 17:08 <DIR> d-------- C:\Program Files\ExamDiff
2007-01-10 17:03 <DIR> d-------- C:\Program Files\ConTEXT
2007-01-10 16:54 <DIR> d-------- C:\shared
2007-01-10 16:53 <DIR> d-------- C:\econophysica
2007-01-10 16:52 <DIR> d-------- C:\andy
2007-01-10 16:51 <DIR> d-------- C:\gnupg
2007-01-10 16:51 <DIR> d-------- C:\Bankfile
2007-01-10 16:50 <DIR> d-------- C:\DOCUME~1\arintoul\Application Data\Google
2007-01-10 16:49 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-01-10 16:49 <DIR> d-------- C:\Program Files\Google
2007-01-10 16:43 <DIR> d-------- C:\Program Files\allTunes
2007-01-10 16:43 <DIR> d-------- C:\DOCUME~1\arintoul\Application Data\allTunes
2007-01-10 16:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\allTunes
2007-01-10 16:38 <DIR> d-------- C:\oracle
2007-01-10 16:37 <DIR> d-------- C:\Program Files\Oracle
2007-01-10 16:27 57,856 --------- C:\WINDOWS\system32\Tngremo_.exe
2007-01-10 16:27 154,624 --------- C:\WINDOWS\system32\Tngremov.exe
2007-01-10 16:27 <DIR> d-------- C:\CA_LIC
2007-01-10 15:56 <DIR> d-------- C:\WINRICH32_stdlife
2007-01-10 15:56 <DIR> d-------- C:\Winrich32_rele
2007-01-10 15:54 <DIR> d-------- C:\Zips
2007-01-10 15:53 <DIR> d-------- C:\WINRICH32_beta
2007-01-10 15:50 <DIR> d-------- C:\WINRICH32_bernard
2007-01-10 15:50 <DIR> d-------- C:\WINRICH32_alpha
2007-01-10 15:50 <DIR> d-------- C:\WINRICH32_Agilent
2007-01-10 15:50 <DIR> d-------- C:\Odyssey.NET
2007-01-10 15:49 <DIR> d-------- C:\WINRICH32_3I
2007-01-10 15:47 <DIR> dr------- C:\My Music
2007-01-10 15:30 <DIR> d-------- C:\2Build
2007-01-10 15:17 <DIR> d-------- C:\Program Files\Microsoft ACT
2007-01-10 15:17 <DIR> d-------- C:\Program Files\HTML Help Workshop
2007-01-10 15:17 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2007-01-10 15:12 <DIR> d-------- C:\Program Files\Mozilla Firefox
2007-01-10 15:12 <DIR> d-------- C:\DOCUME~1\arintoul\Application Data\Talkback
2007-01-10 15:10 <DIR> dr--s---- C:\WINDOWS\assembly
2007-01-10 15:10 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-01-10 15:10 <DIR> d-------- C:\WINDOWS\Microsoft.NET
2007-01-10 15:02 <DIR> d-------- C:\Program Files\Crystal Decisions
2007-01-10 15:02 <DIR> d-------- C:\Program Files\Common Files\Crystal Decisions
2007-01-10 15:00 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-01-10 15:00 <DIR> d-------- C:\Program Files\MapInfo MapX
2007-01-10 14:59 <DIR> d-------- C:\WINDOWS\Crystal
2007-01-10 14:59 <DIR> d-------- C:\Program Files\Seagate Software
2007-01-10 14:59 <DIR> d-------- C:\Program Files\NotesSQL
2007-01-10 14:51 <DIR> d-------- C:\CA_APPSW
2007-01-10 14:46 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-01-10 14:46 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-01-10 14:44 <DIR> d-------- C:\Program Files\MSDN
2007-01-10 14:44 <DIR> d-------- C:\Program Files\Microsoft Visual Studio .NET 2003
2007-01-10 14:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Microsoft Help
2007-01-10 14:30 <DIR> d-------- C:\Program Files\RealVNC
2007-01-10 14:29 <DIR> d---s---- C:\DOCUME~1\arintoul\UserData
2007-01-10 14:12 <DIR> d-------- C:\WINDOWS\SchCache
2007-01-10 14:11 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-01-10 14:09 <DIR> d--hs---- C:\WINDOWS\CSC
2007-01-10 13:58 <DIR> d-------- C:\Program Files\Nero
2007-01-10 13:58 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-01-10 13:56 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2007-01-10 13:55 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-01-10 13:55 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-01-10 13:55 <DIR> d-------- C:\Program Files\Microsoft Works
2007-01-10 13:55 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-01-10 13:55 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-01-10 13:52 <DIR> dr-h----- C:\MSOCache
2007-01-10 13:50 58,048 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
2007-01-10 13:50 108,256 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-01-10 13:50 <DIR> d-------- C:\Program Files\Network Associates
2007-01-10 13:50 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2007-01-10 13:50 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-01-10 13:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Network Associates
2007-01-10 13:47 86,016 --a------ C:\WINDOWS\system32\nvmctray.dll
2007-01-10 13:47 81,920 --a------ C:\WINDOWS\system32\nvwddi.dll
2007-01-10 13:47 6,725,632 --a------ C:\WINDOWS\system32\nvcpl.dll
2007-01-10 13:47 540,672 --a------ C:\WINDOWS\system32\nvhwvid.dll
2007-01-10 13:47 5,144,576 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-01-10 13:47 466,944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-01-10 13:47 442,368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-01-10 13:47 393,216 --a------ C:\WINDOWS\system32\keystone.exe
2007-01-10 13:47 32,768 --a------ C:\WINDOWS\system32\nvcodins.dll
2007-01-10 13:47 32,768 --a------ C:\WINDOWS\system32\nvcod.dll
2007-01-10 13:47 3,879,808 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-01-10 13:47 3,188,512 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-01-10 13:47 286,720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-01-10 13:47 176,128 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-01-10 13:47 147,456 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-01-10 13:47 127,043 --a------ C:\WINDOWS\system32\nvsvc32.exe
2007-01-10 13:47 1,662,976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-01-10 13:47 1,519,616 --a------ C:\WINDOWS\system32\nwiz.exe
2007-01-10 13:47 1,466,368 --a------ C:\WINDOWS\system32\nview.dll
2007-01-10 13:47 1,339,392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-01-10 13:47 1,019,904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-01-10 13:47 <DIR> d-------- C:\WINDOWS\nview
2007-01-10 13:47 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-01-10 13:46 <DIR> d--hs---- C:\RECYCLER
2007-01-10 13:46 <DIR> d-------- C:\dbx
2007-01-10 13:39 24,064 --a------ C:\WINDOWS\system32\IntelNic.dll
2007-01-10 13:39 139,264 --a------ C:\WINDOWS\system32\e1000msg.dll
2007-01-10 13:39 131,584 --a------ C:\WINDOWS\system32\drivers\e1000325.sys
2007-01-10 13:39 118,784 --a------ C:\WINDOWS\system32\Prounstl.exe
2007-01-10 12:36 <DIR> d-------- C:\I386
2007-01-10 12:34 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-01-10 12:34 <DIR> d-------- C:\WINDOWS\Prefetch
2007-01-10 12:31 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-01-10 12:31 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-01-10 12:31 <DIR> d-------- C:\DELL
2007-01-10 12:30 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2007-01-10 12:30 0 -rahs---- C:\MSDOS.SYS
2007-01-10 12:30 0 -rahs---- C:\IO.SYS
2007-01-10 12:30 0 --a------ C:\CONFIG.SYS
2007-01-10 12:30 0 --a------ C:\AUTOEXEC.BAT
2007-01-10 12:30 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2007-01-10 12:30 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1\DRM
2007-01-10 12:30 <DIR> d--h----- C:\Program Files\WindowsUpdate
2007-01-10 12:30 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2007-01-10 12:29 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2007-01-10 12:29 81,920 --a------ C:\WINDOWS\system32\ils.dll
2007-01-10 12:29 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2007-01-10 12:29 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2007-01-10 12:29 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-01-10 12:29 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2007-01-10 12:29 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2007-01-10 12:29 679,424 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-01-10 12:29 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2007-01-10 12:29 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-01-10 12:29 64,512 --a------ C:\WINDOWS\system32\acctres.dll
2007-01-10 12:29 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-01-10 12:29 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2007-01-10 12:29 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2007-01-10 12:29 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2007-01-10 12:29 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-01-10 12:29 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-01-10 12:29 41,240 --a------ C:\WINDOWS\system32\wups.dll
2007-01-10 12:29 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-01-10 12:29 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-01-10 12:29 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-01-10 12:29 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-01-10 12:29 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2007-01-10 12:29 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-01-10 12:29 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2007-01-10 12:29 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-01-10 12:29 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-01-10 12:29 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-01-10 12:29 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2007-01-10 12:29 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-01-10 12:29 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-01-10 12:29 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-01-10 12:29 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2007-01-10 12:29 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-01-10 12:29 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2007-01-10 12:29 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2007-01-10 12:29 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll
2007-01-10 12:29 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2007-01-10 12:29 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2007-01-10 12:29 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-01-10 12:29 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll
2007-01-10 12:29 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2007-01-10 12:29 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2007-01-10 12:29 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2007-01-10 12:29 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-01-10 12:29 <DIR> d---s---- C:\WINDOWS\Tasks
2007-01-10 12:29 <DIR> d-------- C:\WINDOWS\system32\Restore
2007-01-10 12:29 <DIR> d-------- C:\WINDOWS\system32\Macromed
2007-01-10 12:29 <DIR> d-------- C:\WINDOWS\system32\DirectX
2007-01-10 12:29 <DIR> d-------- C:\WINDOWS\srchasst
2007-01-10 12:29 <DIR> d-------- C:\Program Files\Movie Maker
2007-01-10 12:29 <DIR> d-------- C:\Program Files\Common Files\MSSoap
2007-01-10 12:28 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2007-01-10 12:28 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-01-10 12:28 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-01-10 12:28 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2007-01-10 12:28 9,728 --a------ C:\WINDOWS\system32\reset.exe
2007-01-10 12:28 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-01-10 12:28 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-01-10 12:28 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2007-01-10 12:28 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2007-01-10 12:28 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2007-01-10 12:28 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2007-01-10 12:28 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2007-01-10 12:28 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-01-10 12:28 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2007-01-10 12:28 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2007-01-10 12:28 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2007-01-10 12:28 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-01-10 12:28 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-01-10 12:28 56,832 --a------ C:\WINDOWS\system32\sol.exe
2007-01-10 12:28 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2007-01-10 12:28 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2007-01-10 12:28 54,272 --a------ C:\WINDOWS\system32\stclient.dll
2007-01-10 12:28 538,624 --a------ C:\WINDOWS\system32\spider.exe
2007-01-10 12:28 5,632 --a------ C:\WINDOWS\system32\write.exe
2007-01-10 12:28 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2007-01-10 12:28 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll
2007-01-10 12:28 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-01-10 12:28 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2007-01-10 12:28 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-01-10 12:28 407,552 --a------ C:\WINDOWS\system32\mstsc.exe
2007-01-10 12:28 4,096 --a------ C:\WINDOWS\system32\rdpcfgex.dll
2007-01-10 12:28 4,096 --a------ C:\WINDOWS\system32\mtxex.dll
2007-01-10 12:28 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-01-10 12:28 35,328 --a------ C:\WINDOWS\system32\winchat.exe
2007-01-10 12:28 347,136 --a------ C:\WINDOWS\system32\hypertrm.dll
2007-01-10 12:28 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-01-10 12:28 33,792 --a------ C:\WINDOWS\system32\regini.exe
2007-01-10 12:28 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2007-01-10 12:28 25,600 --a------ C:\WINDOWS\system32\comaddin.dll
2007-01-10 12:28 25,088 --a------ C:\WINDOWS\system32\mtxlegih.dll
2007-01-10 12:28 227,840 --a------ C:\WINDOWS\system32\avtapi.dll
2007-01-10 12:28 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2007-01-10 12:28 22,016 --a------ C:\WINDOWS\system32\qwinsta.exe
2007-01-10 12:28 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-01-10 12:28 20,992 --a------ C:\WINDOWS\system32\msg.exe
2007-01-10 12:28 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2007-01-10 12:28 20,480 --a------ C:\WINDOWS\system32\mtxdm.dll
2007-01-10 12:28 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-01-10 12:28 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2007-01-10 12:28 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2007-01-10 12:28 16,896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2007-01-10 12:28 16,896 --a------ C:\WINDOWS\system32\qappsrv.exe
2007-01-10 12:28 16,384 --a------ C:\WINDOWS\system32\tskill.exe
2007-01-10 12:28 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2007-01-10 12:28 15,872 --a------ C:\WINDOWS\system32\rwinsta.exe
2007-01-10 12:28 15,872 --a------ C:\WINDOWS\system32\cdmodem.dll
2007-01-10 12:28 15,360 --a------ C:\WINDOWS\system32\logoff.exe
2007-01-10 12:28 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2007-01-10 12:28 147,456 --a------ C:\WINDOWS\system32\comsnap.dll
2007-01-10 12:28 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-01-10 12:28 14,848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2007-01-10 12:28 14,848 --a------ C:\WINDOWS\system32\tscon.exe
2007-01-10 12:28 14,848 --a------ C:\WINDOWS\system32\shadow.exe
2007-01-10 12:28 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2007-01-10 12:28 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2007-01-10 12:28 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-01-10 12:28 13,824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-01-10 12:28 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2007-01-10 12:28 123,392 --a------ C:\WINDOWS\system32\mplay32.exe
2007-01-10 12:28 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2007-01-10 12:28 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2007-01-10 12:28 114,688 --a------ C:\WINDOWS\system32\calc.exe
2007-01-10 12:28 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2007-01-10 12:28 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2007-01-10 12:28 11,264 --a------ C:\WINDOWS\system32\icaapi.dll
2007-01-10 12:28 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-01-10 12:28 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2007-01-10 12:28 1,161 --a------ C:\WINDOWS\system32\usrlogon.cmd
2007-01-10 12:28 <DIR> d-------- C:\WINDOWS\system32\MsDtc
2007-01-10 12:28 <DIR> d-------- C:\WINDOWS\system32\Com
2007-01-10 12:28 <DIR> d-------- C:\WINDOWS\Registration
2007-01-10 12:28 <DIR> d-------- C:\Program Files\Windows NT
2007-01-10 12:28 <DIR> d-------- C:\Program Files\Online Services
2007-01-10 12:28 <DIR> d-------- C:\Program Files\MSN Gaming Zone
2007-01-10 12:28 <DIR> d-------- C:\Program Files\Messenger
2007-01-10 12:27 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
2007-01-10 12:27 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2007-01-10 12:27 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-01-10 12:27 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-01-10 12:27 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2007-01-10 12:27 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2007-01-10 12:26 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-01-10 12:25 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-01-10 12:25 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-01-10 12:25 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-01-10 12:25 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys
2007-01-10 12:24 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
2007-01-10 12:24 9,008 --a------ C:\WINDOWS\system\VER.DLL
2007-01-10 12:24 85,020 --a------ C:\WINDOWS\system32\dgsetup.dll
2007-01-10 12:24 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
2007-01-10 12:24 8,704 --a------ C:\WINDOWS\system32\batt.dll
2007-01-10 12:24 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
2007-01-10 12:24 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2007-01-10 12:24 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll
2007-01-10 12:24 69,584 --a------ C:\WINDOWS\system\AVICAP.DLL
2007-01-10 12:24 69,120 --a------ C:\WINDOWS\NOTEPAD.EXE
2007-01-10 12:24 68,768 --a------ C:\WINDOWS\system\MMSYSTEM.DLL
2007-01-10 12:24 6,656 -ra------ C:\WINDOWS\system32\kbdycl.dll
2007-01-10 12:24 6,656 -ra------ C:\WINDOWS\system32\kbdsl1.dll
2007-01-10 12:24 6,656 -ra------ C:\WINDOWS\system32\kbdsl.dll
2007-01-10 12:24 6,656 -ra------ C:\WINDOWS\system32\kbdpl.dll
2007-01-10 12:24 6,656 -ra------ C:\WINDOWS\system32\kbdhu.dll
2007-01-10 12:24 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll
2007-01-10 12:24 6,656 -ra------ C:\WINDOWS\system32\kbdcz2.dll
2007-01-10 12:24 6,656 -ra------ C:\WINDOWS\system32\kbdcz1.dll
2007-01-10 12:24 6,656 -ra------ C:\WINDOWS\system32\kbdcr.dll
2007-01-10 12:24 6,656 -ra------ C:\WINDOWS\system32\KBDAL.DLL
2007-01-10 12:24 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll
2007-01-10 12:24 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll
2007-01-10 12:24 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll
2007-01-10 12:24 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll
2007-01-10 12:24 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll
2007-01-10 12:24 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll
2007-01-10 12:24 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll
2007-01-10 12:24 5,632 -ra------ C:\WINDOWS\system32\kbdro.dll
2007-01-10 12:24 5,632 -ra------ C:\WINDOWS\system32\kbdpl1.dll
2007-01-10 12:24 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll
2007-01-10 12:24 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll
2007-01-10 12:24 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll
2007-01-10 12:24 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll
2007-01-10 12:24 5,632 -ra------ C:\WINDOWS\system32\kbdhu1.dll
2007-01-10 12:24 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll
2007-01-10 12:24 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll
2007-01-10 12:24 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll
2007-01-10 12:24 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll
2007-01-10 12:24 5,120 --a------ C:\WINDOWS\system\SHELL.DLL
2007-01-10 12:24 32,816 --a------ C:\WINDOWS\system\COMMDLG.DLL
2007-01-10 12:24 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-01-10 12:24 24,064 --a------ C:\WINDOWS\system\OLESVR.DLL
2007-01-10 12:24 19,200 --a------ C:\WINDOWS\system\TAPI.DLL
2007-01-10 12:24 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll
2007-01-10 12:24 15,360 --a------ C:\WINDOWS\TASKMAN.EXE
2007-01-10 12:24 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-01-10 12:24 126,912 --a------ C:\WINDOWS\system\MSVIDEO.DLL
2007-01-10 12:24 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2007-01-10 12:24 109,456 --a------ C:\WINDOWS\system\AVIFILE.DLL
2007-01-10 12:24 103,424 --a------ C:\WINDOWS\system32\EqnClass.Dll
2007-01-10 12:24 <DIR> dr------- C:\Program Files
2007-01-10 12:24 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Documents
2007-01-10 12:24 <DIR> d--hs---- C:\WINDOWS\Installer
2007-01-10 12:24 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-01-10 12:24 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2007-01-10 12:24 <DIR> d-------- C:\Program Files\Common Files\SpeechEngines
2007-01-10 12:24 <DIR> d-------- C:\Program Files\Common Files\ODBC
2007-01-10 12:23 <DIR> d--hs---- C:\System Volume Information
2007-01-10 12:23 <DIR> d-------- C:\Documents and Settings
2007-01-10 12:18 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
2007-01-10 12:18 <DIR> dr--s---- C:\WINDOWS\Fonts
2007-01-10 12:18 <DIR> dr------- C:\WINDOWS\Web
2007-01-10 12:18 <DIR> d-a------ C:\WINDOWS\system32
2007-01-10 12:18 <DIR> d--h----- C:\WINDOWS\inf
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\WinSxS
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\twain_32
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\wins
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\wbem
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\usmt
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\spool
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\ShellExt
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\Setup
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\ras
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\oobe
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\npp
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\mui
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\inetsrv
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\IME
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\icsxml
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\ias
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\export
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\drivers\etc
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\drivers\disdn
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\drivers
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\dhcp
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\config
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\3com_dmi
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\3076
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\2052
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\1054
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\1042
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\1041
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\1037
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\1033
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\1031
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\1028
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system32\1025
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\system
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\security
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\Resources
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\repair
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\Provisioning
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\PeerNet
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\pchealth
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\mui
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\msapps
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\msagent
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\Media
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\java
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\ime
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\Help
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\ehome
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\Driver Cache
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\dell
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\Debug
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\Cursors
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\Connection Wizard
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\Config
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\AppPatch
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS\addins
2007-01-10 12:18 <DIR> d-------- C:\WINDOWS


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-22 10:32 -------- d---s---- C:\DOCUME~1\arintoul\Application Data\microsoft
2007-01-11 12:34 -------- d-------- C:\DOCUME~1\arintoul\Application Data\macromedia
2007-01-10 15:12 -------- d-------- C:\DOCUME~1\arintoul\Application Data\mozilla
2007-01-10 14:12 -------- d-------- C:\DOCUME~1\arintoul\Application Data\identities
2007-01-10 12:24 62 --ahs---- C:\DOCUME~1\arintoul\Application Data\desktop.ini
2006-12-07 05:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Startup Guru"="\"C:\\Program Files\\StartupGuru\\startupguru.exe\" /B"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"nwiz"="\"nwiz.exe\" /install"
"NvMediaCenter"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\tbmon.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoSMMyPictures"=hex:01,00,00,00
"ForceStartMenuLogOff"=dword:00000001
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"="cleanmgr.exe"
"2"="edonkey.exe"
"3"="kazaa.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\defrag C.job
C:\WINDOWS\tasks\defrag D.job

Completion time: 07-01-26 13:02:53







Logfile of HijackThis v1.99.1
Scan saved at 13:06, on 07-01-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
\lonfs01\BMS-MAIN\Vobuild.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\analyse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.24.74.3:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.trema.com;172.24.*;*.tremaone.com;*.wallstreetsystems.com;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Startup Guru] "C:\Program Files\StartupGuru\startupguru.exe" /B
O4 - Startup: BMS.lnk = ?
O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Outlook 2003.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168440378449
O16 - DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} (Siebel Option Pack for IE 7.5.3) - http://customerservices.trema.com/service_...lOptionPack.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168849323825
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.trema.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.trema.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.trema.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.trema.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - c:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


Cheers
Andy
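A way to triage a HijackThis 1.99 log of the kind posted above, as an added example and not code from the thread or from HijackThis itself. The sample lines are constructed in the same format as the log; the flagging rules (a referenced file that is missing, a service with no publisher, Winlogon Notify packages, autostarts from user-writable folders, an unresolved startup shortcut, a configured proxy) are the things a helper reads first and are assumptions about what deserves a second look, not verdicts that an entry is malicious. The name example.exe is hypothetical.

```python
"""Triage of a HijackThis 1.99 log: flag the entries a helper looks at first.

Added example, not code from the thread or from HijackThis. The rules are
heuristics for what deserves a second look, not verdicts of malice.
"""
import re
from dataclasses import dataclass

# Constructed sample lines in the format HijackThis 1.99 writes. Paths and
# names are illustrative only (example.exe is a hypothetical file).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.24.74.3:8080
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Startup Guru] "C:\Program Files\StartupGuru\startupguru.exe" /B
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O4 - Startup: BMS.lnk = ?
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str


# "O23 - Service: ..." -> kind "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A drive-letter path ending in a PE/driver extension; spaces allowed (Program Files)
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|sys)\b', re.IGNORECASE)
# Folders an ordinary XP user can write to: an autostart from here is suspicious
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


def parse_hjt(text):
    """Return (kind, body, line) triples for every 'Xnn - ...' entry in the log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body"), raw.strip()))
    return entries


def triage(text):
    """Apply the review heuristics to each entry and return the findings."""
    findings = []
    for kind, body, line in parse_hjt(text):
        low = body.lower()
        if "(file missing)" in low:
            findings.append(Finding("medium", "points at a file that no longer exists (stale or deleted component)", line))
        if kind == "O23" and "unknown owner" in low:
            findings.append(Finding("medium", "service binary has no publisher information; confirm it is expected", line))
        if kind == "O20":
            findings.append(Finding("high", "Winlogon Notify package: loaded into winlogon.exe at every logon", line))
        if kind == "O4":
            if body.rstrip().endswith("= ?"):
                findings.append(Finding("medium", "startup shortcut whose target could not be resolved", line))
            for path in PATH_RE.findall(body):
                if any(marker in path.lower() for marker in USER_WRITABLE):
                    findings.append(Finding("high", "autostart from a user-writable folder", line))
        if kind == "R1" and "proxyserver" in low:
            findings.append(Finding("info", "proxy configured; confirm it is the expected corporate proxy", line))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    order = ("high", "medium", "info")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Every finding carries the original log line so it can be matched back to the HijackThis "Fix checked" list; the script deliberately does not decide which entries to fix, since a legitimately uninstalled product (a leftover Winlogon Notify or service entry) produces the same "(file missing)" as a half-removed infection.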

#8 Blender (Malware Response Team, Location: Ontario)

Posted 31 January 2007 - 02:27 AM

Andy:

Hi and welcome.

Sorry for the delay in replying.
Your helper is away and I will be assisting you with whatever is left to do.

I looked over your logs briefly and must warn you that you had some keylogger activity on your computer.
I suspect virus infection as well unless you just did a repair install or something.
There is no reason, other than an entire system update or a re-install of the OS on top of the old one, that ComboFix would report this many file/folder changes.

I notice you have RealVNC installed. Is this a computer you use to access work? Or is it an office computer?
If this is a work computer then you potentially have a security issue.

Seeing you had keylogger infection:

You will need to change ALL your passwords to any sites/services you log into.
Because I am not sure you are clean yet, you are advised not to use this computer to log into these sites/services until it is cleaned.
If you use this computer to do online banking, credit card purchases or similar sensitive activities, you are advised to contact these companies to advise them of probable compromise.

If you use this machine to log into work over a VPN or similar you are advised to notify the IT department at work so your log-in passwords can be reset.


In all honesty, if this was my machine that was attacked in this nature, I would be formatting/re-installing the operating system along with all my programs from known good/clean backups.
If this is a work-related machine and it has sensitive data stored on it or customer databases for whatever work you do, I don't think you or the company involved should take the risk of this data being compromised and landing in the wrong hands.

Let me know when you have seen this and let me know if you want to continue cleaning or are going to opt for format.

Thanks

Blender
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware.

#9 andyrint (Topic Starter)

Posted 02 February 2007 - 08:24 AM

Hi Blender,

I think I'm quite lucky, as I think I know when this infection happened and haven't been to any banking or secure sites since then. Also, this machine was formatted only 3-4 weeks ago. If it's possible to be 100% sure the key logger is gone then I think I can do without re-formatting. This machine is at my office and is on a VPN that requires external users to log on with a number generated by a little key fob 'dongle', as well as my logon password. VNC was installed by us but can probably be removed now as we've changed to using Remote Desktop.

Let me know what you think.

Cheers
Andy

#10 Blender (Malware Response Team, Location: Ontario)

Posted 02 February 2007 - 08:55 PM

Hi

The machine being formatted a few weeks ago explains, then, why so many files are listed in your ComboFix log.
It looks like the new install took place around the 10th of January. Correct?
Over the course of a few days after that you installed the rest of your software.

One thing I am concerned with is the nature of data stored on this machine.
If an unauthorized party was able to gain access and had access to sensitive customer data your company could end up liable.

Besides the keylogger you had, there were also two backdoors, as shown/cleaned up by SDFix & Rustbfix.

http://www.castlecops.com/o23list-2222.html
http://fileinfo.prevx.com/adware/qqc6f6411...MSASVC.EXE.html

http://www.symantec.com/security_response/...-99&tabid=2

Keylogger info:

http://www.sophos.com/virusinfo/analyses/trojtorpigc.html

Not sure I understand this key fob thing, but am I close in saying it is a device each user who connects to your PC would need to have in order to generate the "one time" passcode, to get to where he/she can then log on using the preset password you provided them with?
Without it one cannot log on, correct?

I would like to double check with an online scan and another log to check some security settings.
I believe sdfix reset most of the damage done by the backdoor.

Question about some security settings..
Looks like you set these policies?:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"="cleanmgr.exe"
"2"="edonkey.exe"
"3"="kazaa.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=dword:00000001

Disabled running of kazaa, edonkey, cleanmgr and disabled anyone from changing your password.
Correct?

Just checking, because if you set these... OK.
I'll confirm with you about other set policies before changing anything from the other log.

Have a look in this folder:

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS

Look for any ibm0000*.* files.
Either DLL files or EXEs; they all start with ibm0000.
I think all have been picked up by the apps you ran so far, but do double check.
If any are present, delete them.

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Next:

I have attached a file called Inspect.zip
Save file and unzip it.
It must be unzipped to work.
Double click Inspect.bat and let it run.
Log file should pop up. If it does not the log is located here:

C:\lsa.txt

Post its contents please.

Thanks
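Once the Kaspersky Online Scanner report comes back, the lines that matter are the "Infected:" ones that sit outside quarantine folders and restore points; an "Object is locked skipped" line is a file the scanner could not open (registry hives, mail stores, logs), not a detection, and a "not-a-virus:" hit is a tool such as VNC that is fine only if it was installed on purpose. The triage below is an added example, not part of the thread or of Kaspersky's tooling; the report lines are constructed in the scanner's output format, and the folder names treated as quarantine (C:\quarantine, C:\!KillBox), the restore-point GUID placeholder and the file example.dll are assumptions.

```python
"""Triage of a Kaspersky Online Scanner report: separate real detections
from locked files, quarantine leftovers, restore points and riskware.

Added example, not from the thread or from Kaspersky. The report lines are
constructed in the scanner's output format; the quarantine folder names and
the restore-point GUID placeholder are assumptions.
"""
import re

# Constructed sample lines in the "path <result> skipped" format the scanner writes
SAMPLE_REPORT = r"""
C:\!KillBox\ctpmon.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\quarantine\Tools&Docs.zip.Vir/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
C:\quarantine\Tools&Docs.zip.Vir ZIP: infected - 1 skipped
C:\System Volume Information\_restore{constructed-guid}\RP1\A0000456.exe Infected: Trojan-PSW.Win32.Sinowal.bw skipped
C:\WINDOWS\system32\example.dll Infected: Trojan-PSW.Win32.Sinowal.cg skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
"""

# path, then one of: "Infected: <name>", "Object is locked", "<ARCHIVE>: infected - <n>"
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"Infected: (?P<detection>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<archive>\w+): infected - (?P<count>\d+)"
    r") skipped$"
)
# Folders cleanup tools (KillBox, SDFix and the like) park removed files in. Assumed names.
QUARANTINE_DIRS = ("\\!killbox\\", "\\quarantine\\")
RESTORE_MARKER = "\\system volume information\\_restore"

BUCKETS = ("active", "riskware", "restore_point", "quarantined", "locked", "archive")


def classify(line):
    """Return (bucket, path, detection) for one result line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    low = path.lower()
    if m.group("locked"):
        return ("locked", path, None)
    if m.group("archive"):
        return ("archive", path, f"{m.group('archive')} container with {m.group('count')} infected member(s)")
    detection = m.group("detection")
    if any(d in low for d in QUARANTINE_DIRS):
        return ("quarantined", path, detection)   # already removed by a cleanup tool
    if RESTORE_MARKER in low:
        return ("restore_point", path, detection)  # inert until a restore point is used
    if detection.lower().startswith("not-a-virus:"):
        return ("riskware", path, detection)       # legitimate tool, check it is yours
    return ("active", path, detection)             # a live detection on the system


def triage_report(text):
    """Group every result line of the report into the buckets above."""
    buckets = {b: [] for b in BUCKETS}
    for line in text.splitlines():
        r = classify(line)
        if r:
            buckets[r[0]].append((r[1], r[2]))
    return buckets


def next_steps(buckets):
    """Turn the non-empty buckets into the follow-up actions a helper would ask for."""
    steps = []
    if buckets["active"]:
        steps.append("active detections outside quarantine: the machine is not clean yet")
    if buckets["restore_point"]:
        steps.append("infected restore points: purge System Restore once clean (XP: turn it off, reboot, turn it on)")
    if buckets["riskware"]:
        steps.append("riskware (remote admin / net tools): fine only if you installed it on purpose")
    if buckets["quarantined"]:
        steps.append("quarantine leftovers: delete the quarantine folders when the cleanup is over")
    return steps


if __name__ == "__main__":
    result = triage_report(SAMPLE_REPORT)
    for bucket in BUCKETS:
        for path, detection in result[bucket]:
            print(f"{bucket:14} {path}  {detection or ''}")
    print("\n".join(next_steps(result)))
```

The bucket order is the reading order: anything in "active" means the cleanup is not finished, restore-point hits come back if System Restore is ever used, and the locked list is only worth a look if a path in it is somewhere unexpected.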

#11 andyrint (Topic Starter)

Posted 06 February 2007 - 04:01 AM

Hi Blender,

You are correct about the key fob. I have to go to a web site where I add my username and the one time password. That then launches a bit of software that allows me to Remote access this PC.

I haven't set any policies - it's a group policy set by the IT dept. I can believe that they have disallowed those programs and I know I'm not allowed to change my password.

No ibm0000*.* in C:\Program Files\Common Files\Microsoft Shared\Web Folders or C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033

Kaspersky found a lot of viruses - most of them locked.
Here's the log file....


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 06, 2007 8:49:52 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/02/2007
Kaspersky Anti-Virus database records: 264917
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
P:\
W:\
X:\
Y:\
Z:\

Scan Statistics:
Total number of scanned objects: 278695
Number of viruses found: 7
Number of infected objects: 92 / 0
Number of suspicious objects: 0
Duration of the scan process: 07:03:17

Infected Object Name / Virus Name / Last Action
C:\!KillBox\ctpmon.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070205_Time-110315218_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070205_Time-110315218_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_ARINTOUL.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_ARINTOUL.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\arintoul\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\arintoul\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\arintoul\Application Data\Mozilla\Firefox\Profiles\rme7jpr2.default\cert8.db Object is locked skipped
C:\Documents and Settings\arintoul\Application Data\Mozilla\Firefox\Profiles\rme7jpr2.default\history.dat Object is locked skipped
C:\Documents and Settings\arintoul\Application Data\Mozilla\Firefox\Profiles\rme7jpr2.default\key3.db Object is locked skipped
C:\Documents and Settings\arintoul\Application Data\Mozilla\Firefox\Profiles\rme7jpr2.default\parent.lock Object is locked skipped
C:\Documents and Settings\arintoul\Application Data\Mozilla\Firefox\Profiles\rme7jpr2.default\search.sqlite Object is locked skipped
C:\Documents and Settings\arintoul\Application Data\Mozilla\Firefox\Profiles\rme7jpr2.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\arintoul\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\arintoul\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped
C:\Documents and Settings\arintoul\Local Settings\Application Data\Microsoft\Outlook\outlook.ost Object is locked skipped
C:\Documents and Settings\arintoul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\arintoul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\arintoul\Local Settings\Application Data\Mozilla\Firefox\Profiles\rme7jpr2.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\arintoul\Local Settings\Application Data\Mozilla\Firefox\Profiles\rme7jpr2.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\arintoul\Local Settings\Application Data\Mozilla\Firefox\Profiles\rme7jpr2.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\arintoul\Local Settings\Application Data\Mozilla\Firefox\Profiles\rme7jpr2.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\arintoul\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\arintoul\Local Settings\Temp\AcrAF5D.tmp Object is locked skipped
C:\Documents and Settings\arintoul\Local Settings\Temp\ExchangePerflog_8484fa31c61f26c0cfcccd43.dat Object is locked skipped
C:\Documents and Settings\arintoul\Local Settings\Temp\hsperfdata_arintoul\3152 Object is locked skipped
C:\Documents and Settings\arintoul\Local Settings\Temp\~DF7A42.tmp Object is locked skipped
C:\Documents and Settings\arintoul\Local Settings\Temp\~WRS0000.tmp Object is locked skipped
C:\Documents and Settings\arintoul\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\arintoul\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\arintoul\NtUser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\oracle\ora92\oramts\trace\OracleMTSRecoveryService(532).trc Object is locked skipped
C:\oracle\sqldeveloper\jdev\system\oracle.javatools.cache\persist_0.stf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\northwnd.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\northwnd.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\pubs.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\pubs_log.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\quarantine\Tools&Docs.zip.Vir/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
C:\quarantine\Tools&Docs.zip.Vir ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3136F22D-795D-47DA-9882-1975C88EE065}\RP1\A0000144.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\System Volume Information\_restore{3136F22D-795D-47DA-9882-1975C88EE065}\RP1\A0000150.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\System Volume Information\_restore{3136F22D-795D-47DA-9882-1975C88EE065}\RP1\A0000191.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\System Volume Information\_restore{3136F22D-795D-47DA-9882-1975C88EE065}\RP1\A0000456.exe Infected: Trojan-PSW.Win32.Sinowal.bw skipped
C:\System Volume Information\_restore{3136F22D-795D-47DA-9882-1975C88EE065}\RP12\change.log Object is locked skipped
C:\System Volume Information\_restore{3136F22D-795D-47DA-9882-1975C88EE065}\RP2\A0000467.dll Infected: Trojan-PSW.Win32.Sinowal.cg skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\CAS.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\CcmExec.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\CertificateMaintenance.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\ClientIDManagerStartup.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\DataTransferService.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\execmgr.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\FileSystemFile.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\InventoryAgent.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\LocationServices.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\mtrmgr.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\PatchInstall.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\PatchUIMonitor.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\PolicyAgent.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\PolicyAgentProvider.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\PolicyEvaluator.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\Scheduler.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\SrcUpdateMgr.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\StatusAgent.log Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\00000009.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\00000009.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\00000008.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\00000008.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\0000000A.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\0000000A.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\0000001U.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\0000001U.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\0000000L.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\0000000L.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\0000001E.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\0000001E.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UpdatesInstallMgr\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UpdatesInstallMgr\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\0000000C.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\0000000C.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\0000001D.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\0000001D.que Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1f0.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\App25\build\richmond.VOM Object is locked skipped
D:\App25\build\RSLSQL.LOG Object is locked skipped
D:\App25\VODATA\Gdn\01_RSL_L.APP Object is locked skipped
D:\App25\VODATA\Gdn\02_RSL_D.APP Object is locked skipped
D:\App25\VODATA\Gdn\03_RSL_C.APP Object is locked skipped
D:\App25\VODATA\Gdn\04_RSL_G.APP Object is locked skipped
D:\App25\VODATA\Gdn\10_BE_MI.APP Object is locked skipped
D:\App25\VODATA\Gdn\11_BE_AC.APP Object is locked skipped
D:\App25\VODATA\Gdn\12_BE_GU.APP Object is locked skipped
D:\App25\VODATA\Gdn\13_BE_CL.APP Object is locked skipped
D:\App25\VODATA\Gdn\14_BE_CO.APP Object is locked skipped
D:\App25\VODATA\Gdn\20_MLN_L.APP Object is locked skipped
D:\App25\VODATA\Gdn\21_MLN_S.APP Object is locked skipped
D:\App25\VODATA\Gdn\22_MLN_M.APP Object is locked skipped
D:\App25\VODATA\Gdn\30_GDN_D.APP Object is locked skipped
D:\App25\VODATA\Gdn\31_GDN_D.APP Object is locked skipped
D:\App25\VODATA\Gdn\32_GDN_D.APP Object is locked skipped
D:\App25\VODATA\Gdn\33_GDN_D.APP Object is locked skipped
D:\App25\VODATA\Gdn\34_GDN_B.APP Object is locked skipped
D:\App25\VODATA\Gdn\35_GDN_R.APP Object is locked skipped
D:\App25\VODATA\Gdn\36_GDN_A.APP Object is locked skipped
D:\App25\VODATA\Gdn\37_GDN_S.APP Object is locked skipped
D:\App25\VODATA\Gdn\39_GDN_L.APP Object is locked skipped
D:\App25\VODATA\Gdn\41_CPT_W.APP Object is locked skipped
D:\App25\VODATA\Gdn\42_CPT_P.APP Object is locked skipped
D:\App25\VODATA\Gdn\43_CPT_G.APP Object is locked skipped
D:\App25\VODATA\Gdn\44_CPT_A.APP Object is locked skipped
D:\App25\VODATA\Gdn\45_CPT_P.APP Object is locked skipped
D:\App25\VODATA\Gdn\46_CPT_R.APP Object is locked skipped
D:\App25\VODATA\Gdn\47_CPT_V.APP Object is locked skipped
D:\App25\VODATA\Gdn\50_PHT_D.APP Object is locked skipped
D:\App25\VODATA\Gdn\51_PHT_M.APP Object is locked skipped
D:\App25\VODATA\Gdn\52_PHT_E.APP Object is locked skipped
D:\App25\VODATA\Gdn\53_PHT_F.APP Object is locked skipped
D:\App25\VODATA\Gdn\54_PHT_C.APP Object is locked skipped
D:\App25\VODATA\Gdn\55_PHT_R.APP Object is locked skipped
D:\App25\VODATA\Gdn\56_PHT_N.APP Object is locked skipped
D:\App25\VODATA\Gdn\57_PHT_P.APP Object is locked skipped
D:\App25\VODATA\Gdn\60_SOC_L.APP Object is locked skipped
D:\App25\VODATA\Gdn\80_CLI_C.APP Object is locked skipped
D:\App25\VODATA\Gdn\90_ECASH.APP Object is locked skipped
D:\App25\VODATA\Gdn\APP_1.APP Object is locked skipped
D:\App25\VODATA\Gdn\APP_CONC.APP Object is locked skipped
D:\App25\VODATA\Gdn\APP_GUAR.APP Object is locked skipped
D:\App25\VODATA\Gdn\APP_MAIN.APP Object is locked skipped
D:\App25\VODATA\Gdn\APP_ODYS.APP Object is locked skipped
D:\App25\VODATA\Gdn\APP_PROP.APP Object is locked skipped
D:\App25\VODATA\Gdn\APP_RSLF.APP Object is locked skipped
D:\App25\VODATA\Gdn\APP_SENT.APP Object is locked skipped
D:\App25\VODATA\Gdn\APP_SOCR.APP Object is locked skipped
D:\App25\VODATA\Gdn\APP_SQL_.APP Object is locked skipped
D:\App25\VODATA\Gdn\APP_XML_.APP Object is locked skipped
D:\App25\VODATA\Gdn\REPNAME.IND Object is locked skipped
D:\App25\VODATA\Gdn\REPTYPE.IND Object is locked skipped
D:\App25\VODATA\Gdn\_CATALOG.VO Object is locked skipped
D:\CAVO25\SYSTEM\SYSTEM10.APP Object is locked skipped
D:\CAVO25\SYSTEM\SYSTEM11.APP Object is locked skipped
D:\CAVO25\SYSTEM\SYSTEM12.APP Object is locked skipped
D:\CAVO25\SYSTEM\SYSTEM13.APP Object is locked skipped
D:\CAVO25\SYSTEM\SYSTEM14.APP Object is locked skipped
D:\CAVO25\SYSTEM\SYSTEM1_.APP Object is locked skipped
D:\CAVO25\SYSTEM\SYSTEM3_.APP Object is locked skipped
D:\CAVO25\SYSTEM\SYSTEM4_.APP Object is locked skipped
D:\CAVO25\SYSTEM\SYSTEM5_.APP Object is locked skipped
D:\CAVO25\SYSTEM\SYSTEM6_.APP Object is locked skipped
D:\CAVO25\SYSTEM\SYSTEM7_.APP Object is locked skipped
D:\CAVO25\SYSTEM\SYSTEM8_.APP Object is locked skipped
D:\CAVO25\SYSTEM\SYSTEM9_.APP Object is locked skipped
D:\CAVO25\SYSTEM\SYSTEM_L.APP Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{3136F22D-795D-47DA-9882-1975C88EE065}\RP12\change.log Object is locked skipped
W:\Agilent\setupECASH_RELEASE_3.0718.zip/setupECASH_RELEASE_3.0718.exe/data0332/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
W:\Agilent\setupECASH_RELEASE_3.0718.zip/setupECASH_RELEASE_3.0718.exe/data0332 Infected: not-a-virus:NetTool.Win32.PsKill skipped
W:\Agilent\setupECASH_RELEASE_3.0718.zip/setupECASH_RELEASE_3.0718.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
W:\Agilent\setupECASH_RELEASE_3.0718.zip ZIP: infected - 3 skipped
W:\Omnicom\From FTP Server\setupECASH_RELEASE_3.0604A.exe/data0298/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
W:\Omnicom\From FTP Server\setupECASH_RELEASE_3.0604A.exe/data0298 Infected: not-a-virus:NetTool.Win32.PsKill skipped
W:\Omnicom\From FTP Server\setupECASH_RELEASE_3.0604A.exe Inno: infected - 2 skipped
W:\Omnicom\From FTP Server\setupECASH_RELEASE_3.0715.exe/data0332/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
W:\Omnicom\From FTP Server\setupECASH_RELEASE_3.0715.exe/data0332 Infected: not-a-virus:NetTool.Win32.PsKill skipped
W:\Omnicom\From FTP Server\setupECASH_RELEASE_3.0715.exe Inno: infected - 2 skipped
W:\Omnicom\From FTP Server\setupECASH_RELEASE_3.0718.exe/data0332/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
W:\Omnicom\From FTP Server\setupECASH_RELEASE_3.0718.exe/data0332 Infected: not-a-virus:NetTool.Win32.PsKill skipped
W:\Omnicom\From FTP Server\setupECASH_RELEASE_3.0718.exe Inno: infected - 2 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd10.zip/APP25/ECASH/Output/setup.exe/data0280/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd10.zip/APP25/ECASH/Output/setup.exe/data0280 Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd10.zip/APP25/ECASH/Output/setup.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd10.zip ZIP: infected - 3 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd13.zip/APP25/ECASH/Output/setup.exe/data0280/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd13.zip/APP25/ECASH/Output/setup.exe/data0280 Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd13.zip/APP25/ECASH/Output/setup.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd13.zip ZIP: infected - 3 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd16.zip/APP25/ECASH/Output/setup.exe/data0280/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd16.zip/APP25/ECASH/Output/setup.exe/data0280 Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd16.zip/APP25/ECASH/Output/setup.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd16.zip ZIP: infected - 3 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd19.zip/APP25/ECASH/Output/setup.exe/data0280/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd19.zip/APP25/ECASH/Output/setup.exe/data0280 Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd19.zip/APP25/ECASH/Output/setup.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd19.zip ZIP: infected - 3 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd22.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd22.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd22.zip ZIP: infected - 2 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd25.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd25.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd25.zip ZIP: infected - 2 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd28.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd28.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd28.zip ZIP: infected - 2 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd31.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd31.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd31.zip ZIP: infected - 2 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd34.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd34.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd34.zip ZIP: infected - 2 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd37.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd37.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd37.zip ZIP: infected - 2 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd39.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd39.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd39.zip ZIP: infected - 2 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd4.zip/APP25/ECASH/Output/setup.exe/data0280/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd4.zip/APP25/ECASH/Output/setup.exe/data0280 Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd4.zip/APP25/ECASH/Output/setup.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd4.zip ZIP: infected - 3 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd41.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd41.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd41.zip ZIP: infected - 2 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd44.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd44.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd44.zip ZIP: infected - 2 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd47.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd47.zip/APP25/ECASH/eCash3/tools/Tools&Docs.zip Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd47.zip ZIP: infected - 2 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd57.zip/crack.exe/ist1.exe Infected: Trojan-Downloader.Win32.IstBar.is skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd57.zip/crack.exe Infected: Trojan-Downloader.Win32.IstBar.is skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd57.zip ZIP: infected - 2 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd60.zip/crack.exe Infected: Trojan-Downloader.Win32.Small.bws skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd60.zip ZIP: infected - 1 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd61.zip/crack.exe Infected: Trojan-Downloader.Win32.Small.bws skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd61.zip ZIP: infected - 1 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd62.zip/crack.exe Infected: Trojan-Downloader.Win32.Small.bws skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd62.zip ZIP: infected - 1 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd64.exe Infected: Trojan-Downloader.Win32.Small.bws skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd65.exe/ist1.exe Infected: Trojan-Downloader.Win32.IstBar.is skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd65.exe ZIP: infected - 1 skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd66.exe Infected: Trojan-Downloader.Win32.Small.bws skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd67.exe Infected: Trojan-Downloader.Win32.Small.bws skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd7.zip/APP25/ECASH/Output/setup.exe/data0280/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd7.zip/APP25/ECASH/Output/setup.exe/data0280 Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd7.zip/APP25/ECASH/Output/setup.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd7.zip ZIP: infected - 3 skipped
X:\System Volume Information\tracking.log Object is locked skipped

Scan process completed.

It looks like there are some false positives here.
All the D:\App25\VODATA\Gdn\*.APP files are the ones I make (I'm a programmer),
and the D:\CAVO25\SYSTEM\*.APP files are from the programming language I use.

I couldn't see the attachment - Inspect.zip?

Cheers
Andy

#12 Blender

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 06 February 2007 - 11:33 PM

Hi

Sorry I took a while to get back. Had my own system crash to fix.

Most if not all of those "locked" files are not malware. They are just files the online scanner cannot open to read. The system or a program on your PC has them "in use". None in your list look to be of a malicious nature.

Files flagged from this directory:
C:\Program Files\RealVNC
Not a virus but it is a remote access tool. I imagine you are/were using this to access the other PC or have others log into yours.
Perfectly legit program but it is flagged as risk because these tools can be used maliciously.

Where you see pskill.exe all over the logs...
Again, not a true virus, but this tool can be used maliciously to stop system processes. It is a command-line process killer.
It is legit if used properly.
Where it is listed throughout your log it seems each program would need to use it in order to shut down/restart the application that is being installed/updated.
AV cannot tell the difference between good/bad use of such programs so they alert the user.

Those items on drive W, you also created them? If so, they are OK. Looks again like pskill is flagged in each instance.

This leaves stuff in system restore. We'll deal with that last. Those files cannot hurt you unless you actually restore your computer using an infected restore point.
Also leaves this file:
C:\!KillBox\ctpmon.exe
You can delete the directory !Killbox

Drive X has some junk in the recycle bin.
Just empty your recycle bin. Should nuke those.

Looks like I forgot to attach inspect.zip. Sorry about that :thumbsup:

Will try again.
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
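The triage Blender does by hand above (locked files are noise, "not-a-virus:" hits are riskware to verify, restore-point and RECYCLER hits need a purge or an emptied bin, anything else is a live detection) can be applied mechanically to this scanner's log format. The script below is an added example, not part of the thread; its category rules and recommended actions are my reading of Blender's advice, the sample lines are copied from the log above except for dropper_EXAMPLE.exe, which is a constructed placeholder.

```python
"""Triage helper for Kaspersky-style online scanner output (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# The three line shapes that appear in the scan log: a path followed by a verdict.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
# Container totals; the page shows ZIP and Inno, extend the alternation if your log shows more.
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>ZIP|Inno): infected - (?P<count>\d+) skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")

# What to do per bucket, following the advice given in the thread (assumption: my wording).
RECOMMENDED_ACTION = {
    "riskware": "legitimate admin tool if you installed it (RealVNC, pskill inside installers); otherwise remove",
    "restore-point": "harmless unless restored; purge restore points once the live system is clean",
    "recycle-bin": "empty the recycle bin",
    "malware": "live detection on disk: remove it and work out how it got there",
}


@dataclass
class Finding:
    path: str       # path as printed, with '/' separating archive members
    disk_path: str  # the on-disk file (everything before the first '/')
    name: str       # detection name as reported by the scanner
    category: str   # one of RECOMMENDED_ACTION's keys


def on_disk_path(path: str) -> str:
    """The scanner prints archive members after a '/'; on-disk paths use backslashes only."""
    return path.split("/", 1)[0]


def categorize(disk_path: str, name: str) -> str:
    if name.startswith("not-a-virus:"):
        return "riskware"
    low = disk_path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore-point"
    if "\\recycler\\" in low:
        return "recycle-bin"
    return "malware"


def triage(lines):
    """Parse scanner lines into noise counts plus a list of Finding objects."""
    report = {"locked": 0, "archive_summaries": 0, "unparsed": [], "findings": []}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if LOCKED_RE.match(line):
            report["locked"] += 1             # in-use files, not detections
        elif ARCHIVE_RE.match(line):
            report["archive_summaries"] += 1  # container totals; members are listed separately
        elif (m := INFECTED_RE.match(line)):
            disk = on_disk_path(m["path"])
            report["findings"].append(
                Finding(m["path"], disk, m["name"], categorize(disk, m["name"])))
        else:
            report["unparsed"].append(line)   # never silently drop an unknown verdict
    return report


def summarize(report):
    """Collapse nested archive members onto their on-disk container, per category."""
    grouped = defaultdict(lambda: defaultdict(set))
    for f in report["findings"]:
        grouped[f.category][f.disk_path].add(f.name)
    return {cat: {p: sorted(names) for p, names in paths.items()}
            for cat, paths in grouped.items()}


# Constructed sample: lines copied from the scan log above plus one placeholder
# live detection (dropper_EXAMPLE.exe is made up for illustration).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\quarantine\Tools&Docs.zip.Vir/TEMP/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
C:\quarantine\Tools&Docs.zip.Vir ZIP: infected - 1 skipped
C:\System Volume Information\_restore{3136F22D-795D-47DA-9882-1975C88EE065}\RP1\A0000456.exe Infected: Trojan-PSW.Win32.Sinowal.bw skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd57.zip/crack.exe/ist1.exe Infected: Trojan-Downloader.Win32.IstBar.is skipped
X:\RECYCLER\S-1-5-21-129000043-1474514139-1846952604-500\Dd57.zip ZIP: infected - 2 skipped
C:\Documents and Settings\user\Local Settings\Temp\dropper_EXAMPLE.exe Infected: Trojan-Downloader.Win32.Small.bws skipped
""".strip().splitlines()

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"locked (ignored): {report['locked']}, archive summaries: {report['archive_summaries']}")
    for cat, paths in summarize(report).items():
        print(f"\n[{cat}] {RECOMMENDED_ACTION[cat]}")
        for p, names in paths.items():
            print(f"  {p}\n    {', '.join(names)}")
    for line in report["unparsed"]:
        print("UNPARSED:", line)
```

Anything that lands in the "malware" bucket is what actually needs attention on the live filesystem; the other buckets reproduce the "not malware, but..." verdicts from the reply above.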

#13 andyrint

  • Topic Starter
  • Members
  • 9 posts

Posted 07 February 2007 - 03:43 AM

Hi Blender

Ah ha! Found the zip file! Here's its output....

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnGroup"=hex(7):00
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,57,69,6e,4d,67,6d,74,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:000000e6

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:*:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:*:Enabled:@xpsp2res.dll,-22002"
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://labswus"
"WUStatusServer"="http://labswus"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AutoInstallMinorUpdates"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"RebootRelaunchTimeoutEnabled"=dword:00000001
"RebootRelaunchTimeout"=dword:00000078
"UseWUServer"=dword:00000001
"RescheduleWaitTimeEnabled"=dword:00000001
"RescheduleWaitTime"=dword:0000000f
"DetectionFrequencyEnabled"=dword:00000001
"DetectionFrequency"=dword:0000000c

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\OLE]

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Security Center"
"DependOnService"=hex(7):52,70,63,53,73,00,77,69,6e,6d,67,6d,74,00,00
"ObjectName"="LocalSystem"
"Description"="Monitors system security settings and configurations."

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,53,59,53,54,45,4d,52,4f,4f,54,25,5c,73,79,73,74,65,6d,\
33,32,5c,77,73,63,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc\Enum]
"0"="Root\\LEGACY_WSCSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr]
"Type"=dword:00000010
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,\
74,6c,6e,74,73,76,72,2e,65,78,65,00
"DisplayName"="Telnet"
"DependOnService"=hex(7):52,50,43,53,53,00,54,43,50,49,50,00,4e,54,4c,4d,53,53,\
50,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"=hex(2):45,6e,61,62,6c,65,73,20,61,20,72,65,6d,6f,74,65,20,75,73,\
65,72,20,74,6f,20,6c,6f,67,20,6f,6e,20,74,6f,20,74,68,69,73,20,63,6f,6d,70,\
75,74,65,72,20,61,6e,64,20,72,75,6e,20,70,72,6f,67,72,61,6d,73,2c,20,61,6e,\
64,20,73,75,70,70,6f,72,74,73,20,76,61,72,69,6f,75,73,20,54,43,50,2f,49,50,\
20,54,65,6c,6e,65,74,20,63,6c,69,65,6e,74,73,2c,20,69,6e,63,6c,75,64,69,6e,\
67,20,55,4e,49,58,2d,62,61,73,65,64,20,61,6e,64,20,57,69,6e,64,6f,77,73,2d,\
62,61,73,65,64,20,63,6f,6d,70,75,74,65,72,73,2e,20,49,66,20,74,68,69,73,20,\
73,65,72,76,69,63,65,20,69,73,20,73,74,6f,70,70,65,64,2c,20,72,65,6d,6f,74,\
65,20,75,73,65,72,20,61,63,63,65,73,73,20,74,6f,20,70,72,6f,67,72,61,6d,73,\
20,6d,69,67,68,74,20,62,65,20,75,6e,61,76,61,69,6c,61,62,6c,65,2e,20,49,66,\
20,74,68,69,73,20,73,65,72,76,69,63,65,20,69,73,20,64,69,73,61,62,6c,65,64,\
2c,20,61,6e,79,20,73,65,72,76,69,63,65,73,20,74,68,61,74,20,65,78,70,6c,69,\
63,69,74,6c,79,20,64,65,70,65,6e,64,20,6f,6e,20,69,74,20,77,69,6c,6c,20,66,\
61,69,6c,20,74,6f,20,73,74,61,72,74,2e,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Description"="Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start."
"DependOnService"=hex(7):52,50,43,53,53,00,00
"DisplayName"="Remote Registry"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,4c,6f,63,61,6c,53,65,72,\
76,69,63,65,00
"ObjectName"="NT AUTHORITY\\LocalService"
"Group"=""
"Start"=dword:00000002
"Type"=dword:00000020
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,e0,ad,08,\
00,01,00,00,00,e8,03,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,72,65,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum]
"0"="Root\\LEGACY_REMOTEREGISTRY\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,62,72,\
6f,77,73,65,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:c3,52,6d,24,fb,47,03,41,90,a8,f1,a1,ea,a3,59,dc
"AdjustedNullSessionPipes"=dword:00000001
"CachedOpenLimit"=dword:00000000

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
WaitToKillServiceTimeout REG_SZ 20000

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000002

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\ExclusionList]
"Photoshop Album Starter Edition.exe"=dword:00000001
"componentlauncher.exe"=dword:00000001

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,6c,00,00,00,7c,00,00,00,00,00,00,00,\
14,00,00,00,02,00,58,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,00,00,24,00,1f,00,00,00,01,05,00,00,00,00,00,05,15,00,00,\
00,3f,ad,14,62,fd,77,b1,56,82,8b,a6,28,f2,03,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"LsaPid"=dword:000003b4
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:d1,92,b1,7a,74,bc,e3,b5,bd,f0,73,87,5e,1c,49,19,34,62,33,35,64,\
36,39,30,00,fd,07,00,4e,4a,00,00,34,fa,07,00,56,82,7c,75,20,fa,07,00,40,fd,\
07,00,4c,fd,07,00,3d,d9,45,5d,11,d4,35,41,4d,f5,ae,4b

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:9e,03,a0,14,bb,bb,01,f9,be

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:b9,1a,8d,03,83,3d

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:75,a8,fd,93,af,78,75,4f,a6,bb,00,a3,93,f4,85,8b

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:6e,28,23,73,66,35,c7,01

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Type"=dword:00000002
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"Tag"=dword:00000004
"ImagePath"=hex(2):73,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,73,72,2e,\
73,79,73,00
"DisplayName"="System Restore Filter Driver"
"Group"="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
"FirstRun"=dword:00000000
"DontBackup"=dword:00000000
"MachineGuid"="{3136F22D-795D-47DA-9882-1975C88EE065}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Enum]
"0"="Root\\LEGACY_SR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoSMMyPictures"=hex:01,00,00,00
"ForceStartMenuLogOff"=dword:00000001
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun]
"1"="cleanmgr.exe"
"2"="edonkey.exe"
"3"="kazaa.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableChangePassword"=dword:00000001

Cheers
Andy

#14 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:03:42 PM

Posted 07 February 2007 - 04:37 AM

Hi

Log looks fine. :thumbsup:

I did forget to ask you, though, whether you or your IT dept wanted Windows Task Manager to run at boot-up?

O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe

You can delete the following if you have not already:

C:\SDFix <-- folder
C:\rustbfix <--folder
c:\avenger.txt
C:\lsa.txt
SDFix.exe off desktop
rustbfix.exe off desktop
combofix.exe
Inspect.zip
inspect.txt
You can delete those scan logs we asked for as well.

Do me up one more hijackthis log and post it here please?
Things running smooth?

Thanks :flowers:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#15 andyrint

andyrint
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:42 PM

Posted 09 February 2007 - 03:37 AM

Hi Blender,

It's me that likes Task Manager to run at startup - I write too many endless loops!

I'll remove all those diagnostic tools in a few minutes.

Here's the last HijackThis log....

Logfile of HijackThis v1.99.1
Scan saved at 08:31:46, on 09/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
\lonfs01\BMS-MAIN\Vobuild.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.24.74.3:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.trema.com;172.24.*;*.tremaone.com;*.wallstreetsystems.com;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [Startup Guru] "C:\Program Files\StartupGuru\startupguru.exe" /B
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: BMS.lnk = ?
O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Outlook 2003.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168440378449
O16 - DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} (Siebel Option Pack for IE 7.5.3) - http://customerservices.trema.com/service_...lOptionPack.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168849323825
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.trema.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.trema.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.trema.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.trema.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - c:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Thank you (and MFDnSC) very much for all your help. Now that my PC is clean, I'll make a donation.

Andy :thumbsup:
