Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help Please Trojan:Backdoor.Win32.Agent.cym [RESOLVED]

Started by SlowerLower , Jan 25 2008 05:34 PM

  • This topic is locked This topic is locked

#1
SlowerLower
Posted 25 January 2008 - 05:34 PM

SlowerLower

    Member

  • Member
  • PipPip
  • 11 posts
A little background - Avast first identified a problem but the trojan destroyed Avast and appeared to be self replicating itself through my system - Spybot and AVG did not identify an issue - SuperAntispybot, Panda and Kaspersky identified several issues as you will see but none of them seem to have fixed the problem - Note I installed Kaspersky after removing Avast because of the Avast being corrupted - Kaspersky is stuck with a web Anti-Virus warning that gives me a choice to allow or deny the Trojan to operate - When I deny it within 2 seconds the same warning pops up - I now have a dos prompt window open too with it being titled Windows\system32\nsysrunex.exe. I am completely stumped on this one please help.

On a side note I have another issue - I unsubscribed from Vongo several months ago but everytime i restart my PC windows installer reinstalls the program and i cant uninstall it. and i noticed in my hyjackthis log that it seems that i have several operations running that i never use and i am not even sure if they are still installed on my pc - how can i check this and fix it - thank you again

SUPERAntiSpyware Scan Log
Generated 01/24/2008 at 10:42 PM

Application Version : 3.6.1000

Core Rules Database Version : 3388
Trace Rules Database Version: 1382

Scan type : Complete Scan
Total Scan Time : 02:06:10

Memory items scanned : 355
Memory threats detected : 2
Registry items scanned : 4986
Registry threats detected : 28
File items scanned : 57222
File threats detected : 2

Adware.E404 Helper/Variant
C:\PROGRAM FILES\HELPER\USAFINDSITE.DLL
C:\PROGRAM FILES\HELPER\USAFINDSITE.DLL
C:\PROGRAM FILES\HELPER\LOOKERLIVE.DLL
C:\PROGRAM FILES\HELPER\LOOKERLIVE.DLL

Adware.E404 Helper/Hij
HKLM\Software\Classes\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}
HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}
HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}
HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\InprocServer32
HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\InprocServer32#ThreadingModel
HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\ProgID
HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\Programmable
HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\TypeLib
HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\VersionIndependentProgID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}
HKCR\E404.e404mgr
HKCR\E404.e404mgr\CLSID
HKCR\E404.e404mgr\CurVer
HKCR\E404.e404mgr.1
HKCR\E404.e404mgr.1\CLSID
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0\win32
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\FLAGS
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\HELPDIR
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid32
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib#Version

Trojan.DNSChanger-Codec
HKCR\CLSID\E404.e404mgr
HKCR\CLSID\E404.e404mgr#UserId

Panda Report

Incident Status Location

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98bhcgcw.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98bhcgcw.default\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98bhcgcw.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98bhcgcw.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98bhcgcw.default\cookies.txt[.realmedia.com/]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe

Kaspersky Report
Protection : running
--------------------
Total scanned: 363602
Detected: 3
Untreated: 0
Attacks blocked: 0
Start time: 1/25/2008 5:33:19 AM
Duration: 12:12:38


Detected
--------
Status Object
------ ------
detected: riskware Hidden data sending Running process: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
detected: riskware Invader Running process: C:\Program Files\Internet Explorer\iexplore.exe
detected: Trojan program Backdoor.Win32.Agent.cym URL: http://xtraload.net/..._Patch.UPX//UPX


Events
------
Time Event
---- -----
1/24/2008 6:10:59 PM Process (PID 492) tried to access Kaspersky Internet Security process (PID 548), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/24/2008 6:11:57 PM You are advised to perform a full computer scan as soon as possible.
1/24/2008 6:12:01 PM Database is out of date, leaving your computer at risk of infection. Please update your database.
1/24/2008 6:12:01 PM Protection of your computer is enabled.
1/24/2008 6:15:12 PM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 256): attempt to perform suspicious actions is blocked.
1/24/2008 6:15:17 PM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 256): attempt to perform suspicious actions is blocked.
1/24/2008 6:18:53 PM Update completed successfully
1/24/2008 6:36:11 PM Process (PID 976) tried to access Kaspersky Internet Security process (PID 1004), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/24/2008 6:37:06 PM You are advised to perform a full computer scan as soon as possible.
1/24/2008 6:37:06 PM Protection of your computer is enabled.
1/24/2008 6:39:16 PM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 1008): attempt to perform suspicious actions is blocked.
1/24/2008 6:39:17 PM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 1008): attempt to perform suspicious actions is blocked.
1/24/2008 6:47:26 PM Protection of your computer is not running. You are advised to resume protection.
1/24/2008 8:27:30 PM Process (PID 968) tried to access Kaspersky Internet Security process (PID 992), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/24/2008 8:28:10 PM Your evaluation period will end in 29 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
1/24/2008 8:28:13 PM You are advised to perform a full computer scan as soon as possible.
1/24/2008 8:28:14 PM Protection of your computer is enabled.
1/24/2008 8:30:03 PM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 900): attempt to perform suspicious actions is allowed.
1/24/2008 8:30:06 PM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 900): attempt to perform suspicious actions is allowed.
1/24/2008 8:33:06 PM Update completed successfully
1/24/2008 8:35:59 PM Process (PID 900) tried to access Kaspersky Internet Security process (PID 784), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/24/2008 8:35:59 PM Process (PID 900) tried to access Kaspersky Internet Security process (PID 992), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/24/2008 10:50:39 PM Update completed successfully
1/25/2008 1:10:17 AM Update completed successfully
1/25/2008 3:30:12 AM Update completed successfully
1/25/2008 5:30:28 AM Protection of your computer is not running. You are advised to resume protection.
1/25/2008 5:32:39 AM Process (PID 264) tried to access Kaspersky Internet Security process (PID 288), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/25/2008 5:33:15 AM Your evaluation period will end in 29 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
1/25/2008 5:33:18 AM You are advised to perform a full computer scan as soon as possible.
1/25/2008 5:33:19 AM Protection of your computer is enabled.
1/25/2008 5:34:00 AM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 788): attempt to perform suspicious actions is allowed.
1/25/2008 5:34:01 AM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 788): attempt to perform suspicious actions is allowed.
1/25/2008 5:36:43 AM Update completed successfully
1/25/2008 6:05:33 AM Process (PID 3800) tried to access Kaspersky Internet Security process (PID 652), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/25/2008 6:05:33 AM Process (PID 3800) tried to access Kaspersky Internet Security process (PID 288), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/25/2008 6:29:58 AM Process C:\Program Files\Internet Explorer\iexplore.exe (PID: 3800): attempt to embed itself into another process allowed.
1/25/2008 6:32:43 AM Process C:\Program Files\Internet Explorer\iexplore.exe (PID: 3800): attempt to embed itself into another process allowed.
1/25/2008 8:12:49 AM Not all components were updated
1/25/2008 10:16:30 AM Update completed successfully
1/25/2008 12:36:04 PM Update completed successfully
1/25/2008 2:08:07 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:07 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:13 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:13 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:19 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:19 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:20 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:20 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:22 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:22 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:23 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:23 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:24 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:24 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:26 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:26 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:27 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:27 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:29 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:29 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:30 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:30 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:32 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:32 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:33 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:33 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:35 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:35 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:37 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:37 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:38 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:38 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:40 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:40 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:41 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:41 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:42 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:42 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:44 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:44 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:02 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:02 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:04 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:04 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:08 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:08 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:10 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:10 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:11 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:11 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:12 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:12 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:14 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:14 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:20 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:20 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:21 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:21 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:23 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:23 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:24 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:24 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:25 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:25 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:26 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:26 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:37 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:37 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:38 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:38 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:39 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:39 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:39 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:39 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:18:53 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts.zip/sbRecovery.ini: is password protected.
1/25/2008 2:18:53 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts1.zip/sbRecovery.ini: is password protected.
1/25/2008 2:18:53 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts2.zip/sbRecovery.reg: is password protected.
1/25/2008 2:18:53 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts2.zip/sbRecovery.ini: is password protected.
1/25/2008 2:18:53 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MagicAntiSpy.zip/sbRecovery.reg: is password protected.
1/25/2008 2:18:53 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MagicAntiSpy.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWeb.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWeb.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWeb1.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWeb1.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts1.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts2.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts2.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts3.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts4.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts4.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch.zip/MWSBAR.DLL: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip/MWSSRCAS.DLL: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch10.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch11.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch11.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch12.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch12.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch13.zip/bar/History/search2: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch13.zip/bar/Settings/s_pid.dat: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch13.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch14.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch14.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch15.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch15.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch16.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch16.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch17.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch17.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch2.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch2.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch3.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch3.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip/bar/1.bin/F3HTMLMU.DLL: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip/bar/1.bin/MWSOEMON.EXE: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip/bar/1.bin/MWSOESTB.DLL: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip/bar/History/search2: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip/bar/Settings/s_pid.dat: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch5.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch5.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch6.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch6.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch7.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch7.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch8.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch8.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch9.zip/bar/1.bin/MWSOEMON.EXE: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch9.zip/bar/1.bin/MWSOESTB.DLL: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch9.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch1.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch1.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch2.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch2.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch3.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch3.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\WildTangent1.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip/sbRecovery.ini: is password protected.
1/25/2008 2:22:27 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-25-2008 - 05-29-55.SBU/{2DE2EC85-1776-4422-A502-9C8CC28A8A92}: is password protected.
1/25/2008 2:22:27 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-25-2008 - 05-29-55.SBU/{41E09D51-28D6-43B3-A9E1-7F67525DAE28}: is password protected.
1/25/2008 2:22:27 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-25-2008 - 05-29-55.SBU/{53E13DE9-C5BD-4783-B494-3C5A3BEA3158}: is password protected.
1/25/2008 2:22:27 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-25-2008 - 05-29-55.SBU/{96C8338A-36A6-479A-8B62-930379A5A408}: is password protected.
1/25/2008 2:22:27 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-25-2008 - 05-29-55.SBU/backup.db: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\clihelp.ttd//tmp/..PKText.CLIHelp.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\Common.ttd//tmp/..PKText.Common.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\Common.ttd//tmp/..PKText.Common.en_US-RSA: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\pkbrowse.ttd//tmp/..PKText.PKBrowse.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKCmnDlg.ttd//tmp/..PKText.PKCmnDlg.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKCmnDlg.ttd//tmp/..PKText.PKCmnDlg.en_US-SECURE: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKCOM700.ttd//tmp/..PKText.PKCOM700.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKCOM700.ttd//tmp/..PKText.PKCOM700.en_US-SECURE: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKMail.ttd//tmp/..PKText.PKMail.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKMail.ttd//tmp/..PKText.PKMail.en_US-RSA: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKMail.ttd//tmp/..PKText.PKMail.en_US-SECURE: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\pknsetup.ttd//tmp/..PKText.PKNSetup.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKOPT700Text.ttd//tmp/..PKText.PKOPT700Text.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKOPT700Text.ttd//tmp/..PKText.PKOPT700Text.en_US-SECURE: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKSerial.ttd//tmp/..PKText.PKSerial.en_US: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKSerial.ttd//tmp/..PKText.PKSerial.en_US-RSA: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKSerial.ttd//tmp/..PKText.PKSerial.en_US-SECURE: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKTLV700.ttd//tmp/..PKText.PKTLV700.en_US: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKTLV700.ttd//tmp/..PKText.PKTLV700.en_US-SECURE: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKWizardText.ttd//tmp/..PKText.PKWizardText.en-US-SECURE: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKWizardText.ttd//tmp/..PKText.PKWizardText.en_US: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\pkzipc.ttd//tmp/..PKText.pkzipc.en_US: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\pkzipgui.ttd//tmp/..PKText.PKZIPGUI.en_US: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\pkzipgui.ttd//tmp/..PKText.PKZIPGUI.en_US-SECURE: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\Vendor.ttd//tmp/..PKText.Vendor.en_US: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\Vendor.ttd//tmp/..PKText.Vendor.en_US-SECURE: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/clihelp.ttd//tmp/..PKText.CLIHelp.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/Common.ttd//tmp/..PKText.Common.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/Common.ttd//tmp/..PKText.Common.en_US-RSA: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/pkbrowse.ttd//tmp/..PKText.PKBrowse.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKCmnDlg.ttd//tmp/..PKText.PKCmnDlg.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKCmnDlg.ttd//tmp/..PKText.PKCmnDlg.en_US-SECURE: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKCOM700.ttd//tmp/..PKText.PKCOM700.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKCOM700.ttd//tmp/..PKText.PKCOM700.en_US-SECURE: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKMail.ttd//tmp/..PKText.PKMail.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKMail.ttd//tmp/..PKText.PKMail.en_US-RSA: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKMail.ttd//tmp/..PKText.PKMail.en_US-SECURE: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/pknsetup.ttd//tmp/..PKText.PKNSetup.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKOPT700Text.ttd//tmp/..PKText.PKOPT700Text.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKOPT700Text.ttd//tmp/..PKText.PKOPT700Text.en_US-SECURE: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKSerial.ttd//tmp/..PKText.PKSerial.en_US: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKSerial.ttd//tmp/..PKText.PKSerial.en_US-RSA: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKSerial.ttd//tmp/..PKText.PKSerial.en_US-SECURE: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKTLV700.ttd//tmp/..PKText.PKTLV700.en_US: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKTLV700.ttd//tmp/..PKText.PKTLV700.en_US-SECURE: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKWizardText.ttd//tmp/..PKText.PKWizardText.en-US-SECURE: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKWizardText.ttd//tmp/..PKText.PKWizardText.en_US: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/pkzipc.ttd//tmp/..PKText.pkzipc.en_US: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/pkzipgui.ttd//tmp/..PKText.PKZIPGUI.en_US: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/pkzipgui.ttd//tmp/..PKText.PKZIPGUI.en_US-SECURE: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/Vendor.ttd//tmp/..PKText.Vendor.en_US: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/Vendor.ttd//tmp/..PKText.Vendor.en_US-SECURE: is password protected.
1/25/2008 5:19:31 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:19:31 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:19:47 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:19:47 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:19:54 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:19:54 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:19:58 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:19:58 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:19:58 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:19:58 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:19:59 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:19:59 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:00 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:00 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:01 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:01 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:01 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:01 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:02 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:02 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:03 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:03 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:04 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:04 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:05 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:05 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:05 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:05 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:06 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:06 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:07 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:07 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:07 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:07 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:08 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:08 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:09 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:09 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:09 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:09 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:10 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:10 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.


Reports
-------
Component Status Start Finish Size
--------- ------ ----- ------ ----
Firewall completed 1/24/2008 6:12:01 PM 1/24/2008 6:33:59 PM 0 bytes
Anti-Spam completed 1/24/2008 6:12:01 PM 1/24/2008 6:33:57 PM 0 bytes
Privacy Control completed 1/24/2008 6:12:01 PM 1/24/2008 6:33:57 PM 0 bytes
Proactive Defense completed 1/24/2008 6:12:02 PM 1/24/2008 6:34:05 PM 0 bytes
File Anti-Virus completed 1/24/2008 6:12:03 PM 1/24/2008 6:33:57 PM 0 bytes
Mail Anti-Virus completed 1/24/2008 6:12:03 PM 1/24/2008 6:33:57 PM 0 bytes
Web Anti-Virus completed 1/24/2008 6:12:03 PM 1/24/2008 6:34:00 PM 0 bytes
Update completed 1/24/2008 6:14:04 PM 1/24/2008 6:18:53 PM 0 bytes
Scan startup objects completed 1/24/2008 6:14:04 PM 1/24/2008 6:17:56 PM 0 bytes
Firewall completed 1/24/2008 6:37:06 PM 1/24/2008 6:47:26 PM 0 bytes
Anti-Spam completed 1/24/2008 6:37:06 PM 1/24/2008 6:47:25 PM 0 bytes
Privacy Control completed 1/24/2008 6:37:07 PM 1/24/2008 6:47:25 PM 0 bytes
Proactive Defense completed 1/24/2008 6:37:07 PM 1/24/2008 6:47:25 PM 0 bytes
Mail Anti-Virus completed 1/24/2008 6:37:07 PM 1/24/2008 6:47:25 PM 0 bytes
Web Anti-Virus completed 1/24/2008 6:37:07 PM 1/24/2008 6:47:25 PM 0 bytes
File Anti-Virus completed 1/24/2008 6:37:07 PM 1/24/2008 6:47:25 PM 0 bytes
Scan startup objects completed 1/24/2008 6:39:10 PM 1/24/2008 6:41:15 PM 0 bytes
Firewall completed 1/24/2008 8:28:14 PM 1/25/2008 5:30:25 AM 0 bytes
Anti-Spam completed 1/24/2008 8:28:14 PM 1/25/2008 5:30:23 AM 0 bytes
Privacy Control completed 1/24/2008 8:28:14 PM 1/25/2008 5:30:22 AM 0 bytes
Proactive Defense completed 1/24/2008 8:28:16 PM 1/25/2008 5:30:28 AM 0 bytes
Mail Anti-Virus completed 1/24/2008 8:28:16 PM 1/25/2008 5:30:23 AM 0 bytes
Web Anti-Virus completed 1/24/2008 8:28:16 PM 1/25/2008 5:30:25 AM 0 bytes
File Anti-Virus completed 1/24/2008 8:28:16 PM 1/25/2008 5:30:22 AM 0 bytes
Update completed 1/24/2008 8:29:55 PM 1/24/2008 8:33:06 PM 0 bytes
Scan startup objects completed 1/24/2008 8:30:21 PM 1/24/2008 8:32:02 PM 0 bytes
Update completed 1/24/2008 10:48:54 PM 1/24/2008 10:50:39 PM 0 bytes
Update completed 1/25/2008 1:08:50 AM 1/25/2008 1:10:17 AM 0 bytes
Update completed 1/25/2008 3:28:48 AM 1/25/2008 3:30:12 AM 0 bytes
Firewall running 1/25/2008 5:33:19 AM 16.4 KB
Anti-Spam running 1/25/2008 5:33:19 AM 0 bytes
Privacy Control running 1/25/2008 5:33:19 AM 10.5 KB
Mail Anti-Virus running 1/25/2008 5:33:19 AM 0 bytes
Web Anti-Virus running 1/25/2008 5:33:19 AM 434.7 KB
Proactive Defense running 1/25/2008 5:33:19 AM 11 KB
File Anti-Virus running 1/25/2008 5:33:19 AM 11.9 MB
Update completed 1/25/2008 5:34:34 AM 1/25/2008 5:36:41 AM 0 bytes
Scan startup objects completed 1/25/2008 5:35:26 AM 1/25/2008 5:36:57 AM 353.8 KB
Update Not all components were updated 1/25/2008 7:54:29 AM 1/25/2008 8:12:49 AM 0 bytes
Update completed 1/25/2008 10:14:29 AM 1/25/2008 10:16:30 AM 0 bytes
Update completed 1/25/2008 12:34:27 PM 1/25/2008 12:36:03 PM 0 bytes
Scan My Computer completed 1/25/2008 2:12:09 PM 1/25/2008 5:18:15 PM 57.9 MB
Update completed 1/25/2008 5:28:10 PM 1/25/2008 5:30:47 PM 0 bytes
Update completed 1/25/2008 5:40:52 PM 1/25/2008 5:42:42 PM 18.9 KB


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:44 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\lwinupdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896<
  • 0

Advertisements

#2
JSntgRvr
Posted 25 January 2008 - 07:41 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, SlowerLower :)

Welcome.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3
SlowerLower
Posted 25 January 2008 - 08:24 PM

SlowerLower

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Thank You
Here You Go

ComboFix 08-01-23.1C - Owner 2008-01-25 21:04:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.420 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Helper
C:\WINDOWS\system32\5537\8260.dll
C:\WINDOWS\system32\jofstvyt.sbin
C:\WINDOWS\system32\prrbpgbr.sys
C:\WINDOWS\system32\rwuwin32.drv

----- BITS: Possible infected sites -----

hxxp://javadl.sun.com
.
((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-25 21:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 18:31 . 2008-01-25 18:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 06:15 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-25 05:39 . 2008-01-25 09:05 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-25 05:39 . 2008-01-25 05:39 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-25 05:39 . 2008-01-25 05:39 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-25 05:39 . 2008-01-25 05:39 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-24 18:04 . 2008-01-24 18:04 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-24 18:04 . 2008-01-24 18:04 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-24 18:03 . 2008-01-24 18:03 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-24 18:03 . 2008-01-25 21:09 2,044,704 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-24 18:03 . 2008-01-25 21:08 60,704 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-24 18:03 . 2008-01-25 18:53 28,004 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-24 18:03 . 2008-01-25 18:53 6,380 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-24 17:58 . 2008-01-24 17:58 <DIR> d-------- C:\kav
2008-01-24 17:55 . 2008-01-25 17:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-24 17:53 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-24 06:11 . 2008-01-25 17:29 872 --a------ C:\WINDOWS\system32\nsysrunex.exe
2008-01-18 11:14 . 2008-01-25 21:08 <DIR> d-------- C:\WINDOWS\system32\5537
2008-01-18 10:13 . 2008-01-18 10:13 57,344 --a------ C:\WINDOWS\system32\lwinupdate.exe
2008-01-01 20:34 . 2008-01-01 20:34 2,748 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-01-01 20:31 . 2008-01-01 20:31 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-01 20:31 . 2008-01-01 20:31 <DIR> d-------- C:\Program Files\DIFX
2008-01-01 20:31 . 2007-09-05 15:26 18,560 --a------ C:\WINDOWS\system32\drivers\FlyUsb.sys
2008-01-01 20:31 . 2008-01-15 15:54 682 --a------ C:\logfile.dat
2008-01-01 20:30 . 2008-01-01 20:30 <DIR> d-------- C:\Program Files\Leapfrog
2008-01-01 20:30 . 2008-01-01 20:30 444 --a------ C:\WINDOWS\{5D946D0D-9437-4E15-AC1F-F9BCF0B32561}_WiseFW.ini
2008-01-01 20:29 . 2008-01-24 17:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-27 16:00 . 2007-12-27 16:00 <DIR> d-------- C:\Program Files\Common Files\Knowledge Adventure
2007-12-27 16:00 . 2007-12-27 16:00 <DIR> d-------- C:\Program Files\Blaster
2007-12-26 12:45 . 2007-12-26 12:45 <DIR> d-------- C:\Program Files\APTE Software
2007-12-26 12:45 . 2004-08-03 23:10 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-12-26 12:45 . 2004-08-03 23:10 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2007-12-26 12:45 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-12-26 12:45 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2007-12-26 12:43 . 2006-12-21 10:52 29,522 --a------ C:\WINDOWS\system32\drivers\Capt913d.sys
2007-12-26 12:43 . 2006-12-21 10:55 24,363 --a------ C:\WINDOWS\system32\drivers\Camd913d.sys
2007-12-26 09:56 . 2007-12-27 16:01 171 --a------ C:\WINDOWS\ka.ini
2007-12-26 09:53 . 2007-12-26 09:53 <DIR> d-------- C:\Program Files\Common Files\Books by You
2007-12-26 09:53 . 2007-12-26 09:53 <DIR> d-------- C:\Program Files\Books by You

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 01:18 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-23 23:11 --------- d-----w C:\Program Files\Java
2007-12-26 17:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-19 23:12 --------- d-----w C:\Program Files\LimeWire
2007-12-19 23:05 --------- d-----w C:\Program Files\CMMFS
2007-12-19 23:03 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-18 05:44 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2007-12-18 05:43 23,396 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2007-12-17 03:53 --------- d-----w C:\Program Files\GALA-NET
2007-12-17 03:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-17 03:43 --------- d-----w C:\Program Files\PKWARE
2007-12-17 03:43 --------- d-----w C:\Program Files\Common Files\PKWARE
2007-12-17 03:00 --------- d-----w C:\Program Files\Eudemons Online
2007-12-13 18:28 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2001-08-18 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 05:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 05:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 05:56 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 05:56 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 05:56 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 05:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684CC}]
C:\Program Files\Helper\lookerlive.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Zero Knowledge Freedom"="C:\Program Files\Zero Knowledge\Freedom\Freedom.exe" [ ]
"SeaMonkey Quick Launch"="C:\Program Files\mozilla.org\SeaMonkey\SeaMonkey.exe" [ ]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\Money Express.exe" [ ]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"S3apphk"="S3apphk.exe" [2002-03-16 00:51 28672 C:\WINDOWS\system32\S3apphk.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 01:39 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 22:13 81920]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [ ]
"nwiz"="nwiz.exe" [2006-09-18 15:25 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-09-18 15:25 86016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-09-18 15:25 7630848]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 14:55 155648]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 14:51 118784]
"FlyMonitor"="C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe" [2007-11-15 14:32 669000]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-03-14 12:25 102455]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="C:\WINDOWS\system32\sti_ci.dll" [2004-08-04 00:56 136704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\WINDOWS\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-08-26 14:16:11 53248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 FlyUsb;FLY Fusion;C:\WINDOWS\system32\DRIVERS\FlyUsb.sys [2007-09-05 15:26]
S3 SQTECH913D;913D Camera;C:\WINDOWS\system32\Drivers\Capt913D.sys [2006-12-21 10:52]
S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys [2002-03-21 00:35]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 07:05:02 C:\WINDOWS\Tasks\avast! Antivirus.job"
- C:\PROGRA~1\ALWILS~1\Avast4\ashAvast.exe
"2008-01-25 07:10:00 C:\WINDOWS\Tasks\CleanUp!.job"
- C:\PROGRA~1\CleanUp!\Cleanup.exe
"2002-04-26 02:39:44 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 21:09:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 21:11:21
ComboFix-quarantined-files.txt 2008-01-26 02:11:13
.
2008-01-10 08:03:00 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:12 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us5.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} - C:\Program Files\Helper\lookerlive.dll (file missing)
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FlyMonitor] "C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [SeaMonkey Quick Launch] "C:\Program Files\mozilla.org\SeaMonkey\SeaMonkey.exe" -turbo
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170536381394
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Vongo Service - Unknown owner - G:\vongo\VongoService.exe (file missing)

--
End of file - 7984 bytes
  • 0

#4
JSntgRvr
Posted 25 January 2008 - 09:02 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, SlowerLower :)

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::C:\WINDOWS\system32\nsysrunex.exeC:\WINDOWS\system32\lwinupdate.exeC:\WINDOWS\system32\PerfStringBackup.TMPFolder::C:\WINDOWS\system32\5537C:\Program Files\HelperRegistry::[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684CC}]

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Test the computer and let me know how is it doing

Edited by JSntgRvr, 25 January 2008 - 09:02 PM.

  • 0

#5
SlowerLower
Posted 25 January 2008 - 09:45 PM

SlowerLower

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here we go - I am still getting the windows installer loading vongo every time i restart - but so far no more kasper warnings - any ideas on how i infected my pc? or processes i can or should remove

ComboFix 08-01-23.1C - Owner 2008-01-25 22:22:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.432 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\lwinupdate.exe
C:\WINDOWS\system32\nsysrunex.exe
C:\WINDOWS\system32\PerfStringBackup.TMP
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\5537
C:\WINDOWS\system32\lwinupdate.exe
C:\WINDOWS\system32\nsysrunex.exe
C:\WINDOWS\system32\PerfStringBackup.TMP

.
((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-25 21:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 18:31 . 2008-01-25 18:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 06:15 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-25 05:39 . 2008-01-25 09:05 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-25 05:39 . 2008-01-25 05:39 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-25 05:39 . 2008-01-25 05:39 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-25 05:39 . 2008-01-25 05:39 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-24 18:04 . 2008-01-24 18:04 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-24 18:04 . 2008-01-24 18:04 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-24 18:03 . 2008-01-24 18:03 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-24 18:03 . 2008-01-25 22:27 2,066,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-24 18:03 . 2008-01-25 22:28 63,008 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-24 18:03 . 2008-01-25 21:13 28,484 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-24 18:03 . 2008-01-25 21:13 6,788 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-24 17:58 . 2008-01-24 17:58 <DIR> d-------- C:\kav
2008-01-24 17:55 . 2008-01-25 17:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-24 17:53 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-01 20:31 . 2008-01-01 20:31 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-01 20:31 . 2008-01-01 20:31 <DIR> d-------- C:\Program Files\DIFX
2008-01-01 20:31 . 2007-09-05 15:26 18,560 --a------ C:\WINDOWS\system32\drivers\FlyUsb.sys
2008-01-01 20:31 . 2008-01-15 15:54 682 --a------ C:\logfile.dat
2008-01-01 20:30 . 2008-01-01 20:30 <DIR> d-------- C:\Program Files\Leapfrog
2008-01-01 20:30 . 2008-01-01 20:30 444 --a------ C:\WINDOWS\{5D946D0D-9437-4E15-AC1F-F9BCF0B32561}_WiseFW.ini
2008-01-01 20:29 . 2008-01-24 17:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-27 16:00 . 2007-12-27 16:00 <DIR> d-------- C:\Program Files\Common Files\Knowledge Adventure
2007-12-27 16:00 . 2007-12-27 16:00 <DIR> d-------- C:\Program Files\Blaster
2007-12-26 12:45 . 2007-12-26 12:45 <DIR> d-------- C:\Program Files\APTE Software
2007-12-26 12:45 . 2004-08-03 23:10 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-12-26 12:45 . 2004-08-03 23:10 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2007-12-26 12:45 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-12-26 12:45 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2007-12-26 12:43 . 2006-12-21 10:52 29,522 --a------ C:\WINDOWS\system32\drivers\Capt913d.sys
2007-12-26 12:43 . 2006-12-21 10:55 24,363 --a------ C:\WINDOWS\system32\drivers\Camd913d.sys
2007-12-26 09:56 . 2007-12-27 16:01 171 --a------ C:\WINDOWS\ka.ini
2007-12-26 09:53 . 2007-12-26 09:53 <DIR> d-------- C:\Program Files\Common Files\Books by You
2007-12-26 09:53 . 2007-12-26 09:53 <DIR> d-------- C:\Program Files\Books by You

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 01:18 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-23 23:11 --------- d-----w C:\Program Files\Java
2007-12-26 17:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-19 23:12 --------- d-----w C:\Program Files\LimeWire
2007-12-19 23:05 --------- d-----w C:\Program Files\CMMFS
2007-12-19 23:03 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-18 05:44 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2007-12-18 05:43 23,396 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2007-12-17 03:53 --------- d-----w C:\Program Files\GALA-NET
2007-12-17 03:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-17 03:43 --------- d-----w C:\Program Files\PKWARE
2007-12-17 03:43 --------- d-----w C:\Program Files\Common Files\PKWARE
2007-12-17 03:00 --------- d-----w C:\Program Files\Eudemons Online
2007-12-13 18:28 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2001-08-18 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 05:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 05:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 05:56 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 05:56 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 05:56 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 05:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-25_21.09.45.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-26 02:03:21 1,404,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-26 03:21:41 1,404,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-26 02:03:21 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-26 03:21:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-26 02:03:22 5,844,992 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-26 03:21:42 5,844,992 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-26 02:03:22 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-26 03:21:42 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-26 02:03:22 1,400,832 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-26 03:21:42 1,400,832 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-26 02:03:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 03:21:42 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Zero Knowledge Freedom"="C:\Program Files\Zero Knowledge\Freedom\Freedom.exe" [ ]
"SeaMonkey Quick Launch"="C:\Program Files\mozilla.org\SeaMonkey\SeaMonkey.exe" [ ]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\Money Express.exe" [ ]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"S3apphk"="S3apphk.exe" [2002-03-16 00:51 28672 C:\WINDOWS\system32\S3apphk.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 01:39 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 22:13 81920]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [ ]
"nwiz"="nwiz.exe" [2006-09-18 15:25 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-09-18 15:25 86016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-09-18 15:25 7630848]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 14:55 155648]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 14:51 118784]
"FlyMonitor"="C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe" [2007-11-15 14:32 669000]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-03-14 12:25 102455]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="C:\WINDOWS\system32\sti_ci.dll" [2004-08-04 00:56 136704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\WINDOWS\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-08-26 14:16:11 53248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 FlyUsb;FLY Fusion;C:\WINDOWS\system32\DRIVERS\FlyUsb.sys [2007-09-05 15:26]
S3 SQTECH913D;913D Camera;C:\WINDOWS\system32\Drivers\Capt913D.sys [2006-12-21 10:52]
S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys [2002-03-21 00:35]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 07:05:02 C:\WINDOWS\Tasks\avast! Antivirus.job"
- C:\PROGRA~1\ALWILS~1\Avast4\ashAvast.exe
"2008-01-25 07:10:00 C:\WINDOWS\Tasks\CleanUp!.job"
- C:\PROGRA~1\CleanUp!\Cleanup.exe
"2002-04-26 02:39:44 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 22:29:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 22:31:23
ComboFix-quarantined-files.txt 2008-01-26 03:31:14
ComboFix2.txt 2008-01-26 02:11:26
.
2008-01-10 08:03:00 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:23 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us5.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FlyMonitor] "C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [SeaMonkey Quick Launch] "C:\Program Files\mozilla.org\SeaMonkey\SeaMonkey.exe" -turbo
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170536381394
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Vongo Service - Unknown owner - G:\vongo\VongoService.exe (file missing)

--
End of file - 7865 bytes
  • 0

#6
JSntgRvr
Posted 26 January 2008 - 06:02 AM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, SlowerLower :)

The logs look clear. How is the computer doing?
  • 0

#7
SlowerLower
Posted 26 January 2008 - 06:36 AM

SlowerLower

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I am still having the vongo issue and last night when surfing firefox a problem agent popped-up - the other issues are much better. Do you think i am protected well enough? How can I best avoid future issues

Thank You for the help - How much is fair tip - I have never done this before and don't know anything about tipping for this type of thing.
  • 0

#8
JSntgRvr
Posted 26 January 2008 - 12:13 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, SlowerLower :)

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

File::
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Vongo Tray.lnk

Folder::
C:\WINDOWS\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}
G:\vongo

Driver::
Vongo Service


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Edited by JSntgRvr, 26 January 2008 - 12:14 PM.

  • 0

#9
SlowerLower
Posted 27 January 2008 - 10:44 AM

SlowerLower

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here is the new Hyjackthis and combofix - i will be running the scan today and will post later tonight thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:50 AM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us5.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FlyMonitor] "C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [SeaMonkey Quick Launch] "C:\Program Files\mozilla.org\SeaMonkey\SeaMonkey.exe" -turbo
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170536381394
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7646 bytes



ComboFix 08-01-23.1C - Owner 2008-01-27 11:20:57.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.385 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Vongo Tray.lnk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Vongo Tray.lnk
C:\WINDOWS\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}
C:\WINDOWS\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\ARPPRODUCTICON.exe
C:\WINDOWS\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut1_8C3AE2D1854D4650A73DC7CC7EE36B80.exe
C:\WINDOWS\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut11_8C3AE2D1854D4650A73DC7CC7EE36B80.exe
C:\WINDOWS\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe
C:\WINDOWS\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut3_DB7E00C96DEF489A8112D8F81614F45A.exe
C:\WINDOWS\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut4_DB7E00C96DEF489A8112D8F81614F45A.exe
C:\WINDOWS\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut5_DB7E00C96DEF489A8112D8F81614F45A.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_VONGO_SERVICE
-------\Vongo Service


