Virtumonde infection again [CLOSED], Randomly disappearing files too
DonQuixorleon
post Nov 26 2008, 02:30 AM
Post #1
Member
Posts: 27
OS: XP

I have received Virtumonde infection through the usual WinFix auto-installer popup window. A window popped up during startup saying it could not locate “milokira.dll”, which I have deduced is related to Vundo, since the actual installation could not be completed thanks to a handy(ish) firewall and a quick ctrl-alt-del.

Edit: milokira.dll has stopped being brought up at startup, now the error message reads:
Title bar: "Windows - No Disk
Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c
Cancel -Try Again- Continue"


We ran Lavasoft Ad-Aware, which began fine but stopped scanning once it got to a certain part of the registry. Spybot temporarily stopped it, and VundoFix appears to have finished the job. McAfee and VirtuMondeBeGone do not detect anything else; however, Lavasoft Ad-Aware is still auto-closing once it gets to a part of the registry.

My sister’s login was also wiped of all her folders and the background was changed to a default blue. Nothing remains but an Internet Explorer icon in the top left corner and a Recycle Bin in the bottom right corner. Other logins have remained untouched. I was hoping it would revert to normal.

Edit: On further investigation it appears her login is being redirected to a temporary ID and her stuff has not been deleted.

Here is my VirtuMondeBeGone log:

[11/26/2008, 0:14:02] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\HP_Owner\Desktop\VirtumundoBeGone.exe" )
[11/26/2008, 0:14:10] - Detected System Information:
[11/26/2008, 0:14:10] - Windows Version: 5.1.2600, Service Pack 3
[11/26/2008, 0:14:11] - Current Username: HP_Owner (Admin)
[11/26/2008, 0:14:11] - Windows is in NORMAL mode.
[11/26/2008, 0:14:11] - Searching for Browser Helper Objects:
[11/26/2008, 0:14:11] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[11/26/2008, 0:14:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/26/2008, 0:14:11] - No filename found. Continuing.
[11/26/2008, 0:14:11] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[11/26/2008, 0:14:11] - BHO 3: {0e01b9c3-3406-496f-82f2-a20ec5edb6ba} ()
[11/26/2008, 0:14:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/26/2008, 0:14:11] - Checking for HKLM\...\Winlogon\Notify\lelasupu
[11/26/2008, 0:14:11] - Key not found: HKLM\...\Winlogon\Notify\lelasupu, continuing.
[11/26/2008, 0:14:11] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[11/26/2008, 0:14:11] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[11/26/2008, 0:14:11] - BHO 6: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[11/26/2008, 0:14:11] - BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[11/26/2008, 0:14:11] - BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[11/26/2008, 0:14:11] - BHO 9: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[11/26/2008, 0:14:11] - BHO 10: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)
[11/26/2008, 0:14:11] - BHO 11: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (MSNToolBandBHO)
[11/26/2008, 0:14:11] - Finished Searching Browser Helper Objects
[11/26/2008, 0:14:11] - Finishing up...
[11/26/2008, 0:14:11] - Nothing found! Exiting...



And here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:26 PM, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0e01b9c3-3406-496f-82f2-a20ec5edb6ba} - C:\WINDOWS\system32\lelasupu.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mepidukeba] Rundll32.exe "C:\WINDOWS\system32\yifihifu.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA6206] command /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3776] cmd /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1059] command /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6926] cmd /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKUS\S-1-5-19\..\Run: [mepidukeba] Rundll32.exe "C:\WINDOWS\system32\yifihifu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [mepidukeba] Rundll32.exe "C:\WINDOWS\system32\yifihifu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://198.182.65.154/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://rsvpn.raytheon.com/,DanaInfo=TU2-MS...=java+dwa7W.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06071909/qsp2ie06071909.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F3541E2-CE4E-4D73-A489-E8C3545D5D37}: NameServer = 205.171.3.65,205.171.2.65
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\duyusowi.dll C:\WINDOWS\system32\nepiragi.dll c:\windows\system32\gipefena.dll c:\windows\system32\milokira.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\milokira.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\milokira.dll (file missing)
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 14325 bytes
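The HijackThis log above is where a helper looks for the Vundo persistence points: O2 BHOs registered with "(no name)", O4 Run entries that call Rundll32 on a DLL in system32, the O20 AppInit_DLLs list, and O21/O22 hooks that still point at a missing file. As an added example that is not part of this thread and not code from HijackThis, the Python script below applies those checks to constructed lines in the shape of the posted log and lists the files a helper would review. The rules, the consonant/vowel filename heuristic and the function names are assumptions made for this illustration, not HijackThis's own detection logic.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread; not code from HijackThis, the forum or the
poster. The rules below are assumptions about what a helper looks for when
reading O2/O4/O20/O21 lines, not HijackThis's own detection logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a few lines in the shape of the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0e01b9c3-3406-496f-82f2-a20ec5edb6ba} - C:\WINDOWS\system32\lelasupu.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [mepidukeba] Rundll32.exe "C:\WINDOWS\system32\yifihifu.dll",s
O4 - HKUS\S-1-5-19\..\Run: [mepidukeba] Rundll32.exe "C:\WINDOWS\system32\yifihifu.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\duyusowi.dll C:\WINDOWS\system32\nepiragi.dll c:\windows\system32\milokira.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\milokira.dll (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
""".strip("\n")

SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path ending in .dll or .exe; lazy so several paths on one line split apart.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:dll|exe)\b', re.IGNORECASE)
VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """Assumed heuristic: 8 lowercase letters that strictly alternate
    consonant/vowel (lelasupu, yifihifu, milokira). Legitimate components
    rarely have this shape; the random names in the posted log do."""
    if not re.fullmatch(r"[a-z]{8}", stem):
        return False
    is_vowel = [c in VOWELS for c in stem]
    return all(a != b for a, b in zip(is_vowel, is_vowel[1:]))


def stem_of(path: str) -> str:
    """Lower-cased filename without directory or extension (Windows separators)."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


@dataclass(frozen=True)
class Finding:
    line_no: int
    section: str
    reasons: tuple[str, ...]
    paths: tuple[str, ...]


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that trips at least one rule."""
    findings: list[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        paths = tuple(PATH_RE.findall(body))
        reasons: list[str] = []
        if section == "O2" and "(no name)" in body:
            reasons.append("BHO registered without a name")
        if "(no file)" in body:
            reasons.append("orphaned registration (no backing file)")
        if (section == "O4" and re.search(r"\brundll32(\.exe)?\s", body, re.I)
                and any(in_system32(p) for p in paths)):
            reasons.append("Run entry uses Rundll32 to load a DLL from system32")
        if section == "O20":
            reasons.append("AppInit_DLLs entry: listed DLLs load into every process that links user32")
        if section in ("O21", "O22") and "(file missing)" in body:
            reasons.append("shell/scheduler hook points at a missing file")
        for p in paths:
            if looks_generated(stem_of(p)):
                reasons.append(f"random-looking filename '{stem_of(p)}'")
        if reasons:
            findings.append(Finding(line_no, section, tuple(reasons), paths))
    return findings


def suspect_dlls(findings: list[Finding]) -> list[str]:
    """Distinct basenames of flagged system32 files whose names look generated."""
    names = {stem_of(p) + "." + p.rsplit(".", 1)[-1].lower()
             for f in findings for p in f.paths
             if in_system32(p) and looks_generated(stem_of(p))}
    return sorted(names)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no} {f.section}: " + "; ".join(f.reasons))
    print("files to review:", ", ".join(suspect_dlls(found)))
```

The script only reports; it does not touch the registry or delete anything, which matches how the helpers here work: the log is read, the suspicious entries are listed, and removal is left to a dedicated tool run under instruction. The name heuristic will miss variants that use a different naming scheme, so the section rules, not the name check, are what carry the triage.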
fenzodahl512
post Nov 28 2008, 06:33 PM
Post #2
Trusted Helper
Posts: 5,223
OS: Windows XP

Hello, my name is fenzodahl512 and welcome to Geekstogo.. Please do the following..


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  1. In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  2. A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  3. Open the extracted folder and double click RunThis.bat to start the script.
  4. Type Y to begin the script.
  5. It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  6. Press any Key and it will restart the PC.
  7. Your system will take longer than normal to restart as the fixtool will be running and removing files.
  8. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  9. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.
NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick combofix's window while it's running. That may cause it to stall

Post me these logs in your next reply.. Post each log in a separate post..

1. SDFix
2. ComboFix
3. A fresh HijackThis log
fenzodahl512
post Dec 4 2008, 05:46 AM
Post #3
Trusted Helper
Posts: 5,223
OS: Windows XP

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
Excal
post Dec 4 2008, 10:17 AM
Post #4
Malware Slayer Extraordinaire!
Posts: 11,517
From: Mass, USA :)
OS: XP

User returned. Helper being notified.

Excal
DonQuixorleon
post Dec 4 2008, 11:38 AM
Post #5
Member
Posts: 27
OS: XP

Thanks guys. I've recently regained an internet connection on the computer in question, and after a bit of tweaking, Ad-Aware is not being shut down. The worm kdCrypt was detected, and might have been taken care of but I'm not sure; however, Vundo is still being detected under some instances of Spybot, Ad-Aware and McAfee, but only under certain accounts.

I will post the SDFix, ComboFix and HijackThis logs by Saturday; I'm pressed for time and using another computer for the time being.

This post has been edited by DonQuixorleon: Dec 4 2008, 11:42 AM
DonQuixorleon
post Dec 4 2008, 11:39 AM
Post #6
Member
Posts: 27
OS: XP

Whoops

This post has been edited by DonQuixorleon: Dec 4 2008, 11:41 AM
fenzodahl512
post Dec 4 2008, 06:14 PM
Post #7
Trusted Helper
Posts: 5,223
OS: Windows XP

Thank you Excal

Post the requested logs please..
DonQuixorleon
post Dec 8 2008, 03:13 PM
Post #8
Member
Posts: 27
OS: XP

From SDFix:


System Report
*************

Run on 2008-12-08 at 13:35

Microsoft Windows XP [Version 5.1.2600]

Current user is an administrator

Running Processes:

\SystemRoot\System32\smss.exe [608]
\??\C:\WINDOWS\system32\csrss.exe [688]
\??\C:\WINDOWS\system32\winlogon.exe [712]
C:\WINDOWS\system32\services.exe [756]
C:\WINDOWS\system32\lsass.exe [768]
C:\WINDOWS\system32\svchost.exe [924]
C:\WINDOWS\system32\svchost.exe [1004]
C:\WINDOWS\System32\svchost.exe [1100]
C:\WINDOWS\system32\svchost.exe [1132]
C:\WINDOWS\system32\svchost.exe [1260]
C:\WINDOWS\system32\svchost.exe [1320]
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [1424]
C:\WINDOWS\system32\spoolsv.exe [1760]
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe [1800]
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [956]
C:\WINDOWS\system32\bgsvcgen.exe [1060]
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe [1168]
C:\WINDOWS\System32\svchost.exe [1328]
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [1508]
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [880]
c:\program files\common files\mcafee\mna\mcnasvc.exe [204]
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [436]
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [432]
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [644]
C:\Program Files\McAfee\MPF\MPFSrv.exe [1084]
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe [2168]
C:\WINDOWS\system32\svchost.exe [2388]
C:\WINDOWS\system32\svchost.exe [2444]
C:\Program Files\Windows Media Player\WMPNetwk.exe [2624]
C:\Program Files\iPod\bin\iPodService.exe [3748]
C:\WINDOWS\System32\alg.exe [2212]
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [3808]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe [2436]
C:\WINDOWS\Explorer.EXE [3460]
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2468]
C:\windows\system\hpsysdrv.exe [1628]
C:\WINDOWS\system32\hphmon06.exe [1528]
C:\HP\KBD\KBD.EXE [2728]
C:\WINDOWS\system32\VTTimer.exe [1568]
C:\WINDOWS\AGRSMMSG.exe [3888]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe [2120]
C:\Program Files\iTunes\iTunesHelper.exe [1164]
C:\WINDOWS\system32\ctfmon.exe [3920]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2808]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE [172]
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE [976]


Drivers - Running:

$sys$cor
$sys$crater
ACPI
AFD
AgereSoftModem
ALCXWDM
AmdK7
Arp1394
atapi
audstub
Beep
Cdfs
Cdrom
CDRPDACC
d347bus
d347prt
Disk
Fastfat
FET5X86V
Fips
FltMgr
Ftdisk
GEARAspiWDM
Gpc
HidUsb
HTTP
i8042prt
Imapi
IpFilterDriver
IpNat
IPSec
isapnp
Iviaspi
Kbdclass
kmixer
KSecDD
LVPr2Mon
mfeavfk
mfebopk
mfehidk
mfesmfk
mnmdd
Modem
Mouclass
mouhid
MountMgr
MPFP
MRxDAV
MRxSmb
Msfs
mssmbios
Mup
NDIS
NdisTapi
Ndisuio
NdisWan
NDProxy
NetBIOS
NetBT
NIC1394
Npfs
Ntfs
Null
ohci1394
Parport
PartMgr
PCI
PCIIde
Pcouffin
Pfc
Point32
PptpMiniport
Ps2
PSched
Ptilink
PxHelp20
RasAcd
Rasl2tp
RasPppoe
Raspti
Rdbss
RDPCDD
redbook
Secdrv
Serenum
Serial
sfdrv01
sfhlp02
sr
Srv
swenum
sysaudio
Tcpip
TermDD
Update
usbehci
usbhub
usbprint
USBSTOR
usbuhci
VgaSave
viaagp1
viagfx
ViaIde
VolSnap
Wanarp
wdmaud
WudfPf


Drivers - Stopped:

Abiosdsk
abp480n5
ACPIEC
adpu160m
aec
Aha154x
aic78u2
aic78xx
ALCXSENS
AliIde
amsint
asc
asc3350p
asc3550
AsyncMac
Atdisk
Atmarpc
catchme
cbidf2k
CCDECODE
cd20xrnt
Cdaudio
Changer
CmdIde
Cpqarray
dac960nt
dmboot
dmio
dmload
DMusic
dpti2o
drmkaud
Fdc
FETND5BV
FETNDISB
Flpydisk
hpn
i2omgmt
i2omp
ialm
ini910u
IntelIde
intelppm
Ip6Fw
IpInIp
IRENUM
lbrtfdc
LVcKap
LVMVDrv
LVUSBSta
mferkdk
mraid35x
MSKSSRV
MSPCLOCK
MSPQM
MSTEE
NABTSFEC
NdisIP
NwlnkFlt
NwlnkFwd
PalmUSBD
ParVdm
PCIDump
Pcmcia
PDCOMP
PDFRAME
PDRELI
PDRFRAME
pepifilter
perc2
perc2hib
PID_PEPI
ql1080
Ql10wnt
ql12160
ql1240
ql1280
RDPWD
rtl8139
SbcpHid
Sfloppy
SilverLink
Simbad
SLIP
Sparrow
splitter
streamip
swmidi
symc810
symc8xx
sym_hi
sym_u3
TDPIPE
TDTCP
TosIde
Udfs
ultra
USBAAPL
usbaudio
usbccgp
usbscan
wanatw
WDICA
WpdUsb
WSTCODEC
WudfRd


Services - Running:

aawservice
ALG
Apple
AudioSrv
bgsvcgen
BITS
Browser
CryptSvc
DcomLaunch
Dhcp
Dnscache
EPSONStatusAgent2
ERSvc
Eventlog
EventSystem
FastUserSwitchingCompatibility
helpsvc
HTTPFilter
iPod
lanmanserver
lanmanworkstation
LmHosts
LVPrcSrv
McAfee
mcmscsvc
McNASvc
McProxy
McShield
McSysmon
MDM
MpfService
Netman
Nla
PlugPlay
PolicyAgent
ProtectedStorage
RasMan
RpcSs
SamSs
Schedule
seclogon
SENS
SharedAccess
ShellHWDetection
Spooler
sprtlisten
srservice
SSDPSRV
stisvc
TapiSrv
TermService
Themes
TrkWks
upnphost
W32Time
WebClient
winmgmt
WMPNetworkSvc
wscsvc
wuauserv
WudfSvc
WZCSVC


Services - Stopped:

Alerter
AppMgmt
aspnet_state
CiSvc
ClipSrv
clr_optimization_v2.0.50727_32
COMSysApp
CWShredder
dmadmin
dmserver
Dot3svc
EapHost
FontCache3.0.0.0
gusvc
HidServ
hkmsvc
IDriverT
idsvc
ImapiService
LVSrvLauncher
McODS
Messenger
mnmsrvc
MSDTC
MSIServer
napagent
NetDDE
NetDDEdsdm
Netlogon
NetTcpPortSharing
NtLmSsp
NtmsSvc
ose
RasAuto
RDSessMgr
RemoteAccess
RpcLocator
RSVP
SCardSvr
SupportSoft
SwPrv
SysmonLog
UPS
VSS
WmdmPmSN
WmiApSrv
xmlprov


Files Created/Modified - 60 Days:


C:\

Dec 8 2008 9:40:44a 469,291,008 A.SH. "C:\hiberfil.sys"
Dec 8 2008 9:40:38a 704,643,072 A.SH. "C:\pagefile.sys"
Nov 27 2008 1:08:50a 96,978 A.... "C:\VirtumundoBeGone.exe"
Nov 27 2008 1:08:56a 119,808 A.... "C:\VundoFix.exe"


C:\WINDOWS\

Dec 8 2008 9:40:46a 2,048 A.S.. "C:\WINDOWS\bootstat.dat"
Nov 7 2008 7:00:02p 116,368 A.... "C:\WINDOWS\Downloaded Program Files\McContentMgr.dll"
Nov 7 2008 6:58:40p 359,056 A.... "C:\WINDOWS\Downloaded Program Files\McHealthCheck.dll"
Nov 7 2008 7:00:38p 117,896 A.... "C:\WINDOWS\Downloaded Program Files\McLogMgr.dll"
Nov 7 2008 6:59:18p 561,808 A.... "C:\WINDOWS\Downloaded Program Files\McPlugins.dll"
Nov 7 2008 7:01:16p 239,760 A.... "C:\WINDOWS\Downloaded Program Files\McProdMgr.dll"
Nov 7 2008 6:57:34p 308,384 A.... "C:\WINDOWS\Downloaded Program Files\MVT.dll"
Nov 7 2008 6:54:48p 147,456 A.... "C:\WINDOWS\Downloaded Program Files\Uploader.exe"
Nov 29 2008 3:28:46p 110 A.... "C:\WINDOWS\ERDNT\CFrecovery.bat"
Dec 8 2008 1:30:20p 191 A.... "C:\WINDOWS\system\hpsysdrv.DAT"
Nov 13 2008 5:04:24p 511,328 A.... "C:\WINDOWS\system32\capicom.dll"
Oct 16 2008 2:09:44p 92,696 A.... "C:\WINDOWS\system32\cdm.dll"
Dec 6 2008 3:53:30p 389,120 A.... "C:\WINDOWS\system32\CF22619.exe"
Dec 6 2008 3:56:40p 389,120 A.... "C:\WINDOWS\system32\CF23236.exe"
Oct 16 2008 6:24:48a 275,760 A.... "C:\WINDOWS\system32\FNTCACHE.DAT"
Oct 15 2008 9:34:24a 337,408 A.... "C:\WINDOWS\system32\netapi32.dll"
Oct 16 2008 2:12:20p 561,688 A.... "C:\WINDOWS\system32\wuapi.dll"
Oct 16 2008 2:09:44p 51,224 A.... "C:\WINDOWS\system32\wuauclt.exe"
Oct 16 2008 2:13:40p 1,809,944 A.... "C:\WINDOWS\system32\wuaueng.dll"
Oct 16 2008 2:12:22p 323,608 A.... "C:\WINDOWS\system32\wucltui.dll"
Oct 16 2008 2:08:58p 34,328 A.... "C:\WINDOWS\system32\wups.dll"
Oct 16 2008 2:09:44p 43,544 A.... "C:\WINDOWS\system32\wups2.dll"
Oct 16 2008 2:13:40p 202,776 A.... "C:\WINDOWS\system32\wuweb.dll"
Dec 8 2008 9:40:58a 6 A..H. "C:\WINDOWS\Tasks\SA.DAT"
Dec 8 2008 1:34:38p 73 A.... "C:\WINDOWS\temp\scs9D.tmp"
Dec 8 2008 9:42:14a 45,903,872 A.... "C:\WINDOWS\temp\WFV8.tmp"
Oct 24 2008 4:21:10a 455,296 ..... "C:\WINDOWS\Driver Cache\i386\mrxsmb.sys"
Dec 2 2008 3:49:46p 156,936 A.... "C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll"
Dec 2 2008 5:30:00a 952,420 A.... "C:\WINDOWS\McAfee.com\FreeScan\names.DAT"
Dec 2 2008 5:30:00a 59,878,376 A.... "C:\WINDOWS\McAfee.com\FreeScan\scan.DAT"
Oct 16 2008 2:09:44p 92,696 A.... "C:\WINDOWS\system32\dllcache\cdm.dll"
Oct 24 2008 4:21:10a 455,296 ..... "C:\WINDOWS\system32\dllcache\mrxsmb.sys"
Oct 15 2008 9:34:24a 337,408 ..... "C:\WINDOWS\system32\dllcache\netapi32.dll"
Nov 29 2008 2:00:40p 578,560 A.... "C:\WINDOWS\system32\dllcache\user32.dll"
Oct 16 2008 2:12:20p 561,688 A.... "C:\WINDOWS\system32\dllcache\wuapi.dll"
Oct 16 2008 2:09:44p 51,224 A.... "C:\WINDOWS\system32\dllcache\wuauclt.exe"
Oct 16 2008 2:13:40p 1,809,944 A.... "C:\WINDOWS\system32\dllcache\wuaueng.dll"
Oct 16 2008 2:12:22p 323,608 A.... "C:\WINDOWS\system32\dllcache\wucltui.dll"
Oct 16 2008 2:08:58p 34,328 A.... "C:\WINDOWS\system32\dllcache\wups.dll"
Oct 16 2008 2:13:40p 202,776 A.... "C:\WINDOWS\system32\dllcache\wuweb.dll"
Oct 24 2008 4:21:10a 455,296 A.... "C:\WINDOWS\system32\drivers\mrxsmb.sys"
Dec 1 2008 8:13:26a 3,435,888 A.... "C:\WINDOWS\system32\Restore\rstrlog.dat"
Nov 4 2008 9:35:20a 330 A.... "C:\WINDOWS\system32\Adobe\Director\M5drvr32.exe"
Nov 4 2008 9:35:20a 330 A.... "C:\WINDOWS\system32\Adobe\Director\M5if32.dll"
Nov 4 2008 10:15:38a 114,688 A.... "C:\WINDOWS\system32\Adobe\Director\np32dsw.dll"
Nov 4 2008 10:24:12a 202,168 A.... "C:\WINDOWS\system32\Adobe\Director\swdir.dll"
Nov 4 2008 10:24:30a 67,000 A.... "C:\WINDOWS\system32\Adobe\Director\SwDnld.exe"
Nov 4 2008 10:16:16a 499,712 A.... "C:\WINDOWS\system32\Adobe\Shockwave 11\Control.dll"
Nov 4 2008 9:56:40a 1,798,144 A.... "C:\WINDOWS\system32\Adobe\Shockwave 11\dirapi.dll"
Nov 4 2008 10:16:20a 9,216 A.... "C:\WINDOWS\system32\Adobe\Shockwave 11\DynaPlayer.dll"
Nov 4 2008 9:41:22a 710,144 A.... "C:\WINDOWS\system32\Adobe\Shockwave 11\gi.dll"
Nov 4 2008 9:41:24a 1,145,896 A.... "C:\WINDOWS\system32\Adobe\Shockwave 11\gt.exe"
Nov 4 2008 9:41:22a 52,288 A.... "C:\WINDOWS\system32\Adobe\Shockwave 11\gtapi.dll"
Nov 4 2008 9:52:10a 892,928 A.... "C:\WINDOWS\system32\Adobe\Shockwave 11\iml32.dll"
Nov 4 2008 9:41:22a 54,656 A.... "C:\WINDOWS\system32\Adobe\Shockwave 11\pccuapi.dll"
Nov 4 2008 10:14:58a 266,240 A.... "C:\WINDOWS\system32\Adobe\Shockwave 11\Plugin.dll"
Nov 4 2008 10:16:52a 446,464 A.... "C:\WINDOWS\system32\Adobe\Shockwave 11\Proj.dll"
Nov 4 2008 10:23:52a 460,216 A.... "C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1100470.exe"
Nov 4 2008 10:14:42a 114,688 A.... "C:\WINDOWS\system32\Adobe\Shockwave 11\SwInit.exe"
Nov 4 2008 10:14:40a 94,208 A.... "C:\WINDOWS\system32\Adobe\Shockwave 11\SwMenu.dll"
Nov 4 2008 9:41:22a 58,736 A.... "C:\WINDOWS\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL"
Nov 29 2008 3:46:22p 253,952 A.... "C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT"
Nov 29 2008 3:46:22p 8,192 A.... "C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat"
Nov 29 2008 3:46:22p 249,856 A.... "C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT"
Nov 29 2008 3:46:22p 8,192 A.... "C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat"
Nov 29 2008 3:46:24p 3,887,104 A.... "C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT"
Nov 29 2008 3:46:24p 155,648 A.... "C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat"
Nov 25 2008 6:32:08p 8,590 A.... "C:\WINDOWS\Profiles\Erin\Application Data\Microsoft\HTML Help\hh.dat"


C:\Program Files\

Oct 22 2008 12:32:40p 949,072 A.SHR "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Oct 22 2008 12:33:00p 962,896 A.SHR "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Oct 30 2008 1:17:06p 1,044,968 A.... "C:\Program Files\McAfee\MSC\mccobres.dll"
Oct 28 2008 5:26:34p 460,000 A.... "C:\Program Files\McAfee\MSC\mcmismgr.dll"
Oct 10 2008 4:16:00p 792,696 A.... "C:\Program Files\McAfee\MSC\mcmscsvc.exe"
Oct 30 2008 1:16:38p 14,461 A.... "C:\Program Files\McAfee\MSC\mscuicfg.dat"
Oct 30 2008 1:17:06p 22,300 A.... "C:\Program Files\McAfee\MSC\oemcfg.dat"
Nov 19 2008 8:51:50p 20,147 A.... "C:\Program Files\McAfee\SiteAdvisor\elist.dat"
Oct 8 2008 12:04:44p 253,456 A.... "C:\Program Files\McAfee\SiteAdvisor\McBrwctl.dll"
Oct 8 2008 12:04:44p 203,280 A.... "C:\Program Files\McAfee\SiteAdvisor\McSACore.exe"
Oct 8 2008 12:04:46p 56,336 A.... "C:\Program Files\McAfee\SiteAdvisor\McSACorePS.dll"
Oct 8 2008 12:04:48p 13,840 A.... "C:\Program Files\McAfee\SiteAdvisor\sahook.dll"
Oct 8 2008 12:04:52p 199,184 A.... "C:\Program Files\McAfee\SiteAdvisor\saplugin.dll"
Oct 8 2008 1:18:56p 1,640,976 A.... "C:\Program Files\McAfee\SiteAdvisor\sares.dll"
Oct 8 2008 12:04:52p 351,248 A.... "C:\Program Files\McAfee\SiteAdvisor\saupkeep.dll"
Oct 8 2008 12:04:48p 24,592 A.... "C:\Program Files\McAfee\SiteAdvisor\uninstall.exe"
Nov 4 2008 2:01:24p 558,808 A.... "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
Oct 16 2008 1:08:10p 18,829 A.... "C:\Program Files\palmOne\Flip2d\HotSyncLog.htm"
Oct 22 2008 12:37:34p 651,144 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\advcheck162.exe"
Oct 22 2008 8:58:50a 621,326 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\advcheck162.zip"
Nov 5 2008 8:59:32a 559,133 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\clsid.zip"
Dec 4 2008 4:48:42p 2,902 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\fpfix.zip"
Nov 5 2008 8:58:56a 86,725 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\includes.pups.zip"
Nov 5 2008 8:59:10a 536,538 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\includes.trojans.zip"
Nov 5 2008 8:59:00a 185,972 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\includes.spybots.zip"
Dec 3 2008 8:26:28a 1,492,962 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\includes.zip"
Nov 19 2008 7:20:56a 153,142 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\includes.hijackers.zip"
Nov 19 2008 7:21:00a 435,016 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\includes.malware.zip"
Oct 8 2008 8:45:30a 25,803 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\lang.english.zip"
Dec 3 2008 8:26:14a 645,679 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\supplemental.zip"
Oct 22 2008 12:57:18p 650,472 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\tools216.exe"
Oct 22 2008 8:59:28a 620,925 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\tools216.zip"
Oct 8 2008 1:15:46p 315,264 A.... "C:\Program Files\Common Files\McAfee\Installer\mcinst.exe"
Oct 14 2008 9:47:46a 163,288 A.... "C:\Program Files\Common Files\McAfee\MSC\mcscrhlp.dll"
Oct 12 2008 5:41:34p 168,432 A.... "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
Oct 12 2008 5:41:42p 10,736 A.... "C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\gth.dll"
Oct 12 2008 5:41:40p 114,672 A.... "C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\gtn.dll"
Oct 12 2008 5:41:40p 652,784 A.... "C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll"
Oct 30 2008 1:16:38p 64,408 A.... "C:\Program Files\McAfee\MSC\1033\mclocres.dll"
Oct 30 2008 1:16:58p 117,968 A.... "C:\Program Files\McAfee\MSC\1033\mscinres.dll"
Nov 19 2008 8:51:48p 186,544 A.... "C:\Program Files\McAfee\SiteAdvisor\Scripts\safesearch.dat"
Oct 16 2008 1:07:58p 337,759 A.... "C:\Program Files\palmOne\Flip2d\address\address.dat"
Oct 16 2008 1:04:40p 106 A.... "C:\Program Files\palmOne\Flip2d\address\UiPrefs.dat"
Oct 16 2008 1:07:58p 521 A.... "C:\Program Files\palmOne\Flip2d\datebook\datebook.dat"
Oct 16 2008 1:04:40p 16 A.... "C:\Program Files\palmOne\Flip2d\datebook\UiPrefs.dat"
Oct 16 2008 1:07:46p 226 A.... "C:\Program Files\palmOne\Flip2d\expense\expense.dat"
Oct 16 2008 1:07:48p 8,737 A.... "C:\Program Files\palmOne\Flip2d\memopad\memopad.dat"
Oct 16 2008 1:07:48p 652 A.... "C:\Program Files\palmOne\Flip2d\Note Pad\Note Pad.dat"
Oct 16 2008 1:08:10p 241 A.... "C:\Program Files\palmOne\Flip2d\QuickInstall\DevInfo.dat"
Nov 3 2008 7:52:08a 1,113 A.... "C:\Program Files\palmOne\Flip2d\QuickInstall\FileList.dat"
Oct 16 2008 1:07:58p 489 A.... "C:\Program Files\palmOne\Flip2d\todo\todo.dat"
Oct 16 2008 1:04:40p 33 A.... "C:\Program Files\palmOne\Flip2d\todo\UiPrefs.dat"
Dec 7 2008 11:20:36a 2,108,989 A...R "C:\Program Files\McAfee\VirusScan\DAT\5457.0\avvclean.dat"
Dec 7 2008 11:20:36a 1,016,837 A...R "C:\Program Files\McAfee\VirusScan\DAT\5457.0\avvnames.dat"
Dec 7 2008 11:20:36a 60,980,141 A...R "C:\Program Files\McAfee\VirusScan\DAT\5457.0\avvscan.dat"
Oct 16 2008 1:07:46p 20 A.... "C:\Program Files\palmOne\Flip2d\PDFView\info\palmfinger.dat"


Files with hidden attributes:

Wed 22 Dec 2004 213 A.SHR --- "C:\BOOT.BAK"
Wed 22 Dec 2004 196 A.SHR --- "C:\BOOTNXX.BAK"
Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Sun 13 Feb 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 14 Jul 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv12.bak"
Fri 23 Dec 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Thu 13 Nov 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Thu 13 Nov 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Wed 10 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 26 Jul 2006 40,448 ...H. --- "C:\Documents and Settings\Erin\My Documents\Resume\~WRL3939.tmp"
Fri 5 Dec 2008 45,128 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@R1A7E.tmp"
Fri 5 Dec 2008 44,272 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@R1A80.tmp"
Fri 5 Dec 2008 54,420 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@R1A82.tmp"
Fri 5 Dec 2008 17,036 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@R1A84.tmp"
Fri 5 Dec 2008 39,892 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@R1A86.tmp"
Fri 5 Dec 2008 6,000 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@R1A88.tmp"
Fri 5 Dec 2008 2,024 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@R1A8A.tmp"
Fri 5 Dec 2008 24,048 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@R1A8C.tmp"
Fri 5 Dec 2008 24,048 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@R1A8E.tmp"
Fri 5 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@S1A7F.tmp"
Fri 5 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@S1A81.tmp"
Fri 5 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@S1A83.tmp"
Fri 5 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@S1A85.tmp"
Fri 5 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@S1A87.tmp"
Fri 5 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@S1A89.tmp"
Fri 5 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@S1A8B.tmp"
Fri 5 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@S1A8D.tmp"
Fri 5 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\Mark\Local Settings\temp\Z@S1A8F.tmp"
Mon 10 Jul 2006 54,272 ...H. --- "C:\Documents and Settings\Mark\Desktop\INFO HOBBIES\Politics\Falcone\~WRL0003.tmp"
Tue 11 Jul 2006 67,072 ...H. --- "C:\Documents and Settings\Mark\Desktop\INFO HOBBIES\Politics\Falcone\~WRL0437.tmp"
Tue 11 Jul 2006 68,096 ...H. --- "C:\Documents and Settings\Mark\Desktop\INFO HOBBIES\Politics\Falcone\~WRL0475.tmp"
Tue 11 Jul 2006 79,360 ...H. --- "C:\Documents and Settings\Mark\Desktop\INFO HOBBIES\Politics\Falcone\~WRL0617.tmp"
Tue 11 Jul 2006 76,288 ...H. --- "C:\Documents and Settings\Mark\Desktop\INFO HOBBIES\Politics\Falcone\~WRL0652.tmp"
Tue 11 Jul 2006 80,384 ...H. --- "C:\Documents and Settings\Mark\Desktop\INFO HOBBIES\Politics\Falcone\~WRL0668.tmp"
Tue 11 Jul 2006 67,072 ...H. --- "C:\Documents and Settings\Mark\Desktop\INFO HOBBIES\Politics\Falcone\~WRL0842.tmp"
Tue 11 Jul 2006 79,872 ...H. --- "C:\Documents and Settings\Mark\Desktop\INFO HOBBIES\Politics\Falcone\~WRL1001.tmp"
Tue 11 Jul 2006 67,584 ...H. --- "C:\Documents and Settings\Mark\Desktop\INFO HOBBIES\Politics\Falcone\~WRL1175.tmp"
Tue 11 Jul 2006 78,336 ...H. --- "C:\Documents and Settings\Mark\Desktop\INFO HOBBIES\Politics\Falcone\~WRL1393.tmp"
Tue 11 Jul 2006 65,536 ...H. --- "C:\Documents and Settings\Mark\Desktop\INFO HOBBIES\Politics\Falcone\~WRL1468.tmp"
Tue 11 Jul 2006 77,312 ...H. --- "C:\Documents and Settings\Mark\Desktop\INFO HOBBIES\Politics\Falcone\~WRL1968.tmp"
Tue 11 Jul 2006 77,824 ...H. --- "C:\Documents and Settings\Mark\Desktop\INFO HOBBIES\Politics\Falcone\~WRL2212.tmp"
Tue 11 Jul 2006 65,024 ...H. --- "C:\Documents and Settings\Mark\Desktop\INFO HOBBIES\Politics\Falcone\~WRL2218.tm