Malware check: zlob.mediacodic [RESOLVED]


#1 **Brian** (Member, 1,159 posts)
Semper Paratus: Always Ready

Hello everyone:

Well, I was infected with a zlob infection, and ran HJT to determine what the deal was. Had the following things going on:

1. Red X in System Tray that was flashing
2. Browser Hijack and warnings that computer is infected
3. Virus Heat 4.3 was installed
4. Security Toolbar 7.1 Was Installed

Using my malware research skills, I was able to determine which entries in HJT were the culprits and research the CLSIDs. Then I used the malware removal instructions for Zlob.mediacodic in the Malware Guides and Tutorials Forum. Ran SmitfraudFix in Safe mode as instructed. I believe that I am clean, but just in case, I am posting a HJT log taken when I discovered I was first infected, before I followed the instructions, as well as a rapport.txt from before the infection was removed.

Here we go:
=================================
Prior to cleaning - HJT LOG showing infection
=================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:47 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NetProject\scit.exe
C:\Program Files\NetProject\sbmntr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\NetProject\scm.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\NetProject\sbsm.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\WebProxy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavBckPT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\NetProject\sbmdl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Web Application - {81705D67-3F73-4983-859B-97D0922E5ABE} - C:\Program Files\NetProject\wamdl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [VirusHeat 4.3] "C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe" /h
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorert...et/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorert...et/redirect.php (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Cribbage - http://download2.gam...nts/y/it1_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1197924352406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198251829781
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O22 - SharedTaskScheduler: djuka - {ee9f7cf5-cd49-4cd8-8ba6-1514e7a5c22c} - C:\WINDOWS\system32\wbchha.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe

--
End of file - 11870 bytes

=============================
Rapport.txt after running SmitfraudFix
============================
SmitFraudFix v2.294

Scan done at 17:05:14.07, Sat 02/23/2008
Run from C:\Documents and Settings\buddy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ee9f7cf5-cd49-4cd8-8ba6-1514e7a5c22c}"="djuka"

[HKEY_CLASSES_ROOT\CLSID\{ee9f7cf5-cd49-4cd8-8ba6-1514e7a5c22c}\InProcServer32]
@="C:\WINDOWS\system32\wbchha.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ee9f7cf5-cd49-4cd8-8ba6-1514e7a5c22c}\InProcServer32]
@="C:\WINDOWS\system32\wbchha.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\wbchha.dll -> Hoax.Win32.Renos.gen.o
C:\WINDOWS\system32\wbchha.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Documents and Settings\buddy\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusHeat 4.3.lnk Deleted
C:\DOCUME~1\buddy\STARTM~1\VirusHeat 4.3.lnk Deleted
C:\DOCUME~1\buddy\STARTM~1\Programs\VirusHeat 4.3 Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\buddy\Desktop\VirusHeat 4.3.lnk Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
C:\DOCUME~1\buddy\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\NetProject\ Deleted
C:\Program Files\VirusHeat 4.3\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DADB0BF4-E8AA-45C7-BBF8-C42238A78268}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DADB0BF4-E8AA-45C7-BBF8-C42238A78268}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DADB0BF4-E8AA-45C7-BBF8-C42238A78268}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

===========================
HJT LOG #2 - Run after SmitfraudFix
===========================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:22 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\WebProxy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavBckPT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Cribbage - http://download2.gam...nts/y/it1_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1197924352406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198251829781
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe

--
End of file - 10271 bytes
========================
SmitFraudFix log post cleaning
========================
SmitFraudFix v2.294

Scan done at 17:10:48.96, Sat 02/23/2008
Run from C:\Documents and Settings\buddy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DADB0BF4-E8AA-45C7-BBF8-C42238A78268}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DADB0BF4-E8AA-45C7-BBF8-C42238A78268}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DADB0BF4-E8AA-45C7-BBF8-C42238A78268}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Now, I am wondering if I am totally clean, or if I need to do anything more. The strange thing is that my Panda apparently didn't see or stop the infection, even though it was on. I recognized the type of infection, but was surprised that it was not neutralized.

Any help would be appreciated :)

Thank you!!!

Brian
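The triage Brian describes, picking the culprit entries out of an HJT log by their CLSIDs and paths and then comparing a before and after log, is easy to do by hand once and tedious after that. The following Python is an added example from the editor, not code from this thread, from Trend Micro or from the SmitFraudFix author: it parses the "Oxx - ..." lines of a HijackThis log, flags the entry classes that carried this particular infection (orphaned entries, unnamed BHOs, the O22 SharedTaskScheduler hook, Policies\Explorer\Run autostarts, and paths under NetProject or VirusHeat 4.3), and diffs two logs so you can see what a cleanup removed and what it left behind. The flag rules are the editor's own heuristics chosen from what the two logs above show, and the sample log text is constructed from a subset of those logs.

```python
"""Triage helper for HijackThis (HJT) logs: parse the "Oxx - ..." lines,
flag the entry classes that carried this thread's Zlob/Renos infection,
and diff a before/after pair to confirm what the cleanup removed.

Editor-added example, not code from the thread or from Trend Micro.
The flag rules are the editor's heuristics, chosen from what the two logs
in the thread show; the sample log text below is constructed from them."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HjtEntry:
    section: str  # HJT section tag, e.g. "O2", "O4", "O22"
    body: str     # the rest of the line after "O2 - "


# An HJT line is "<section> - <body>"; sections look like R0, F1, O2 ... O23.
HJT_LINE = re.compile(r"^([RFO]\d+) - (.*)$")

# Path fragments the thread's own logs tie to this infection: NetProject was
# the Zlob "media codec" payload, VirusHeat 4.3 the rogue scanner it installed.
KNOWN_BAD_FRAGMENTS = ("\\netproject\\", "\\virusheat 4.3\\")

# Constructed sample: a subset of the thread's pre-cleaning HJT log.
BEFORE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\NetProject\sbmdl.dll
O3 - Toolbar: Web Application - {81705D67-3F73-4983-859B-97D0922E5ABE} - C:\Program Files\NetProject\wamdl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [VirusHeat 4.3] "C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe" /h
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorert...et/redirect.php (file missing)
O22 - SharedTaskScheduler: djuka - {ee9f7cf5-cd49-4cd8-8ba6-1514e7a5c22c} - C:\WINDOWS\system32\wbchha.dll
"""

# Constructed sample: the same entries as they appear in the post-cleaning log.
AFTER_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
"""


def parse_hjt(text: str) -> list[HjtEntry]:
    """Return the R/F/O entries of an HJT log; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def flag_reasons(entry: HjtEntry) -> list[str]:
    """Why a defender would look twice at this entry (empty list = nothing odd)."""
    low = entry.body.lower()
    reasons = []
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("orphaned entry: registry points at a missing file")
    if entry.section in ("O2", "O3") and "(no name)" in low:
        reasons.append("unnamed BHO/toolbar")
    if entry.section == "O22":
        reasons.append("SharedTaskScheduler: Explorer loads this COM DLL at startup")
    if entry.section == "O4" and "policies\\explorer\\run" in low:
        reasons.append("Policies\\Explorer\\Run autostart outside the normal Run keys")
    if any(frag in low for frag in KNOWN_BAD_FRAGMENTS):
        reasons.append("path belongs to a known component of this infection")
    return reasons


def fmt(entry: HjtEntry) -> str:
    return f"{entry.section} - {entry.body}"


def flag_log(text: str) -> dict[str, list[str]]:
    """Map each suspicious HJT line to the reasons it was flagged."""
    out = {}
    for entry in parse_hjt(text):
        reasons = flag_reasons(entry)
        if reasons:
            out[fmt(entry)] = reasons
    return out


def diff_logs(before: str, after: str) -> dict[str, list[str]]:
    """Compare two HJT logs of one machine: what vanished, what is new,
    and what the cleanup left behind that still looks suspicious."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return {
        "removed": sorted(fmt(e) for e in b - a),
        "added": sorted(fmt(e) for e in a - b),
        "still_flagged": sorted(fmt(e) for e in a if flag_reasons(e)),
    }


if __name__ == "__main__":
    for line, why in flag_log(BEFORE_LOG).items():
        print(line, "\n    ->", "; ".join(why))
    report = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed by cleanup:", len(report["removed"]))
    print("still flagged:", report["still_flagged"])
```

Run against the two sample logs, every NetProject, VirusHeat and O22 line is flagged before cleaning and shows up as removed afterwards, while the one thing still flagged in the after log is the orphaned `(no file)` BHO, which is exactly the leftover the helper points out in the next reply. The heuristics are deliberately narrow: an O22 entry or a Policies\Explorer\Run autostart is not proof of infection on its own, so the output is a worklist for a human to research by CLSID and path, not a verdict.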


#2 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

Hi Brian

Looks like you did a good job in removing the key infections :)

You have one orphaned entry and a couple of adware entries in that log which we will clear now. We will also do a couple of scans and get a DSS to see if there is anything else lurking on your machine. We will also flush your temp folders; the scans will highlight and clear all cookies anyway.

The scans will likely take over 2 hours to complete, so just let them run till they are done.

====STEP 1====
Please download the OTMoveIt2 by OldTimer and Save it to your desktop.

Do NOT run it yet


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


====STEP 2====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


====STEP 3====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

====STEP 4====
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


In your next reply could I see:
1. the OTMoveIT log
2. the SUPERantispyware scan
3. the kaspersky scan
4. the 2 DSS logs

There is a lot of information to post in reply, and therefore you may need to post over more than one reply to ensure all the information is posted.

andrewuk
  • 0

#3
**Brian**

**Brian**

    Semper Paratus: Always Ready

  • Topic Starter
  • Member
  • PipPipPipPip
  • 1,159 posts
AndrewUK:

Thank you for responding so fast - I will be working on the things you ask me to do and will get back to you soon :)

Thanks :)

Brian
  • 0

#4
**Brian**

**Brian**

    Semper Paratus: Always Ready

  • Topic Starter
  • Member
  • PipPipPipPip
  • 1,159 posts
Hiyas AndrewUK:

Here is an update on my progress:

OTMoveIt 2 used and scan completed, and log saved
SAS Scan Completed and Log saved
Kaspersky Webscan commencing.........
DSS Scan to be completed when Kaspersky completes
Will post again with logs when all scans are completed

Brian
  • 0

#5
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
no problem, i will be here :)
  • 0

#6
**Brian**

**Brian**

    Semper Paratus: Always Ready

  • Topic Starter
  • Member
  • PipPipPipPip
  • 1,159 posts
Andrewuk:

My scans are done, and I am trying to run DSS as instructed - It keeps erroring out stating something about the inability to access the hosts file and my Panda neutralizes the scanner - I know I have some baddies in here, some of which were downloaded, and I want to get rid of them........

I can post the logs I have if you wish :)

Your pleasure?

Brian
  • 0

#7
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
post all the logs, and instead of the DSS post a hijackthis log
  • 0

#8
**Brian**

**Brian**

    Semper Paratus: Always Ready

  • Topic Starter
  • Member
  • PipPipPipPip
  • 1,159 posts

post all the logs, and instead of the DSS post a hijackthis log

Gotcha :)

Brian
  • 0

#9
**Brian**

**Brian**

    Semper Paratus: Always Ready

  • Topic Starter
  • Member
  • PipPipPipPip
  • 1,159 posts
OTMoveit 2 Log

C:\WINDOWS\ALCXMNTR.EXE moved successfully.
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe moved successfully.
[Custom Input]
< Purity >

OTMoveIt2 v1.0.20 log created on 02252008_084351

Brian
  • 0

#10
**Brian**

**Brian**

    Semper Paratus: Always Ready

  • Topic Starter
  • Member
  • PipPipPipPip
  • 1,159 posts
SuperAntiSpyware Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/25/2008 at 10:34 AM

Application Version : 3.9.1008

Core Rules Database Version : 3408
Trace Rules Database Version: 1400

Scan type : Complete Scan
Total Scan Time : 01:40:18

Memory items scanned : 628
Memory threats detected : 0
Registry items scanned : 6957
Registry threats detected : 2
File items scanned : 112482
File threats detected : 62

Adware.Tracking Cookie

Trojan.Media-Codec/V4
HKCR\videoPl.chl
HKCR\videoPl.chl\CLSID

Trojan.Smitfraud Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0019472.DLL

Rogue.VirusHeat
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0019494.EXE

Brian
  • 0
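The scan logs in this thread (the SUPERAntiSpyware log above and the Kaspersky Online Scanner log in the next post) raise the same triage question: which hits are tracking cookies or legitimate admin tools flagged as riskware, which are real malware, and which sit inside a System Restore snapshot that the scanner cannot clean. The script below is an added example, not a tool from the thread or from either vendor; its sample log excerpts are constructed to mirror the posted formats, and the bucketing rules (the "not-a-virus:" prefix as riskware, anything under System Volume Information as a restore-point copy) are my assumptions.

```python
"""Triage helper for the two scan-log formats posted in this thread.

Added example, not a tool from the thread or from SUPERAntiSpyware/Kaspersky.
The sample excerpts below are constructed to mirror the posted logs.
"""
import re
from collections import defaultdict

# Constructed excerpt of the detections section of a SUPERAntiSpyware log:
# a category line, then one location per line, blank line between groups.
SAS_SAMPLE = r"""
Adware.Tracking Cookie
C:\Documents and Settings\buddy\Cookies\buddy@ads.example[1].txt
C:\Documents and Settings\buddy\Cookies\buddy@stats.example[2].txt

Trojan.Media-Codec/V4
HKCR\videoPl.chl
HKCR\videoPl.chl\CLSID

Trojan.Smitfraud Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0019472.DLL

Rogue.VirusHeat
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0019494.EXE
"""

# Constructed excerpt of the per-object section of a Kaspersky Online Scanner
# report: "<object> Infected: <name> <action>" or "<object> Object is locked skipped".
# Container roll-up lines ("RarSFX: infected - 2 skipped") repeat inner hits and are ignored.
KAV_SAMPLE = r"""
C:\Documents and Settings\buddy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\buddy\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\buddy\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0018445.exe Infected: not-virus:Hoax.Win32.Gavec.s skipped
C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0018447.exe Infected: Trojan-Downloader.Win32.Zlob.ied skipped
L:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP192\A0016908.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

KAV_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
RESTORE_RE = re.compile(r"System Volume Information\\_restore\{", re.IGNORECASE)
REGISTRY_ROOTS = ("HKCR\\", "HKLM\\", "HKCU\\", "HKU\\")


def parse_sas(text):
    """Return [(category, location), ...] from a SUPERAntiSpyware detections section."""
    findings, category = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            category = None          # blank line ends the current group
        elif category is None:
            category = line          # first non-blank line of a group names it
        else:
            findings.append((category, line))
    return findings


def parse_kaspersky(text):
    """Return ([(detection_name, object), ...], locked_count) from a Kaspersky report.

    Locked objects (registry hives, index.dat, open logs) are counted, not
    listed: they were never scanned, so they are neither clean nor infected."""
    findings, locked = [], 0
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Object is locked skipped"):
            locked += 1
            continue
        m = KAV_RE.match(line)
        if m:
            findings.append((m.group("name"), m.group("obj")))
    return findings, locked


def classify(name):
    """Map a detection name or category to a triage bucket (assumed rules)."""
    low = name.lower()
    if "tracking cookie" in low:
        return "cookie"
    if low.startswith("not-a-virus:"):   # VNC, mIRC, reboot helper: riskware, not malware
        return "riskware"
    return "malware"                     # includes not-virus:Hoax (fake-alert payload)


def triage(findings):
    """Bucket findings; also flag restore-point copies and registry leftovers.

    Anything under System Volume Information is a System Restore snapshot the
    scanner cannot clean; HKCR/HKLM/HKCU entries are leftover class registrations."""
    out = defaultdict(list)
    for name, location in findings:
        out[classify(name)].append(location)
        if RESTORE_RE.search(location):
            out["restore_point"].append(location)
        if location.upper().startswith(REGISTRY_ROOTS):
            out["registry"].append(location)
    return dict(out)


if __name__ == "__main__":
    for label, (found, locked) in (("SUPERAntiSpyware", (parse_sas(SAS_SAMPLE), 0)),
                                   ("Kaspersky", parse_kaspersky(KAV_SAMPLE))):
        print(f"{label}: {len(found)} detections, {locked} locked objects skipped")
        for bucket, locations in sorted(triage(found).items()):
            print(f"  {bucket}: {len(locations)}")
```

Run against the real logs by pasting the detections section into the sample strings; the restore_point bucket is the set that no on-line scan will remove and that goes away only when the old restore points are purged.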


#11
**Brian**

**Brian**

    Semper Paratus: Always Ready

  • Topic Starter
  • Member
  • PipPipPipPip
  • 1,159 posts
Kaspersky Log

(Note: Ran Cleanup to clear temp files after trying to run DSS and having it fail)

Monday, February 25, 2008 7:35:31 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/02/2008
Kaspersky Anti-Virus database records: 580051


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\

Scan Statistics
Total number of scanned objects 176342
Number of viruses found 17
Number of infected objects 247
Number of suspicious objects 0
Duration of the scan process 08:00:00

Infected Object Name Virus Name Last Action
C:\01afa3a1fa870c4536b1\%temp%dd_msxml_retMSI.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\buddy\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped

C:\Documents and Settings\buddy\Application Data\Microsoft\Word\AutoRecovery save of RUTH RATHBURN SERVICE CALl-1.asd Object is locked skipped

C:\Documents and Settings\buddy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped

C:\Documents and Settings\buddy\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\buddy\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\buddy\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\buddy\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.f314eb97.ini.inuse Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Temp\hpodvd09.log Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Temp\~DF4034.tmp Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Temp\~DF43D.tmp Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Temp\~DF7735.tmp Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Temp\~DFF202.tmp Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\buddy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\buddy\My Documents\ANDREW\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

C:\Documents and Settings\buddy\My Documents\ANDREW\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

C:\Documents and Settings\buddy\My Documents\ANDREW\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

C:\Documents and Settings\buddy\My Documents\ANDREW\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

C:\Documents and Settings\buddy\My Documents\ANDREW\KUS-web-2007-09-23.tar Tar: infected - 4 skipped

C:\Documents and Settings\buddy\My Documents\ANDREW\KUS-web-2007-10-18.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

C:\Documents and Settings\buddy\My Documents\ANDREW\KUS-web-2007-10-18.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

C:\Documents and Settings\buddy\My Documents\ANDREW\KUS-web-2007-10-18.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

C:\Documents and Settings\buddy\My Documents\ANDREW\KUS-web-2007-10-18.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

C:\Documents and Settings\buddy\My Documents\ANDREW\KUS-web-2007-10-18.tar Tar: infected - 4 skipped

C:\Documents and Settings\buddy\My Documents\BUDDY'S DESKTOP ITEMS\PERSONAL\BSB\PAA\PAULS CLASS LISTS AND SCHEDULES\SERVICE_CALLS\RUTH RATHBURN SERVICE CALl-1.doc Object is locked skipped

C:\Documents and Settings\buddy\My Documents\MISC_DOCS\UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

C:\Documents and Settings\buddy\My Documents\MISC_DOCS\UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

C:\Documents and Settings\buddy\My Documents\MISC_DOCS\UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

C:\Documents and Settings\buddy\My Documents\MISC_DOCS\UltraVNC-102-Setup.exe Inno: infected - 3 skipped

C:\Documents and Settings\buddy\My Documents\PROGRAMS_ZIPFILES\MIRC\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

C:\Documents and Settings\buddy\My Documents\PROGRAMS_ZIPFILES\MIRC\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

C:\Documents and Settings\buddy\My Documents\PROGRAMS_ZIPFILES\MIRC\mirc621.exe NSIS: infected - 2 skipped

C:\Documents and Settings\buddy\My Documents\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

C:\Documents and Settings\buddy\My Documents\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

C:\Documents and Settings\buddy\My Documents\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe/data0004 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

C:\Documents and Settings\buddy\My Documents\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe Inno: infected - 3 skipped

C:\Documents and Settings\buddy\My Documents\PROGRAMS_ZIPFILES\REAL VNC\vnc-4_1_1-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped

C:\Documents and Settings\buddy\My Documents\PROGRAMS_ZIPFILES\REAL VNC\vnc-4_1_1-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Documents and Settings\buddy\My Documents\PROGRAMS_ZIPFILES\REAL VNC\vnc-4_1_1-x86_win32.exe Inno: infected - 2 skipped

C:\Documents and Settings\buddy\My Documents\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

C:\Documents and Settings\buddy\My Documents\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

C:\Documents and Settings\buddy\My Documents\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

C:\Documents and Settings\buddy\My Documents\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe Inno: infected - 3 skipped

C:\Documents and Settings\buddy\My Documents\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\buddy\My Documents\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\buddy\My Documents\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\buddy\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\buddy\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\MshConf\scoffset.bin.incr Object is locked skipped

C:\Program Files\Panda Software\Panda Internet Security 2007\f4d4851e8935eebef0f2eb52b3212bc9PSK_NAMES Object is locked skipped

C:\Program Files\Panda Software\Panda Internet Security 2007\f4d4851e8935eebef0f2eb52b3212bc9PSK_NAMES2 Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0018445.exe Infected: not-virus:Hoax.Win32.Gavec.s skipped

C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0018447.exe Infected: Trojan-Downloader.Win32.Zlob.ied skipped

C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0019445.exe Infected: not-virus:Hoax.Win32.Gavec.s skipped

C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0019447.exe Infected: Trojan-Downloader.Win32.Zlob.ied skipped

C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0019482.exe Infected: Trojan-Downloader.Win32.Zlob.ied skipped

C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0019483.exe Infected: Trojan-Downloader.Win32.Zlob.iej skipped

C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0019485.exe Infected: not-virus:Hoax.Win32.Gavec.s skipped

C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0019486.exe Infected: Trojan-Downloader.Win32.Zlob.ieq skipped

C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0019489.dll Infected: Trojan-Downloader.Win32.Zlob.iec skipped

C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP216\A0019524.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP219\change.log Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped

C:\WINDOWS\CSC\00000001 Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\ModemLog_Agere Win Modem.txt Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{ED7C5A64-6BFC-40D9-954C-8D30EAE9FB7A}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

L:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP192\A0016908.exe Infected: Trojan.Win32.Dialer.yz skipped

L:\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe Inno: infected - 3 skipped

L:\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe/data.rar/plugin/ipscan/ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped

L:\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe/data.rar/plugin/passwordspro/files/PasswordsPro.exe Infected: not-a-virus:PSWTool.Win32.SAMInside.b skipped

L:\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe/data.rar/plugin/VNCServer/vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

L:\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe/data.rar/plugin/VNCServer/winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

L:\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe/data.rar/plugin/ultravnc/files/vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe/data.rar/plugin/VNCServer/wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

L:\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe/data.rar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

L:\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe RarSFX: infected - 7 skipped

L:\PROGRAMS_ZIPFILES\SPYWARE UTILS FOR IE\vnc-3.3.7-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

L:\PROGRAMS_ZIPFILES\SPYWARE UTILS FOR IE\vnc-3.3.7-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

L:\PROGRAMS_ZIPFILES\SPYWARE UTILS FOR IE\vnc-3.3.7-x86_win32.exe/data0004 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

L:\PROGRAMS_ZIPFILES\SPYWARE UTILS FOR IE\vnc-3.3.7-x86_win32.exe Inno: infected - 3 skipped

L:\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

L:\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

L:\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe/data0004 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

L:\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe Inno: infected - 3 skipped

L:\PROGRAMS_ZIPFILES\REAL VNC\vnc-4_1_1-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped

L:\PROGRAMS_ZIPFILES\REAL VNC\vnc-4_1_1-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

L:\PROGRAMS_ZIPFILES\REAL VNC\vnc-4_1_1-x86_win32.exe Inno: infected - 2 skipped

L:\PROGRAMS_ZIPFILES\MIRC\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

L:\PROGRAMS_ZIPFILES\MIRC\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

L:\PROGRAMS_ZIPFILES\MIRC\mirc621.exe NSIS: infected - 2 skipped

L:\EMM_Backups\C ROOT\NERO 7 Premium\Nero-7.8.5.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

L:\EMM_Backups\C ROOT\NERO 7 Premium\Nero-7.8.5.0_eng_trial.exe RAR: infected - 1 skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\OCT\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\OCT\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\OCT\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\OCT\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\OCT\KUS-web-2007-09-23.tar Tar: infected - 4 skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar Tar: infected - 4 skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar Tar: infected - 4 skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar Tar: infected - 4 skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\EMM_Backups\C ROOT\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar Tar: infected - 4 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\MISC_DOCS\UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\MISC_DOCS\UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\MISC_DOCS\UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\MISC_DOCS\UltraVNC-102-Setup.exe Inno: infected - 3 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe Inno: infected - 3 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe/data.rar/plugin/ipscan/ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe/data.rar/plugin/passwordspro/files/PasswordsPro.exe Infected: not-a-virus:PSWTool.Win32.SAMInside.b skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe/data.rar/plugin/VNCServer/vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe/data.rar/plugin/VNCServer/winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe/data.rar/plugin/ultravnc/files/vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe/data.rar/plugin/VNCServer/wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe/data.rar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe RarSFX: infected - 7 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\SPYWARE UTILS FOR IE\vnc-3.3.7-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\SPYWARE UTILS FOR IE\vnc-3.3.7-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\SPYWARE UTILS FOR IE\vnc-3.3.7-x86_win32.exe/data0004 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\SPYWARE UTILS FOR IE\vnc-3.3.7-x86_win32.exe Inno: infected - 3 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe/data0004 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe Inno: infected - 3 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\REAL VNC\vnc-4_1_1-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\REAL VNC\vnc-4_1_1-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\REAL VNC\vnc-4_1_1-x86_win32.exe Inno: infected - 2 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\MIRC\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\MIRC\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\MIRC\mirc621.exe NSIS: infected - 2 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar Tar: infected - 4 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar Tar: infected - 4 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar Tar: infected - 4 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar Tar: infected - 4 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\JUNE\KUS-web-2007-06-09.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\JUNE\KUS-web-2007-06-09.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\JUNE\KUS-web-2007-06-09.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\JUNE\KUS-web-2007-06-09.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\JUNE\KUS-web-2007-06-09.tar Tar: infected - 4 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\AUG\web-kus.tar/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\AUG\web-kus.tar/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\AUG\web-kus.tar/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\AUG\web-kus.tar/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\OTHER Programs ON D\UNIX BACKUPS\KROMHOUT_US_BACKUPS\AUG\web-kus.tar Tar: infected - 4 skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\OCT\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\OCT\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\OCT\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\OCT\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\OCT\KUS-web-2007-09-23.tar Tar: infected - 4 skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar Tar: infected - 4 skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar Tar: infected - 4 skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar Tar: infected - 4 skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar Tar: infected - 4 skipped

L:\ODDESSY BACKUPS\back-2\NERO 7 Premium\Nero-7.8.5.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

L:\ODDESSY BACKUPS\back-2\NERO 7 Premium\Nero-7.8.5.0_eng_trial.exe RAR: infected - 1 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\NERO 7 Premium\Nero-7.8.5.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\NERO 7 Premium\Nero-7.8.5.0_eng_trial.exe RAR: infected - 1 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\OCT\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\OCT\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\OCT\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\OCT\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\OCT\KUS-web-2007-09-23.tar Tar: infected - 4 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\KUS-web-2007-03-22.tar Tar: infected - 4 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-home-3-3-07.tar Tar: infected - 4 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-2007-03-08.tar Tar: infected - 4 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\KROMHOUT_US_BACKUPS\MAR\OLDER\KUS-web-3-3-07.tar Tar: infected - 4 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\ANDREW\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\ANDREW\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\ANDREW\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\ANDREW\KUS-web-2007-09-23.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\ANDREW\KUS-web-2007-09-23.tar Tar: infected - 4 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\ANDREW\KUS-web-2007-10-18.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\ANDREW\KUS-web-2007-10-18.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\ANDREW\KUS-web-2007-10-18.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\ANDREW\KUS-web-2007-10-18.tar/home/bsbaker/public_html/VNC/UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\ANDREW\KUS-web-2007-10-18.tar Tar: infected - 4 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\MISC_DOCS\UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\MISC_DOCS\UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\MISC_DOCS\UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\MISC_DOCS\UltraVNC-102-Setup.exe Inno: infected - 3 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\PROGRAMS_ZIPFILES\UltraVNC-102-Setup.exe Inno: infected - 3 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe/data0004 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\PROGRAMS_ZIPFILES\REAL VNC\vnc-3.3.7-x86_win32.exe Inno: infected - 3 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\PROGRAMS_ZIPFILES\REAL VNC\vnc-4_1_1-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\PROGRAMS_ZIPFILES\REAL VNC\vnc-4_1_1-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\PROGRAMS_ZIPFILES\REAL VNC\vnc-4_1_1-x86_win32.exe Inno: infected - 2 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\PROGRAMS_ZIPFILES\MIRC\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\PROGRAMS_ZIPFILES\MIRC\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

L:\ODDESSY BACKUPS\USERS\Buddys Documents\PROGRAMS_ZIPFILES\MIRC\mirc621.exe NSIS: infected - 2 skipped

L:\ADOBE1\Adobe_Acrobat_6.0_Standard.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.bwo skipped

L:\ADOBE1\Adobe_Acrobat_6.0_Standard.rar/crack.exe Infected: Trojan.Win32.Dialer.yz skipped

L:\ADOBE1\Adobe_Acrobat_6.0_Standard.rar RAR: infected - 2 skipped

L:\ADOBE1\Adobe_Acrobat_6_pro.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.bwo skipped

L:\ADOBE1\Adobe_Acrobat_6_pro.rar/crack.exe Infected: Trojan.Win32.Dialer.yz skipped

L:\ADOBE1\Adobe_Acrobat_6_pro.rar RAR: infected - 2 skipped

Scan process completed.


Brian

(Note: I know that there are apparently cracks there in the scan; I want to eliminate them.)


Edited by **Brian**, 26 February 2008 - 08:26 AM.
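The report above is long mostly because the same riskware installers (RealVNC, UltraVNC, mIRC, the Nero toolbar, the UBCD4Win tools) are counted once per backup copy, while the only verdict without Kaspersky's "not-a-virus:" prefix, Trojan.Win32.Dialer.yz, is on the crack.exe inside two Adobe RARs. The script below is an added example, not code from the original post or from any scanner vendor: it parses lines in the "path Infected: verdict skipped" shape used in the report, maps each hit back to the file that actually sits on disk (everything before the first "/", since archive members are appended with "/"), and separates riskware verdicts from real malware. The sample report is a constructed subset of the posted one, and the function names are this example's own.

```python
# Added example (not from the original post): triage a Kaspersky-style scan
# report. Verdicts carrying the "not-a-virus:" prefix are riskware (remote
# admin tools, IRC clients, port scanners, ad toolbars); verdicts without
# it are real malware and their on-disk container should go.
import re
from collections import defaultdict

# Constructed sample in the same shape as the posted report: one
# 'path Infected: verdict skipped' line per object and one
# 'path <Kind>: infected - N skipped' summary line per container.
SAMPLE_REPORT = r"""
L:\PROGRAMS_ZIPFILES\REAL VNC\vnc-4_1_1-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
L:\PROGRAMS_ZIPFILES\REAL VNC\vnc-4_1_1-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
L:\PROGRAMS_ZIPFILES\REAL VNC\vnc-4_1_1-x86_win32.exe Inno: infected - 2 skipped
L:\ADOBE1\Adobe_Acrobat_6.0_Standard.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.bwo skipped
L:\ADOBE1\Adobe_Acrobat_6.0_Standard.rar/crack.exe Infected: Trojan.Win32.Dialer.yz skipped
L:\ADOBE1\Adobe_Acrobat_6.0_Standard.rar RAR: infected - 2 skipped
L:\ADOBE1\Adobe_Acrobat_6_pro.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.bwo skipped
L:\ADOBE1\Adobe_Acrobat_6_pro.rar/crack.exe Infected: Trojan.Win32.Dialer.yz skipped
L:\ADOBE1\Adobe_Acrobat_6_pro.rar RAR: infected - 2 skipped
Scan process completed.
"""

RISKWARE_PREFIX = "not-a-virus:"

# Per-object verdict line. Summary lines use lowercase 'infected -' and have
# no 'Infected:' token, so this pattern does not match them.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")

# Container summary line, e.g. 'path RAR: infected - 2 skipped'.
SUMMARY_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")


def container_of(path):
    """On-disk file for a hit: everything before the first '/'. Windows
    paths only use backslashes, so '/' always introduces an archive member."""
    return path.split("/", 1)[0]


def parse_detections(text):
    """Yield (container, full_path, verdict) for every per-object line."""
    for raw in text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if m:
            yield container_of(m["path"]), m["path"], m["verdict"]


def declared_counts(text):
    """Map container -> number of hits the scanner declared in its summary."""
    counts = {}
    for raw in text.splitlines():
        m = SUMMARY_RE.match(raw.strip())
        if m:
            counts[m["path"]] = int(m["count"])
    return counts


def triage(text):
    """Group verdicts by container and split them into malware vs riskware."""
    out = defaultdict(lambda: {"malware": set(), "riskware": set()})
    for container, _path, verdict in parse_detections(text):
        bucket = "riskware" if verdict.startswith(RISKWARE_PREFIX) else "malware"
        out[container][bucket].add(verdict)
    return dict(out)


def files_to_remove(text):
    """Containers holding at least one verdict without the riskware prefix."""
    return sorted(c for c, v in triage(text).items() if v["malware"])


def count_mismatches(text):
    """Containers whose parsed hit count disagrees with the scanner's summary;
    anything here means the report was truncated or a line was not parsed."""
    seen = defaultdict(int)
    for container, _path, _verdict in parse_detections(text):
        seen[container] += 1
    return {c: (seen.get(c, 0), n) for c, n in declared_counts(text).items()
            if seen.get(c, 0) != n}


if __name__ == "__main__":
    for container, v in sorted(triage(SAMPLE_REPORT).items()):
        tag = "MALWARE " if v["malware"] else "riskware"
        print(f"[{tag}] {container}: {sorted(v['malware'] | v['riskware'])}")
    print("remove:", files_to_remove(SAMPLE_REPORT))
    print("mismatches:", count_mismatches(SAMPLE_REPORT))
```

Run against the full posted report, files_to_remove() comes back with just the two Adobe RARs, and the dozens of VNC and mIRC lines collapse to a handful of riskware containers that are only a problem if you did not put them there yourself. Deleting a RAR or tar removes every member inside it, so the crack and keygen go together; the same containers appear under L:\EMM_Backups and L:\ODDESSY BACKUPS, so the backup copies need the same treatment or the next scan will list them again.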

#12
**Brian** (Topic Starter, Member, 1,159 posts)
New HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:32 AM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavBckPT.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\WebProxy.exe
C:\Program Files\SSH Communications Security\SSH Secure Shell\SshClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Cribbage - http://download2.gam...nts/y/it1_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1197924352406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198251829781
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe

--
End of file - 10386 bytes


Brian
  • 0
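The log above uses the HijackThis entry format (a section code such as R0, O2, O4 or O23, then " - ", then the entry body with its CLSID and file path). As an added example that is not from this thread or from the HijackThis project, the parser below pulls those fields out and diffs two logs, which is how a helper can see exactly which entries disappeared between a pre-cleanup and post-cleanup log; the sample logs are constructed from a few lines of the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
# Registry-style CLSID as printed by HijackThis, e.g. {AA58ED58-01DD-4d91-8333-CF10577473F7}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class HjtEntry:
    section: str
    body: str
    clsid: Optional[str]   # None for sections without a CLSID (R0, O4, ...)
    path: Optional[str]    # last " - " separated field: file path or URL, if present


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse the R*/F*/N*/O* entry lines of a HijackThis log.

    Header lines, the 'Running processes' list and the 'End of file' footer
    do not match ENTRY_RE and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = body.rsplit(" - ", 1)[-1] if " - " in body else None
        entries.append(HjtEntry(m.group("section"), body, clsid.group(0) if clsid else None, path))
    return entries


def diff_logs(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """Return (removed, added) entry bodies between two logs, e.g. pre- and post-cleanup."""
    b = {e.body for e in parse_hjt(before)}
    a = {e.body for e in parse_hjt(after)}
    return b - a, a - b


# Constructed sample logs (a handful of lines taken from the log posted above).
BEFORE = r"""Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 10386 bytes
"""
# Same machine after cleanup: the O2 BHO entry is gone.
AFTER = "\n".join(l for l in BEFORE.splitlines() if not l.startswith("O2 - ")) + "\n"
```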

#13
**Brian**

**Brian**

    Semper Paratus: Always Ready

  • Topic Starter
  • Member
  • PipPipPipPip
  • 1,159 posts
Deleted the Adobe Directory with the cracks in it

Brian
  • 0

#14
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi Brian,

Your logs are looking good. In this post we shall clear the infected files found in the scans and do one final scan.

====STEP 1====
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    L:\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe
    L:\EMM_Backups\C ROOT\NERO 7 Premium\Nero-7.8.5.0_eng_trial.exe
    L:\EMM_Backups\USER Data\buddy\MYDOCS\PROGRAMS_ZIPFILES\UB_CD4WIN_STUFF\UBCD4WinV25.exe
    L:\ODDESSY BACKUPS\back-2\NERO 7 Premium\Nero-7.8.5.0_eng_trial.exe
    L:\ODDESSY BACKUPS\back-2\ROOT DIRECTORY C\NERO 7 Premium\Nero-7.8.5.0_eng_trial.exe
    L:\ADOBE1\Adobe_Acrobat_6.0_Standard.rar
    L:\ADOBE1\Adobe_Acrobat_6_pro.rar
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


====STEP 2====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


In your next reply could I see:
1. the OTMoveIT log
2. the malwarebytes log
3. some idea of how your machine is running

andrewuk
  • 0

#15
**Brian**

**Brian**

    Semper Paratus: Always Ready

  • Topic Starter
  • Member
  • PipPipPipPip
  • 1,159 posts
AndrewUK:

I am sorry that I didn't get back to you until now - I am running OTMI II and will be downloading MBAM and running it as instructed: I will post again when these scans complete, possibly by tomorrow morning :)

Thanks for all the help :)

Brian
  • 0