((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-25 21:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 18:31 . 2008-01-25 18:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 06:15 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-25 05:39 . 2008-01-25 09:05 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-25 05:39 . 2008-01-25 05:39 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-25 05:39 . 2008-01-25 05:39 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-25 05:39 . 2008-01-25 05:39 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-24 18:04 . 2008-01-24 18:04 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-24 18:04 . 2008-01-24 18:04 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-24 18:03 . 2008-01-24 18:03 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-24 18:03 . 2008-01-27 11:32 2,128,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-24 18:03 . 2008-01-27 11:32 68,128 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-24 18:03 . 2008-01-27 11:28 29,564 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-24 18:03 . 2008-01-27 11:28 7,412 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-24 17:58 . 2008-01-24 17:58 <DIR> d-------- C:\kav
2008-01-24 17:55 . 2008-01-25 17:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-24 17:53 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-01 20:31 . 2008-01-01 20:31 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-01 20:31 . 2008-01-01 20:31 <DIR> d-------- C:\Program Files\DIFX
2008-01-01 20:31 . 2007-09-05 15:26 18,560 --a------ C:\WINDOWS\system32\drivers\FlyUsb.sys
2008-01-01 20:31 . 2008-01-15 15:54 682 --a------ C:\logfile.dat
2008-01-01 20:30 . 2008-01-01 20:30 <DIR> d-------- C:\Program Files\Leapfrog
2008-01-01 20:30 . 2008-01-01 20:30 444 --a------ C:\WINDOWS\{5D946D0D-9437-4E15-AC1F-F9BCF0B32561}_WiseFW.ini
2008-01-01 20:29 . 2008-01-24 17:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-27 16:00 . 2007-12-27 16:00 <DIR> d-------- C:\Program Files\Common Files\Knowledge Adventure
2007-12-27 16:00 . 2007-12-27 16:00 <DIR> d-------- C:\Program Files\Blaster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 13:46 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-23 23:11 --------- d-----w C:\Program Files\Java
2007-12-26 17:45 --------- d-----w C:\Program Files\APTE Software
2007-12-26 17:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 14:53 --------- d-----w C:\Program Files\Common Files\Books by You
2007-12-26 14:53 --------- d-----w C:\Program Files\Books by You
2007-12-19 23:12 --------- d-----w C:\Program Files\LimeWire
2007-12-19 23:05 --------- d-----w C:\Program Files\CMMFS
2007-12-19 23:03 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-18 05:43 23,396 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2007-12-17 03:53 --------- d-----w C:\Program Files\GALA-NET
2007-12-17 03:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-17 03:43 --------- d-----w C:\Program Files\PKWARE
2007-12-17 03:43 --------- d-----w C:\Program Files\Common Files\PKWARE
2007-12-17 03:00 --------- d-----w C:\Program Files\Eudemons Online
2007-12-13 18:28 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
2001-08-18 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 05:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 05:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 05:56 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 05:56 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 05:56 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 05:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-25_21.09.45.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-26 02:03:21 1,404,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 16:19:23 1,404,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-26 02:03:21 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 16:19:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-26 02:03:22 5,844,992 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-27 16:19:23 5,844,992 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-26 02:03:22 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 16:19:24 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-26 02:03:22 1,400,832 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-27 16:19:24 1,400,832 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-26 02:03:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 16:19:24 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Zero Knowledge Freedom"="C:\Program Files\Zero Knowledge\Freedom\Freedom.exe" [ ]
"SeaMonkey Quick Launch"="C:\Program Files\mozilla.org\SeaMonkey\SeaMonkey.exe" [ ]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\Money Express.exe" [ ]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"S3apphk"="S3apphk.exe" [2002-03-16 00:51 28672 C:\WINDOWS\system32\S3apphk.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 01:39 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 22:13 81920]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [ ]
"nwiz"="nwiz.exe" [2006-09-18 15:25 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-09-18 15:25 86016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-09-18 15:25 7630848]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 14:55 155648]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 14:51 118784]
"FlyMonitor"="C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe" [2007-11-15 14:32 669000]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-03-14 12:25 102455]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="C:\WINDOWS\system32\sti_ci.dll" [2004-08-04 00:56 136704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 FlyUsb;FLY Fusion;C:\WINDOWS\system32\DRIVERS\FlyUsb.sys [2007-09-05 15:26]
S3 SQTECH913D;913D Camera;C:\WINDOWS\system32\Drivers\Capt913D.sys [2006-12-21 10:52]
S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys [2002-03-21 00:35]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 07:05:02 C:\WINDOWS\Tasks\avast! Antivirus.job"
- C:\PROGRA~1\ALWILS~1\Avast4\ashAvast.exe
"2008-01-25 07:10:00 C:\WINDOWS\Tasks\CleanUp!.job"
- C:\PROGRA~1\CleanUp!\Cleanup.exe
"2002-04-26 02:39:44 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 11:32:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\ArcSoft\PhotoImpression 5\share\pihook.dll
.
Completion time: 2008-01-27 11:37:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-27 16:37:20
ComboFix2.txt 2008-01-26 03:31:25
ComboFix3.txt 2008-01-26 02:11:26
.
2008-01-10 08:03:00 --- E O F ---
  • 0

#10
SlowerLower
Posted 27 January 2008 - 08:56 PM

SlowerLower

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here is my Kaspersky report
First what does this mean


1/27/2008 1:12:16 PM File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\98bhcgcw.default\Cache\6D952C06d01//PE_Patch.UPX/catchme.cfexe: detected modification of virus 'Heur.Invader'.[/color]

Report


Protection : running
--------------------
Total scanned: 319605
Detected: 7
Untreated: 0
Attacks blocked: 0
Start time: 1/27/2008 11:47:05 AM
Duration: 09:49:56


Detected
--------
Status Object
------ ------
detected: riskware Hidden data sending Running process: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
detected: riskware Invader Running process: C:\Program Files\Internet Explorer\iexplore.exe
detected: Trojan program Backdoor.Win32.Agent.cym URL: http://xtraload.net/..._Patch.UPX//UPX
not found: virus Heur.Invader (modification) File: c:\documents and settings\owner\desktop\combofix.exe//PE_Patch.UPX/catchme.cfexe
not found: virus Heur.Invader (modification) File: c:\documents and settings\owner\desktop\combofix.exe//PE_Patch.UPX/catchme.cfexe//PE_Patch.UPX
detected: riskware Invader Running process: C:\ComboFix\ListDlls.cfexe
not found: virus Heur.Invader (modification) File: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\98bhcgcw.default\Cache\6D952C06d01//PE_Patch.UPX/catchme.cfexe


Events
------
Time Event
---- -----
1/24/2008 6:10:59 PM Process (PID 492) tried to access Kaspersky Internet Security process (PID 548), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/24/2008 6:11:57 PM You are advised to perform a full computer scan as soon as possible.
1/24/2008 6:12:01 PM Database is out of date, leaving your computer at risk of infection. Please update your database.
1/24/2008 6:12:01 PM Protection of your computer is enabled.
1/24/2008 6:15:12 PM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 256): attempt to perform suspicious actions is blocked.
1/24/2008 6:15:17 PM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 256): attempt to perform suspicious actions is blocked.
1/24/2008 6:18:53 PM Update completed successfully
1/24/2008 6:36:11 PM Process (PID 976) tried to access Kaspersky Internet Security process (PID 1004), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/24/2008 6:37:06 PM You are advised to perform a full computer scan as soon as possible.
1/24/2008 6:37:06 PM Protection of your computer is enabled.
1/24/2008 6:39:16 PM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 1008): attempt to perform suspicious actions is blocked.
1/24/2008 6:39:17 PM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 1008): attempt to perform suspicious actions is blocked.
1/24/2008 6:47:26 PM Protection of your computer is not running. You are advised to resume protection.
1/24/2008 8:27:30 PM Process (PID 968) tried to access Kaspersky Internet Security process (PID 992), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/24/2008 8:28:10 PM Your evaluation period will end in 29 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
1/24/2008 8:28:13 PM You are advised to perform a full computer scan as soon as possible.
1/24/2008 8:28:14 PM Protection of your computer is enabled.
1/24/2008 8:30:03 PM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 900): attempt to perform suspicious actions is allowed.
1/24/2008 8:30:06 PM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 900): attempt to perform suspicious actions is allowed.
1/24/2008 8:33:06 PM Update completed successfully
1/24/2008 8:35:59 PM Process (PID 900) tried to access Kaspersky Internet Security process (PID 784), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/24/2008 8:35:59 PM Process (PID 900) tried to access Kaspersky Internet Security process (PID 992), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/24/2008 10:50:39 PM Update completed successfully
1/25/2008 1:10:17 AM Update completed successfully
1/25/2008 3:30:12 AM Update completed successfully
1/25/2008 5:30:28 AM Protection of your computer is not running. You are advised to resume protection.
1/25/2008 5:32:39 AM Process (PID 264) tried to access Kaspersky Internet Security process (PID 288), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/25/2008 5:33:15 AM Your evaluation period will end in 29 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
1/25/2008 5:33:18 AM You are advised to perform a full computer scan as soon as possible.
1/25/2008 5:33:19 AM Protection of your computer is enabled.
1/25/2008 5:34:00 AM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 788): attempt to perform suspicious actions is allowed.
1/25/2008 5:34:01 AM Process C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (PID: 788): attempt to perform suspicious actions is allowed.
1/25/2008 5:36:43 AM Update completed successfully
1/25/2008 6:05:33 AM Process (PID 3800) tried to access Kaspersky Internet Security process (PID 652), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/25/2008 6:05:33 AM Process (PID 3800) tried to access Kaspersky Internet Security process (PID 288), but the action has been blocked by the Self-Defense component. No action on your part is required.
1/25/2008 6:29:58 AM Process C:\Program Files\Internet Explorer\iexplore.exe (PID: 3800): attempt to embed itself into another process allowed.
1/25/2008 6:32:43 AM Process C:\Program Files\Internet Explorer\iexplore.exe (PID: 3800): attempt to embed itself into another process allowed.
1/25/2008 8:12:49 AM Not all components were updated
1/25/2008 10:16:30 AM Update completed successfully
1/25/2008 12:36:04 PM Update completed successfully
1/25/2008 2:08:07 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:07 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:13 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:13 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:19 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:19 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:20 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:20 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:22 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:22 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:23 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:23 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:24 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:24 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:26 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:26 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:27 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:27 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:29 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:29 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:30 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:30 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:32 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:32 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:33 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:33 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:35 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:35 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:37 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:37 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:38 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:38 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:40 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:40 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:41 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:41 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:42 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:42 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:08:44 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:08:44 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:02 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:02 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:04 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:04 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:08 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:08 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:10 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:10 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:11 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:11 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:12 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:12 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:14 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:14 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:20 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:20 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:21 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:21 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:23 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:23 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:24 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:24 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:25 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:25 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:26 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:26 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:37 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:37 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:38 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:38 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:39 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:39 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:09:39 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 2:09:39 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 2:18:53 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts.zip/sbRecovery.ini: is password protected.
1/25/2008 2:18:53 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts1.zip/sbRecovery.ini: is password protected.
1/25/2008 2:18:53 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts2.zip/sbRecovery.reg: is password protected.
1/25/2008 2:18:53 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts2.zip/sbRecovery.ini: is password protected.
1/25/2008 2:18:53 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MagicAntiSpy.zip/sbRecovery.reg: is password protected.
1/25/2008 2:18:53 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MagicAntiSpy.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWeb.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWeb.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWeb1.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWeb1.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts1.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts2.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts2.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts3.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts4.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts4.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch.zip/MWSBAR.DLL: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip/MWSSRCAS.DLL: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch10.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch11.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch11.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch12.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch12.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch13.zip/bar/History/search2: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch13.zip/bar/Settings/s_pid.dat: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch13.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch14.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch14.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch15.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch15.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch16.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch16.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch17.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:26 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch17.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch2.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch2.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch3.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch3.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip/bar/1.bin/F3HTMLMU.DLL: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip/bar/1.bin/MWSOEMON.EXE: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip/bar/1.bin/MWSOESTB.DLL: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip/bar/History/search2: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip/bar/Settings/s_pid.dat: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch5.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch5.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch6.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch6.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch7.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch7.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch8.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch8.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch9.zip/bar/1.bin/MWSOEMON.EXE: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch9.zip/bar/1.bin/MWSOESTB.DLL: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch9.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch1.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch1.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch2.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch2.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch3.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch3.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\WildTangent1.zip/sbRecovery.ini: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip/sbRecovery.reg: is password protected.
1/25/2008 2:21:27 PM File C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip/sbRecovery.ini: is password protected.
1/25/2008 2:22:27 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-25-2008 - 05-29-55.SBU/{2DE2EC85-1776-4422-A502-9C8CC28A8A92}: is password protected.
1/25/2008 2:22:27 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-25-2008 - 05-29-55.SBU/{41E09D51-28D6-43B3-A9E1-7F67525DAE28}: is password protected.
1/25/2008 2:22:27 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-25-2008 - 05-29-55.SBU/{53E13DE9-C5BD-4783-B494-3C5A3BEA3158}: is password protected.
1/25/2008 2:22:27 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-25-2008 - 05-29-55.SBU/{96C8338A-36A6-479A-8B62-930379A5A408}: is password protected.
1/25/2008 2:22:27 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-25-2008 - 05-29-55.SBU/backup.db: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\clihelp.ttd//tmp/..PKText.CLIHelp.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\Common.ttd//tmp/..PKText.Common.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\Common.ttd//tmp/..PKText.Common.en_US-RSA: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\pkbrowse.ttd//tmp/..PKText.PKBrowse.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKCmnDlg.ttd//tmp/..PKText.PKCmnDlg.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKCmnDlg.ttd//tmp/..PKText.PKCmnDlg.en_US-SECURE: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKCOM700.ttd//tmp/..PKText.PKCOM700.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKCOM700.ttd//tmp/..PKText.PKCOM700.en_US-SECURE: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKMail.ttd//tmp/..PKText.PKMail.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKMail.ttd//tmp/..PKText.PKMail.en_US-RSA: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKMail.ttd//tmp/..PKText.PKMail.en_US-SECURE: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\pknsetup.ttd//tmp/..PKText.PKNSetup.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKOPT700Text.ttd//tmp/..PKText.PKOPT700Text.en_US: is password protected.
1/25/2008 3:40:26 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKOPT700Text.ttd//tmp/..PKText.PKOPT700Text.en_US-SECURE: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKSerial.ttd//tmp/..PKText.PKSerial.en_US: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKSerial.ttd//tmp/..PKText.PKSerial.en_US-RSA: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKSerial.ttd//tmp/..PKText.PKSerial.en_US-SECURE: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKTLV700.ttd//tmp/..PKText.PKTLV700.en_US: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKTLV700.ttd//tmp/..PKText.PKTLV700.en_US-SECURE: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKWizardText.ttd//tmp/..PKText.PKWizardText.en-US-SECURE: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\PKWizardText.ttd//tmp/..PKText.PKWizardText.en_US: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\pkzipc.ttd//tmp/..PKText.pkzipc.en_US: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\pkzipgui.ttd//tmp/..PKText.PKZIPGUI.en_US: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\pkzipgui.ttd//tmp/..PKText.PKZIPGUI.en_US-SECURE: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\Vendor.ttd//tmp/..PKText.Vendor.en_US: is password protected.
1/25/2008 3:40:27 PM File C:\Program Files\Common Files\PKWARE\PKZIP7\Collections\Vendor.ttd//tmp/..PKText.Vendor.en_US-SECURE: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/clihelp.ttd//tmp/..PKText.CLIHelp.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/Common.ttd//tmp/..PKText.Common.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/Common.ttd//tmp/..PKText.Common.en_US-RSA: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/pkbrowse.ttd//tmp/..PKText.PKBrowse.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKCmnDlg.ttd//tmp/..PKText.PKCmnDlg.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKCmnDlg.ttd//tmp/..PKText.PKCmnDlg.en_US-SECURE: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKCOM700.ttd//tmp/..PKText.PKCOM700.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKCOM700.ttd//tmp/..PKText.PKCOM700.en_US-SECURE: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKMail.ttd//tmp/..PKText.PKMail.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKMail.ttd//tmp/..PKText.PKMail.en_US-RSA: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKMail.ttd//tmp/..PKText.PKMail.en_US-SECURE: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/pknsetup.ttd//tmp/..PKText.PKNSetup.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKOPT700Text.ttd//tmp/..PKText.PKOPT700Text.en_US: is password protected.
1/25/2008 4:28:52 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKOPT700Text.ttd//tmp/..PKText.PKOPT700Text.en_US-SECURE: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKSerial.ttd//tmp/..PKText.PKSerial.en_US: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKSerial.ttd//tmp/..PKText.PKSerial.en_US-RSA: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKSerial.ttd//tmp/..PKText.PKSerial.en_US-SECURE: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKTLV700.ttd//tmp/..PKText.PKTLV700.en_US: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKTLV700.ttd//tmp/..PKText.PKTLV700.en_US-SECURE: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKWizardText.ttd//tmp/..PKText.PKWizardText.en-US-SECURE: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/PKWizardText.ttd//tmp/..PKText.PKWizardText.en_US: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/pkzipc.ttd//tmp/..PKText.pkzipc.en_US: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/pkzipgui.ttd//tmp/..PKText.PKZIPGUI.en_US: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/pkzipgui.ttd//tmp/..PKText.PKZIPGUI.en_US-SECURE: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/Vendor.ttd//tmp/..PKText.Vendor.en_US: is password protected.
1/25/2008 4:28:53 PM File C:\WINDOWS\Downloaded Installations\{EDAD26BD-57D3-4BDA-993D-424C8C1ED399}\ZIP Reader 8.00.0018.msi//Data1.cab/Vendor.ttd//tmp/..PKText.Vendor.en_US-SECURE: is password protected.
1/25/2008 5:19:31 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:19:31 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:19:47 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:19:47 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:19:54 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:19:54 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:19:58 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:19:58 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:19:58 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:19:58 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:19:59 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:19:59 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:00 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:00 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:01 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:01 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:01 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:01 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:02 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:02 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:03 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:03 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:04 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:04 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:05 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:05 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:05 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:05 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:06 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:06 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:07 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:07 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:07 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:07 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:08 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:08 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:09 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:09 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:09 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:09 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:20:10 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:20:10 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:26:12 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:26:12 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:03 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:03 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:12 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:12 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:15 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:15 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:16 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:16 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:18 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:18 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:20 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:20 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:26 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:26 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:29 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:29 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:31 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:31 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:33 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:33 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:34 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:34 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:39 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:39 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:41 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:41 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:42 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:42 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:43 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:43 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:43 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:44 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:44 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:44 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:45 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:45 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:46 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:46 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:47 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:47 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:48 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:48 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:49 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:49 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:49 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:49 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:50 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:50 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:51 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:51 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:52 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:52 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:52 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:52 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:29:53 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:29:53 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:30:47 PM Update completed successfully
1/25/2008 5:40:27 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:40:28 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:40:29 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:40:29 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:40:29 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:40:30 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:40:30 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:40:30 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:40:31 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:40:31 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:40:32 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:40:32 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:40:33 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:40:33 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:40:33 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:40:34 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:40:34 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:40:34 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:40:35 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:40:35 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:40:37 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:40:37 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:40:38 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 5:40:38 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 5:42:42 PM Update completed successfully
1/25/2008 6:27:25 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 6:27:25 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 6:35:56 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 6:35:56 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: access denied.
1/25/2008 6:35:58 PM Malicious HTTP object <http://xtraload.net/...atch.UPX//UPX>: detected: Trojan program 'Backdoor.Win32.Agent.cym'.
1/25/2008 6:35:58 PM Malicious HTTP object <http://xtraload.net/...unex.exe//PE_Pa
  • 0

Advertisements

#11
JSntgRvr
Posted 28 January 2008 - 06:38 AM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, SlowerLower :)

Most of Karsperky findings are false positives.

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
nsysrunex.exe

[Exclude]

[Options]
Filter=KVDLUI



2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.

  • 0

#12
SlowerLower
Posted 28 January 2008 - 04:51 PM

SlowerLower

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hello Again

Here is the log

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 1/28/2008 5:44:05 PM for strings:
; 'nsysrunex.exe'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...
  • 0

#13
JSntgRvr
Posted 28 January 2008 - 06:21 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, SlowerLower :)

Lets try this application.

Download WinPFind35U.exe (BETA) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of WinpFind35U.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with WinpFind35U or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).
  • 0

#14
SlowerLower
Posted 29 January 2008 - 04:37 PM

SlowerLower

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
That program includes a trojan program trojan.win32.inject.mf and catchme.exe i dont understand why i should load it can you please explain - Thank You
  • 0

#15
JSntgRvr
Posted 29 January 2008 - 05:45 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts

That program includes a trojan program trojan.win32.inject.mf and catchme.exe i dont understand why i should load it can you please explain - Thank You

Yes. Some of its components will be detected as such, but it is due to its heuristics. That is the reason we recommended to temporary disable the real time protection in your computer. It will act against the application. The detections are false positives. Please proceed as requested. Once we are finished, we will remove all these programs from your computer.

Thanks!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP