Bagle Virus Infection



#1 TurnerT2 (Member, 30 posts)
There are many different symptoms with my computer. I believe I must have gotten this when I used a coworker's SD card the other day. I can not run any scans locally but I was able to use the Kaspersky online scan. I will attach the Scanner Report to this. Any help in this matter would be greatly appreciated. :)

#2 TurnerT2 (Topic Starter, Member, 30 posts)
My laptop has McAfee Antivirus and it used to start every time during startup; now it doesn't and I can't get it to open manually. When I go to services.msc there are many services that have been disabled or stopped (Automatic Updates, Background Intelligent Service, McAfee Framework Service, Network Associates McShield, Network Associates Task Manager, Security Center, Windows Firewall/Internet Connection Sharing (ICS), Wireless Zero Configuration) to name a few. I have also tried using System Restore, which was unsuccessful using many different restore points. Also I have tried using the SUPERAntiSpyware Free Edition off of this site and when it starts to scan the hard drive it crashes the computer. I am not sure if this is helpful info but I figured I would throw it out there. Thanks again!!

#3 TurnerT2 (Topic Starter, Member, 30 posts)
I have also tried to use HiJackThis but when I click to open the prog. I get a message saying HiJackThis.exe is not a valid Win32 application. I have read some other threads on this issue and they seem to have had the same issue with the Bagle virus. What is the workaround so I can get a log to you?

#4 TurnerT2 (Topic Starter, Member, 30 posts)
Below is the Kaspersky Online Scanner Report

KASPERSKY ONLINE SCANNER REPORT
Saturday, April 19, 2008 9:46:03 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/04/2008
Kaspersky Anti-Virus database records: 715057


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 119684
Number of viruses found 7
Number of infected objects 55
Number of suspicious objects 0
Duration of the scan process 07:52:07

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\ArchestrA\LogFiles\STLGBUDZYNSKIXP1148331256.aaLDX Object is locked skipped

C:\Documents and Settings\All Users\Application Data\ArchestrA\LogFiles\STLGBUDZYNSKIXP1148331256.aaLOG Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Rockwell\RNAClient\Global\$Global.RnaD Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Rockwell\RNAClient\Global\$System.RnaD Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Rockwell\RNAClient\Local\$Local.RnaD Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Rockwell\RNAClient\Local\$System.RnaD Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Rockwell\RNAServer\Global\$Global.RnaD Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Rockwell\RNAServer\Global\$System.RnaD Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Rockwell\RNAServer\Local\$Local.RnaD Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Rockwell\RNAServer\Local\$System.RnaD Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\smturner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\smturner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\smturner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\smturner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\smturner\Local Settings\History\History.IE5\MSHist012008041720080418\index.dat Object is locked skipped

C:\Documents and Settings\smturner\Local Settings\History\History.IE5\MSHist012008041820080419\index.dat Object is locked skipped

C:\Documents and Settings\smturner\Local Settings\Temp\~DF95A7.tmp Object is locked skipped

C:\Documents and Settings\smturner\Local Settings\Temp\~DF95B8.tmp Object is locked skipped

C:\Documents and Settings\smturner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\smturner\Local Settings\Temporary Internet Files\Content.IE5\89VMN7OD\b64_1[1].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\Documents and Settings\smturner\Local Settings\Temporary Internet Files\Content.IE5\89VMN7OD\b64_1[2].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\Documents and Settings\smturner\Local Settings\Temporary Internet Files\Content.IE5\AE50KXC4\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped

C:\Documents and Settings\smturner\Local Settings\Temporary Internet Files\Content.IE5\AE50KXC4\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped

C:\Documents and Settings\smturner\Local Settings\Temporary Internet Files\Content.IE5\CD2W83XS\b64_1[1].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\Documents and Settings\smturner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\smturner\Local Settings\Temporary Internet Files\Content.IE5\NHZF4OVS\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped

C:\Documents and Settings\smturner\Local Settings\Temporary Internet Files\Content.IE5\NHZF4OVS\b64_2[2].jpg Infected: Email-Worm.Win32.Bagle.vr skipped

C:\Documents and Settings\smturner\Local Settings\Temporary Internet Files\Content.IE5\RN1QR83V\b64_1[1].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\Documents and Settings\smturner\Local Settings\Temporary Internet Files\Content.IE5\RN1QR83V\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped

C:\Documents and Settings\smturner\Local Settings\Temporary Internet Files\Content.IE5\Z0C0PLDL\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped

C:\Documents and Settings\smturner\ntuser.dat Object is locked skipped

C:\Documents and Settings\smturner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Siemens\SWS\almsrv\almdb.ldb Object is locked skipped

C:\Program Files\Common Files\Siemens\SWS\almsrv\almdb.mdb Object is locked skipped

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\Program Files\TightVNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped

C:\Program Files\TightVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP589\A0370829.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP589\A0370830.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP590\A0370851.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP590\A0370871.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP590\A0370872.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP590\A0370882.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP590\A0370883.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP590\A0370886.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591\A0370973.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591\A0370974.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591\A0370975.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591\A0371882.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591\A0371883.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591\A0371889.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591\A0373882.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591\A0373883.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591\A0373886.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591\A0374882.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591\A0374883.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591\A0374885.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591\A0375882.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591\A0375883.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591\A0375885.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP592\A0375887.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP592\A0375889.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP592\A0375890.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP592\A0375945.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP592\A0375957.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP592\A0375959.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP592\A0376090.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP592\A0376100.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP593\A0376206.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP593\A0376207.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP593\A0376208.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP593\A0376260.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP593\A0376272.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP593\A0376274.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP593\A0376405.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP593\A0376415.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP593\A0376518.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP593\A0376519.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP593\A0376520.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped

C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP593\change.log Object is locked skipped

C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe Object is locked skipped

C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe Object is locked skipped

C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe Object is locked skipped

C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped

C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB890859_0$\ntoskrnl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped

C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped

C:\WINDOWS\CSC\00000001 Object is locked skipped

C:\WINDOWS\Debug\Netlogon.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\FTDiag.evt Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\JET5D8.tmp Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.
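As an added example (not part of the thread or of any tool mentioned in it), a small Python parser for the report format above: it tallies detections by family and by location, separates the active infection from the copies sitting in System Restore points (which is why restoring to an older point is a re-infection risk rather than a fix), flags Kaspersky's "not-a-virus" riskware separately, and cross-checks the parsed entries against the report's own Scan Statistics block so a log truncated when split across posts is noticed. The sample report is a constructed excerpt of the report above; run on the full report the cross-check reproduces its 7 viruses / 55 infected objects.

```python
"""Tally a Kaspersky Online Scanner report in the format pasted in post #4.

Added example for this thread, not code from the original posts. Assumes the
quoted format: one object per line ending in 'Infected: <detection> skipped'
or 'Object is locked skipped', after a 'Scan Statistics' block with totals.
"""
import re
from collections import Counter

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
STAT_RE = re.compile(r"^Number of (viruses found|infected objects) (\d+)$")

# Constructed sample: a few entries copied from the posted report, with a
# statistics block that matches this excerpt (the full report says 7 and 55).
SAMPLE_REPORT = r"""Scan Statistics
Number of viruses found 5
Number of infected objects 6

Infected Object Name Virus Name Last Action
C:\Documents and Settings\smturner\Local Settings\Temporary Internet Files\Content.IE5\89VMN7OD\b64_1[1].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\smturner\Local Settings\Temporary Internet Files\Content.IE5\AE50KXC4\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped
C:\Program Files\TightVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP589\A0370829.exe Infected: Trojan-Downloader.Win32.Bagle.ne skipped
C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP590\A0370872.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""


def location_class(path):
    """Bucket a path by what its location tells the responder."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore point"   # copies System Restore would bring back
    if "\\temporary internet files\\" in p:
        return "browser cache"   # downloaded payloads cached by the browser
    if p.startswith("c:\\program files\\"):
        return "program files"   # installed, live components
    if p.startswith("c:\\windows\\"):
        return "windows"
    return "other"


def family(detection):
    """'Trojan-Downloader.Win32.Bagle.ne' -> 'Bagle'."""
    parts = detection.split(".")
    return parts[-2] if len(parts) >= 2 else detection


def summarize(report_text):
    infected, locked, stats = [], [], {}
    for raw in report_text.splitlines():
        line = raw.strip()
        if (m := INFECTED_RE.match(line)):
            infected.append((m["path"], m["name"]))
        elif (m := LOCKED_RE.match(line)):
            locked.append(m["path"])
        elif (m := STAT_RE.match(line)):
            stats[m.group(1)] = int(m.group(2))
    # Kaspersky's 'not-a-virus:' prefix marks riskware (here the user's own
    # VNC server): review it, but do not count it as part of the worm.
    riskware = [(p, n) for p, n in infected if n.startswith("not-a-virus:")]
    malware = [(p, n) for p, n in infected if not n.startswith("not-a-virus:")]
    return {
        "infected_objects": len(infected),
        "locked_objects": len(locked),
        "distinct_detections": len({n for _, n in infected}),
        "by_family": Counter(family(n) for _, n in malware),
        "by_location": Counter(location_class(p) for p, _ in infected),
        # Everything outside restore points is the infection to clean now;
        # the restore-point copies are what a System Restore would reinstate.
        "active": [(p, n) for p, n in malware
                   if location_class(p) != "restore point"],
        "riskware": riskware,
        "stats": stats,
    }


def matches_scanner_totals(summary):
    """Compare parsed entries with the report's own Scan Statistics; a
    mismatch usually means the pasted log was truncated or split."""
    stats = summary["stats"]
    return (stats.get("viruses found") == summary["distinct_detections"]
            and stats.get("infected objects") == summary["infected_objects"])


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['infected_objects']} infected, {s['distinct_detections']} "
          f"distinct detections, {s['locked_objects']} locked")
    print("by family:", dict(s["by_family"]))
    print("by location:", dict(s["by_location"]))
    print("active (outside restore points):")
    for path, name in s["active"]:
        print(f"  {name:40} {path}")
    print("riskware:", [n for _, n in s["riskware"]])
    print("totals match scanner header:", matches_scanner_totals(s))
```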

#5 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will try to help you get through the process of cleaning the malware from your computer. I must warn you now though, that Bagle can be virtually impossible to remove in some cases, and that reformatting is sometimes the only option.

That said, if you are willing to try to get rid of it, I will do my best to help, but will offer no guarantees of success.

OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with. Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then Un-check Word Wrap. (Word Wrap makes reading your log difficult).

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\

It is important that you run DSS first and save the logs as I want to see how your system looks before running Combofix in the next stage.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now please ensure you follow these instructions very carefully.

Please read this Combofix tutorial before continuing, then follow the instructions below.

Download ComboFix from Here, Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version).

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Now we need to install the Recovery Console. Go to Microsoft's website => http://support.microsoft.com/kb/310994
  • Select the download that's appropriate for your Operating System (yours is XP Service Pack 2).

  • Download the file & save it as it's originally named, next to ComboFix.exe.

  • Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

    -----------------------------------------------------------

  • When the Recovery Console installation is complete. Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply. (This log can also be found at C:\Combofix.txt)
Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So in your next reply, please include the following logs:
  • The contents of DSS main.txt
  • The contents of DSS extra.txt
  • The contents of Combofix.txt
Note that you may have to split your replies into two or three posts to ensure that the full contents of the logs are included.

Regards,
RatHat

#6 TurnerT2 (Topic Starter, Member, 30 posts)
Thank you so much for taking the time to help!! I tried to enable hidden files and folders viewing but it is not in the Folder Options. I have enabled it using HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced in regedit. In the right-hand area, I double-clicked Hidden and changed the value to 1. I downloaded DSS and saved the .exe to my desktop. When I click to open the program, it prompts me to run; I hit Run and then I hear a beep, then a window comes up and asks me to allow it to scan the computer and create a log. When I click OK the window goes away and nothing happens. I want to be safe and ask you: should I go ahead and run ComboFix? Thanks again.

#7 RatHat (Ex Malware Expert, 7,829 posts)
Yes, let's go ahead and run Combo-Fix. Please make sure to rename it during download though; this is VERY important, as Bagle blocks any file named Combofix from running.

#8 TurnerT2 (Topic Starter, Member, 30 posts)
I'm sorry for the delay. I have followed your instructions, installed the Recovery Console and run through ComboFix. I will paste the log below.

ComboFix 08-04-20.2 - SMTurner 2008-04-20 15:17:56.1 - NTFSx86
Running from: C:\Documents and Settings\smturner\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\smturner\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\4PUPRPPPPPfmis\00000000000000000000.DLL
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\hosts
C:\WINDOWS\system32\4PUPRPPPPPfmis\00000000000000000000.DLL
C:\WINDOWS\system32\5BF43CB899.dll
C:\WINDOWS\system32\ban_list.txt
C:\WINDOWS\system32\CMMGR32.EXE
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-20 15:29 . 2008-04-20 15:29 <DIR> d-------- C:\WINDOWS\system32\drivers\downld
2008-04-20 14:29 . 2008-04-20 14:29 <DIR> d-------- C:\Deckard
2008-04-19 11:04 . 2008-04-19 11:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-19 11:03 . 2008-04-19 19:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-19 11:03 . 2008-04-19 11:03 <DIR> d-------- C:\Documents and Settings\smturner\Application Data\SUPERAntiSpyware.com
2008-04-19 10:53 . 2008-04-19 10:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 00:47 . 2008-04-19 00:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-19 00:47 . 2008-04-19 00:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-18 10:25 . 2008-04-18 10:29 66 --a------ C:\WINDOWS\PVB.INI
2008-04-17 21:58 . 2008-04-17 21:58 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-17 21:36 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-17 19:41 . 2008-04-19 00:30 <DIR> d-------- C:\201b79a5c3067caab4
2008-04-17 19:34 . 2008-04-19 00:30 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-17 19:34 . 2008-04-17 19:34 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-17 19:34 . 2008-04-02 20:07 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-04-17 19:34 . 2008-04-17 19:34 352,624 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-04-17 19:32 . 2008-04-17 19:35 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-06 20:18 . 2008-04-20 15:28 108,402 --a------ C:\WINDOWS\system32\oodbs.lor
2008-04-06 20:16 . 2008-04-06 20:16 0 --a------ C:\WINDOWS\oodcnt.INI
2008-04-06 20:10 . 2008-04-06 20:21 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-04-06 20:06 . 2008-04-06 20:06 <DIR> d-------- C:\Program Files\OO Software
2008-04-06 19:40 . 2008-04-06 19:40 <DIR> d-------- C:\WINDOWS\system32\AppData
2008-04-03 16:29 . 2008-04-03 16:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2008-03-30 12:39 . 2008-03-30 12:40 4 --a------ C:\WINDOWSRegDefrag.dat
2008-03-30 12:30 . 2008-03-30 12:30 57,344 --a------ C:\WINDOWS\system32\ROCD7.tmp
2008-03-30 11:44 . 2008-03-30 11:44 <DIR> d-------- C:\Documents and Settings\smturner\Application Data\Systweak
2008-03-30 11:43 . 2008-04-06 19:50 <DIR> d-------- C:\Program Files\Advanced System Optimizer
2008-03-30 11:41 . 2006-03-14 14:00 544,833 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-03-30 11:41 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-03-30 11:41 . 2002-03-01 17:58 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-03-30 11:41 . 2002-03-01 17:58 28,160 --a------ C:\WINDOWS\system32\anim.dll
2008-03-30 11:41 . 1999-11-22 15:50 4,608 --a------ C:\WINDOWS\system32\W95INF32.DLL
2008-03-30 11:41 . 1999-11-22 15:50 2,272 --a------ C:\WINDOWS\system32\W95INF16.DLL
2008-03-30 11:41 . 1999-12-02 12:42 439 --a------ C:\WINDOWS\system32\shfolder.inf
2008-03-25 09:21 . 2008-03-25 09:21 <DIR> d-------- C:\Temp\AOPDiagnostics
2008-03-25 09:13 . 2008-03-25 09:13 <DIR> d-------- C:\CGCM
2008-03-25 09:13 . 2002-01-09 16:40 362,200 --a------ C:\WINDOWS\system32\Vsprint7.ocx
2008-03-25 09:13 . 1995-07-25 23:00 200,704 --a------ C:\WINDOWS\system32\THREED32.OCX
2008-03-25 09:13 . 1998-11-19 09:46 111,104 --a------ C:\WINDOWS\system32\cscomb32.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 13:14 --------- d-----w C:\Program Files\Rockwell Software
2008-03-25 13:12 --------- d-----w C:\Program Files\Rockwell Automation
2008-03-25 13:10 --------- d-----w C:\Program Files\Common Files\Rockwell
2008-03-25 04:14 --------- d-----w C:\Documents and Settings\smturner\Application Data\gspec
2008-03-23 23:45 63,024 ----a-w C:\Documents and Settings\smturner\Application Data\GDIPFONTCACHEV1.DAT
2008-03-19 23:03 --------- d-----w C:\Program Files\gspec
2008-03-19 23:02 --------- d-----w C:\Program Files\Google
2008-03-18 23:49 --------- d-----w C:\Program Files\ControlFLASH
2008-03-18 23:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-18 16:14 --------- d-----w C:\Program Files\Common Files\Siemens
2008-03-18 16:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Siemens
2008-03-18 16:12 --------- d-----w C:\Program Files\SIEMENS
2008-03-16 15:54 --------- d-----w C:\Program Files\FKI Logistex
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2004-04-15 16:05 856135 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2005-08-19 01:02 679936]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-04-15 16:05 4866048]
"nwiz"="nwiz.exe" [2004-04-15 16:05 323584 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 16:00 88363 C:\WINDOWS\agrsmmsg.exe]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-04-20 15:23 139320]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2008-04-20 15:23 94208]
"UsbCipHelper"="C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2006-09-28 19:25 434176]
"S7UB Start"="C:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2006-03-13 23:59 102453]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 02:08 2512392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2004-11-01 12:50 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2004-06-03 02:50 204800 C:\Program Files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMax]
--a------ 2004-08-06 09:27 860160 C:\Program Files\Analog Devices\SoundMAX\smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--ah----- 2005-08-19 01:02 679936 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 22:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\ArchestrA\\aaLogger.exe"=
"C:\\Program Files\\Common Files\\ArchestrA\\slssvc.exe"=
"C:\\Program Files\\Wonderware\\InTouch\\wm.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\WINDOWS\\system32\\OpcEnum.exe"=
"C:\\WINDOWS\\system32\\dllhost.exe"=
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"102:TCP"= 102:TCP:DAS SI 102
"135:TCP"= 135:TCP:DCOM 135
"502:TCP"= 502:TCP:Modicon 502
"1434:UDP"= 1434:UDP:SQL Server Browser 1434
"1433:TCP"= 1433:TCP:SQL TCP 1433
"2221:TCP"= 2221:TCP:DAS ABTCP 2221
"2222:TCP"= 2222:TCP:DAS ABTCP 2222
"2223:TCP"= 2223:TCP:DAS ABTCP 2223
"5413:TCP"= 5413:TCP:Port 5413
"80:TCP"= 80:TCP:SuiteVoyager 80
"443:TCP"= 443:TCP:SuiteVoyager 443
"9001:TCP"= 9001:TCP:vista 9001
"9002:TCP"= 9002:TCP:EnvMngr 9002
"9003:TCP"= 9003:TCP:MsgMngr 9003
"9004:TCP"= 9004:TCP:SecMngr 9004
"9006:TCP"= 9006:TCP:RedMngr 9006
"9007:TCP"= 9007:TCP:UnilinkMngr 9007
"9008:TCP"= 9008:TCP:BatchMngr 9008
"9011:TCP"= 9011:TCP:LogMngr 9011
"9012:TCP"= 9012:TCP:InfoMngr 9012
"9013:UDP"= 9013:UDP:RedMngrX 9013
"9014:UDP"= 9014:UDP:RedMngrX2 9014
"9015:TCP"= 9015:TCP:HistQMngrvista 9015
"9016:TCP"= 9016:TCP:HistQReader 9016
"44818:TCP"= 44818:TCP:Logix 44818

R1 RtIf;Radisys INTime;C:\WINDOWS\system32\drivers\RtIf.sys [2004-07-21 10:43]
R2 almservice;Automation License Manager Service;"C:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe" [2006-07-27 15:15]
R2 Dpmtrcdd;Dpmtrcdd;C:\WINDOWS\system32\DRIVERS\dpmtrcdd.sys [2006-07-11 15:16]
R2 INtimeClockSync;INtime Clock Synchronization;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\RTClkSrv.exe [2003-05-12 06:10]
R2 INtimeEventLog;INtime Event Log;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\RTELSrv.exe [2003-05-12 06:10]
R2 INtimeIO;INtime I/O;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\RTIOSrv.exe [2003-05-12 06:10]
R2 INtimeKernel;INtime Kernel;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\LoadRTK.exe [2003-05-12 06:10]
R2 INtimeRegistry;INtime Registry;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\RTRegSrv.exe [2003-05-12 06:10]
R2 s7asysvx;S7 Global Services;"C:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe" [2006-03-13 19:00]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;C:\WINDOWS\system32\Drivers\S7odpx2x.sys [2007-10-05 11:40]
R2 s7oiehsx;SIMATIC IEPG Help Service;C:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [2007-10-05 11:51]
R2 s7osmcax;s7osmcax;C:\WINDOWS\system32\Drivers\s7osmcax.sys [2007-10-05 11:44]
R2 s7otranx;s7otranx;C:\WINDOWS\system32\Drivers\s7otranx.sys [2007-10-05 11:47]
R2 s7snsrtx;PROFINET IO RT-Protocol;C:\WINDOWS\system32\DRIVERS\s7snsrtx.sys [2007-07-30 12:06]
R2 S7TraceServiceX;S7TraceServiceX;C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [2007-08-31 11:32]
R2 scpdrv;scpdrv;C:\PROGRAM FILES\COMMON FILES\SIEMENS\SWS\PLUGINS\SCP\scpdrv.sys [2003-11-10 18:22]
R2 slssvc;Wonderware SuiteLink;"C:\Program Files\Common Files\ArchestrA\slssvc.exe" [2004-07-07 13:07]
R2 SNTIE;SIMATIC Industrial Ethernet (ISO);C:\WINDOWS\system32\DRIVERS\sntie.sys [2007-08-10 09:34]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 EventServer;Rockwell Event Server;"C:\Program Files\Common Files\Rockwell\EventServer.exe" [2005-06-23 19:29]
R3 INtimeNodeDetection;INtime Node Detection;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\RTNDSrv.exe [2003-05-12 06:10]
R3 NtxRemote;INtime Remote Connection Manager;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\NTXREM~1.EXE [2003-05-12 06:10]
R3 S7oppilx;S7oppilx;C:\WINDOWS\system32\Drivers\S7oppilx.sys [2007-10-05 11:42]
S1 VirtualBackplane;A-B Virtual Backplane;C:\WINDOWS\system32\Drivers\VirtualBackplane.sys []
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;C:\WINDOWS\system32\Drivers\ABKTCX.sys [2000-05-31 21:13]
S3 CW10;Intel® PRO/Wireless LAN Module Driver;C:\WINDOWS\system32\DRIVERS\CW51Usb.sys [2002-07-16 17:22]
S3 EntivityVLCRTPublish;Entivity VLC RTPublish;C:\PROGRA~1\VLC\VLC_6_0\Bin\RTPUBL~1.EXE [2003-05-12 06:10]
S3 EntivityVLCTEEngine;Entivity VLC TEEngine;C:\PROGRA~1\VLC\VLC_6_0\Bin\TEEngine.exe [2003-05-12 06:10]
S3 INtimeDriver3C5xx;INtime 3Com 3C5xx Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeDriverEepro100;INtime Eepro100 Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeDriverLoopback;INtime Loopback Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeDriverNe;INtime NE Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeDriverRtl8139;INtime Rtl8139 Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeDriverTulip;INtime Tulip Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeIP;INtime IP;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeNetworkService;INtime Network Service;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\stacksrv.exe [2003-05-12 06:10]
S3 INtimeRawIP;INtime Raw IP;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeTCP;INtime TCP;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeUDP;INtime UDP ;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 IRIMAGER;Raytek Ti30, IR-Imager USB Driver (irimager.sys);C:\WINDOWS\system32\Drivers\irimager.sys [2004-11-23 11:24]
S3 pcidnt;A-B 1784-PCIDS;C:\WINDOWS\system32\Drivers\pcidnt.sys []
S3 PcmkWdm;%PcmkWdm.DeviceDesc%;C:\WINDOWS\system32\DRIVERS\PcmkWdm.sys [2000-06-21 13:50]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;C:\WINDOWS\system32\RS_SS_NT.SYS [1999-11-10 10:27]
S3 RSI-PKTX-A;RSI-PKTX-A;C:\WINDOWS\system32\drivers\RSI-PKTX-A.SYS [2002-11-13 16:38]
S3 RsiKtControl;RsiKtControl;C:\WINDOWS\system32\RSIKT.SYS [2006-01-18 12:33]
S3 RSLINXNGKtControl;RSLINXNGKtControl;C:\WINDOWS\system32\drivers\RSIKTNG.SYS [2002-04-23 21:02]
S3 RSSERIAL;RSLinx Classic Serial Driver;C:\WINDOWS\system32\RSSERIAL.SYS [1999-05-11 15:48]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;C:\WINDOWS\system32\drivers\s7oefs_x.sys [2002-10-18 03:34]
S3 s7oppitx;s7oppitx;C:\WINDOWS\system32\Drivers\S7oppitx.sys [2007-10-05 11:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{478b7611-0c7b-11dd-99d5-000e7b8951ef}]
\Shell\AutoRun\command - E:\nideiect.com
\Shell\explore\Command - E:\nideiect.com
\Shell\open\Command - E:\nideiect.com

.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 14:12:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-07 19:21:49 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
"2008-04-20 11:03:08 C:\WINDOWS\Tasks\User_Feed_Synchronization-{CDA94BA5-6E98-4722-85FA-F16B6CE2517E}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 15:29:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\ArchestrA\aaLogger.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\ArchestrA\NTServApp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Reflection\rtsserv.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Siemens\S7UBTOOX\S7ubtoox.exe
C:\Program Files\Common Files\Siemens\SQLANY\dbsrv7.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
.
**************************************************************************
.
Completion time: 2008-04-20 15:45:46 - machine was rebooted [SMTurner]
ComboFix-quarantined-files.txt 2008-04-20 19:45:34

Pre-Run: 38,204,350,464 bytes free
Post-Run: 38,149,906,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

509

#9
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Well, it's Bagle alright :).


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\anim.dll

Folder::
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\4PUPRPPPPPfmis

DirLook::
C:\201b79a5c3067caab4
C:\CGCM


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A DSS log (if it will now run).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So see if you can run DSS now, then post me the new Combofix log, the two DSS logs, and the DrWeb log.

Regards,
RatHat

#10
TurnerT2

    Member

  • Topic Starter
  • Member
  • 30 posts
I have posted all logs that you asked for. I am trying to get Deckard's to start; it is freezing now when it gets to "Backing up Registry Hives". If I can get it to go through, I will post that for your review as well. Thanks again for the help!!

ComboFix 08-04-20.2 - SMTurner 2008-04-20 16:22:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.231 [GMT -4:00]
Running from: C:\Documents and Settings\smturner\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\smturner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\anim.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\4PUPRPPPPPfmis
C:\WINDOWS\system32\anim.dll
C:\WINDOWS\system32\drivers\downld

.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-20 15:58 . 2008-04-20 16:00 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-04-20 14:29 . 2008-04-20 14:29 <DIR> d-------- C:\Deckard
2008-04-19 11:04 . 2008-04-19 11:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-19 11:03 . 2008-04-19 19:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-19 11:03 . 2008-04-19 11:03 <DIR> d-------- C:\Documents and Settings\smturner\Application Data\SUPERAntiSpyware.com
2008-04-19 10:53 . 2008-04-19 10:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 00:47 . 2008-04-19 00:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-19 00:47 . 2008-04-19 00:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-18 10:25 . 2008-04-18 10:29 66 --a------ C:\WINDOWS\PVB.INI
2008-04-17 21:58 . 2008-04-17 21:58 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-17 21:36 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-17 19:41 . 2008-04-19 00:30 <DIR> d-------- C:\201b79a5c3067caab4
2008-04-17 19:34 . 2008-04-19 00:30 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-17 19:34 . 2008-04-17 19:34 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-17 19:34 . 2008-04-02 20:07 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-04-17 19:34 . 2008-04-17 19:34 352,624 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-04-17 19:32 . 2008-04-17 19:35 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-06 20:18 . 2008-04-20 16:14 109,679 --a------ C:\WINDOWS\system32\oodbs.lor
2008-04-06 20:16 . 2008-04-06 20:16 0 --a------ C:\WINDOWS\oodcnt.INI
2008-04-06 20:10 . 2008-04-06 20:21 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-04-06 20:06 . 2008-04-06 20:06 <DIR> d-------- C:\Program Files\OO Software
2008-04-06 19:40 . 2008-04-06 19:40 <DIR> d-------- C:\WINDOWS\system32\AppData
2008-04-03 16:29 . 2008-04-03 16:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2008-03-30 12:39 . 2008-03-30 12:40 4 --a------ C:\WINDOWSRegDefrag.dat
2008-03-30 12:30 . 2008-03-30 12:30 57,344 --a------ C:\WINDOWS\system32\ROCD7.tmp
2008-03-30 11:44 . 2008-03-30 11:44 <DIR> d-------- C:\Documents and Settings\smturner\Application Data\Systweak
2008-03-30 11:43 . 2008-04-06 19:50 <DIR> d-------- C:\Program Files\Advanced System Optimizer
2008-03-30 11:41 . 2006-03-14 14:00 544,833 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-03-30 11:41 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-03-30 11:41 . 2002-03-01 17:58 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-03-30 11:41 . 1999-11-22 15:50 4,608 --a------ C:\WINDOWS\system32\W95INF32.DLL
2008-03-30 11:41 . 1999-11-22 15:50 2,272 --a------ C:\WINDOWS\system32\W95INF16.DLL
2008-03-30 11:41 . 1999-12-02 12:42 439 --a------ C:\WINDOWS\system32\shfolder.inf
2008-03-25 09:21 . 2008-03-25 09:21 <DIR> d-------- C:\Temp\AOPDiagnostics
2008-03-25 09:13 . 2008-03-25 09:13 <DIR> d-------- C:\CGCM
2008-03-25 09:13 . 2002-01-09 16:40 362,200 --a------ C:\WINDOWS\system32\Vsprint7.ocx
2008-03-25 09:13 . 1995-07-25 23:00 200,704 --a------ C:\WINDOWS\system32\THREED32.OCX
2008-03-25 09:13 . 1998-11-19 09:46 111,104 --a------ C:\WINDOWS\system32\cscomb32.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 13:14 --------- d-----w C:\Program Files\Rockwell Software
2008-03-25 13:12 --------- d-----w C:\Program Files\Rockwell Automation
2008-03-25 13:10 --------- d-----w C:\Program Files\Common Files\Rockwell
2008-03-25 04:14 --------- d-----w C:\Documents and Settings\smturner\Application Data\gspec
2008-03-23 23:45 63,024 ----a-w C:\Documents and Settings\smturner\Application Data\GDIPFONTCACHEV1.DAT
2008-03-19 23:03 --------- d-----w C:\Program Files\gspec
2008-03-19 23:02 --------- d-----w C:\Program Files\Google
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\win32k.sys
2008-03-18 23:49 --------- d-----w C:\Program Files\ControlFLASH
2008-03-18 23:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-18 16:14 --------- d-----w C:\Program Files\Common Files\Siemens
2008-03-18 16:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Siemens
2008-03-18 16:12 --------- d-----w C:\Program Files\SIEMENS
2008-03-16 15:54 --------- d-----w C:\Program Files\FKI Logistex
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\201b79a5c3067caab4 ----

2008-04-17 19:41 788 --ah----- C:\201b79a5c3067caab4\$shtdwn$.req
2008-04-05 22:56 37496 --a------ C:\201b79a5c3067caab4\mrtstub.exe
2008-04-05 22:56 19836024 --a------ C:\201b79a5c3067caab4\mrt.exe

---- Directory of C:\CGCM ----

2008-03-25 09:13 2083 --a------ C:\CGCM\PIDCal\INSTALL.LOG
2003-12-02 09:43 98304 --a------ C:\CGCM\PIDCal\PIDCal.EXE
2003-11-12 16:02 953361 --a------ C:\CGCM\PIDCal\Pidhelp.hlp
2003-09-03 13:56 519 --a------ C:\CGCM\PIDCal\PIDHelp.cnt
2001-05-10 10:04 162304 --a------ C:\CGCM\PIDCal\UNWISE.EXE


((((((((((((((((((((((((((((( [email protected]_15.38.45.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-19 09:40:27 1,845,888 ----a-w C:\WINDOWS\$hf_mig$\KB941693\SP2QFE\win32k.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941693\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941693\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\updspapi.dll
+ 2008-02-20 05:19:35 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsapi.dll
+ 2008-02-20 18:49:36 45,568 ----a-w C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsrslvr.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB945553\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB945553\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB945553\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB945553\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB945553\update\updspapi.dll
+ 2008-03-01 13:03:00 124,928 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\advpack.dll
+ 2008-03-01 13:03:00 347,136 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\dxtmsft.dll
+ 2008-03-01 13:03:00 214,528 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\dxtrans.dll
+ 2008-03-01 13:03:00 132,608 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\extmgr.dll
+ 2008-03-01 13:03:00 63,488 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\icardie.dll
+ 2008-02-22 09:39:56 70,656 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ie4uinit.exe
+ 2008-03-01 13:03:00 153,088 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ieakeng.dll
+ 2008-03-01 13:03:00 230,400 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ieaksie.dll
+ 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ieapfltr.dat
+ 2008-03-01 13:03:00 383,488 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ieapfltr.dll
+ 2008-03-01 13:03:00 388,608 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\iedkcs32.dll
+ 2008-03-01 13:03:01 6,067,712 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ieframe.dll
+ 2008-03-01 13:03:01 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\iernonce.dll
+ 2008-03-01 13:03:01 267,776 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\iertutil.dll
+ 2008-02-22 09:39:56 13,824 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ieudinit.exe
+ 2008-02-22 09:40:22 625,664 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe
+ 2008-03-01 13:03:01 27,648 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\jsproxy.dll
+ 2008-03-01 13:03:01 459,264 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\msfeeds.dll
+ 2008-03-01 13:03:01 52,224 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\msfeedsbs.dll
+ 2008-03-01 13:03:01 3,593,216 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\mshtml.dll
+ 2008-03-01 13:03:01 478,208 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\mshtmled.dll
+ 2008-03-01 13:03:01 193,024 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\msrating.dll
+ 2008-03-01 13:03:01 671,232 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\mstime.dll
+ 2008-03-01 13:03:01 102,912 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\occache.dll
+ 2008-03-01 13:03:01 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\pngfilt.dll
+ 2008-03-01 13:03:02 105,984 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\url.dll
+ 2008-03-01 13:03:02 1,162,752 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\urlmon.dll
+ 2008-03-01 13:03:02 233,472 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\webcheck.dll
+ 2008-03-01 13:03:02 827,392 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
+ 2007-03-06 01:22:33 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\spmsg.dll
+ 2007-03-06 01:22:39 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\spuninst.exe
+ 2007-03-06 01:22:31 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\update\spcustom.dll
+ 2007-03-06 01:22:56 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\update\updspapi.dll
+ 2008-02-20 06:52:43 282,624 ----a-w C:\WINDOWS\$hf_mig$\KB948590\SP2QFE\gdi32.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB948590\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB948590\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\updspapi.dll
+ 2007-03-06 01:22:33 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB948881\spmsg.dll
+ 2007-03-06 01:22:39 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB948881\spuninst.exe
+ 2007-03-06 01:22:31 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB948881\update\spcustom.dll
+ 2007-03-06 01:22:56 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB948881\update\update.exe
+ 2007-03-06 01:23:47 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB948881\update\updspapi.dll
- 2008-04-20 19:28:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 20:14:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-12-07 02:21:45 124,928 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\advpack.dll
+ 2007-12-19 23:01:06 347,136 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\dxtmsft.dll
+ 2007-12-07 02:21:45 214,528 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\dxtrans.dll
+ 2007-12-07 02:21:45 133,120 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\extmgr.dll
+ 2007-12-07 02:21:45 63,488 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\icardie.dll
+ 2007-12-06 11:00:57 70,656 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ie4uinit.exe
+ 2007-12-07 02:21:45 153,088 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieakeng.dll
+ 2007-12-07 02:21:45 230,400 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieaksie.dll
+ 2007-12-06 04:59:51 161,792 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieakui.dll
+ 2007-12-07 02:21:45 383,488 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieapfltr.dll
+ 2007-12-07 02:21:45 384,512 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iedkcs32.dll
+ 2007-12-07 02:21:46 6,066,176 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieframe.dll
+ 2007-12-07 02:21:46 44,544 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iernonce.dll
+ 2007-12-07 02:21:46 267,776 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iertutil.dll
+ 2007-12-06 11:00:58 13,824 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieudinit.exe
+ 2007-12-06 11:01:25 625,664 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iexplore.exe
+ 2007-12-07 02:21:47 27,648 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\jsproxy.dll
+ 2007-12-07 02:21:47 459,264 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msfeeds.dll
+ 2007-12-07 02:21:47 52,224 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msfeedsbs.dll
+ 2007-12-08 15:51:48 3,592,192 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mshtml.dll
+ 2007-12-07 02:21:47 478,208 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mshtmled.dll
+ 2007-12-07 02:21:48 193,024 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msrating.dll
+ 2007-12-07 02:21:48 671,232 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mstime.dll
+ 2007-12-07 02:21:48 102,912 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\occache.dll
+ 2008-01-11 05:53:32 44,544 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\updspapi.dll
+ 2007-12-07 02:21:48 105,984 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\url.dll
+ 2007-12-07 02:21:48 1,159,680 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\urlmon.dll
+ 2007-12-07 02:21:48 233,472 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\webcheck.dll
+ 2007-12-07 02:21:48 824,832 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
- 2007-12-07 02:21:45 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-12-07 02:21:45 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-03-01 13:06:20 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
- 2006-06-26 17:37:10 148,480 -c----w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 -c----w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 45,568 -c----w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
- 2007-12-19 23:01:06 347,136 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-03-01 13:06:21 347,136 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-12-07 02:21:45 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-03-01 13:06:21 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-12-07 02:21:45 133,120 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-03-01 13:06:21 133,120 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-06-19 13:31:19 282,112 -c----w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2008-02-20 06:51:05 282,624 -c----w C:\WINDOWS\system32\dllcache\gdi32.dll
- 2007-12-07 02:21:45 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-12-06 11:00:57 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-02-29 08:55:23 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-12-07 02:21:45 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-03-01 13:06:21 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-12-07 02:21:45 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-03-01 13:06:21 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-12-06 04:59:51 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-12-07 02:21:45 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-12-07 02:21:45 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-12-07 02:21:46 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-12-07 02:21:46 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-03-01 13:06:24 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-12-07 02:21:46 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-12-06 11:00:58 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-12-06 11:01:25 625,664 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-02-29 08:55:46 625,664 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-12-07 02:21:47 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-03-01 13:06:25 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-12-07 02:21:47 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-12-07 02:21:47 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-12-08 15:51:48 3,592,192 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-03-01 22:36:30 3,591,680 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-12-07 02:21:47 478,208 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-12-07 02:21:48 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-03-01 13:06:28 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-12-07 02:21:48 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-03-01 13:06:29 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-12-07 02:21:48 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-03-01 13:06:29 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-01-11 05:53:32 44,544 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-03-01 13:06:29 44,544 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-12-07 02:21:48 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-03-01 13:06:29 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2007-12-07 02:21:48 1,159,680 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-12-07 02:21:48 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-03-01 13:06:30 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-03-08 13:47:48 1,843,584 -c----w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 -c----w C:\WINDOWS\system32\dllcache\win32k.sys
- 2007-12-07 02:21:48 824,832 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-03-01 13:06:31 826,368 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2007-12-19 23:01:06 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-12-07 02:21:45 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-12-07 02:21:45 133,120 ------w C:\WINDOWS\system32\extmgr.dll
+ 2008-03-01 13:06:21 133,120 ------w C:\WINDOWS\system32\extmgr.dll
- 2008-03-06 21:33:05 229,592 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-20 20:14:46 229,592 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-12-07 02:21:45 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-12-06 11:00:57 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-02-29 08:55:23 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
- 2007-12-07 02:21:45 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
+ 2008-03-01 13:06:21 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
- 2007-12-07 02:21:45 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
+ 2008-03-01 13:06:21 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
- 2007-12-06 04:59:51 161,792 ------w C:\WINDOWS\system32\ieakui.dll
+ 2008-02-15 05:44:25 161,792 ------w C:\WINDOWS\system32\ieakui.dll
- 2007-12-07 02:21:45 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-12-07 02:21:45 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
- 2007-12-07 02:21:46 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-12-07 02:21:46 44,544 ------w C:\WINDOWS\system32\iernonce.dll
+ 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\system32\iernonce.dll
- 2007-12-07 02:21:46 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-12-06 11:00:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-12-07 02:21:47 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
+ 2008-03-01 13:06:25 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
- 2007-12-07 02:21:47 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-12-07 02:21:47 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-12-08 15:51:48 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-03-01 22:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-12-07 02:21:47 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-12-07 02:21:48 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-12-07 02:21:48 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-12-07 02:21:48 102,912 ------w C:\WINDOWS\system32\occache.dll
+ 2008-03-01 13:06:29 102,912 ------w C:\WINDOWS\system32\occache.dll
- 2008-01-11 05:53:32 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-12-07 02:21:48 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-12-07 02:21:48 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-12-07 02:21:48 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2004-04-15 16:05 856135 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2005-08-19 01:02 679936]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-04-15 16:05 4866048]
"nwiz"="nwiz.exe" [2004-04-15 16:05 323584 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 16:00 88363 C:\WINDOWS\agrsmmsg.exe]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-04-20 15:23 139320]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2008-04-20 15:23 94208]
"UsbCipHelper"="C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2006-09-28 19:25 434176]
"S7UB Start"="C:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2006-03-13 23:59 102453]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 02:08 2512392]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2004-11-01 12:50 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2004-06-03 02:50 204800 C:\Program Files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMax]
--a------ 2004-08-06 09:27 860160 C:\Program Files\Analog Devices\SoundMAX\smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--ah----- 2005-08-19 01:02 679936 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 22:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\ArchestrA\\aaLogger.exe"=
"C:\\Program Files\\Common Files\\ArchestrA\\slssvc.exe"=
"C:\\Program Files\\Wonderware\\InTouch\\wm.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\WINDOWS\\system32\\OpcEnum.exe"=
"C:\\WINDOWS\\system32\\dllhost.exe"=
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"102:TCP"= 102:TCP:DAS SI 102
"135:TCP"= 135:TCP:DCOM 135
"502:TCP"= 502:TCP:Modicon 502
"1434:UDP"= 1434:UDP:SQL Server Browser 1434
"1433:TCP"= 1433:TCP:SQL TCP 1433
"2221:TCP"= 2221:TCP:DAS ABTCP 2221
"2222:TCP"= 2222:TCP:DAS ABTCP 2222
"2223:TCP"= 2223:TCP:DAS ABTCP 2223
"5413:TCP"= 5413:TCP:Port 5413
"80:TCP"= 80:TCP:SuiteVoyager 80
"443:TCP"= 443:TCP:SuiteVoyager 443
"9001:TCP"= 9001:TCP:vista 9001
"9002:TCP"= 9002:TCP:EnvMngr 9002
"9003:TCP"= 9003:TCP:MsgMngr 9003
"9004:TCP"= 9004:TCP:SecMngr 9004
"9006:TCP"= 9006:TCP:RedMngr 9006
"9007:TCP"= 9007:TCP:UnilinkMngr 9007
"9008:TCP"= 9008:TCP:BatchMngr 9008
"9011:TCP"= 9011:TCP:LogMngr 9011
"9012:TCP"= 9012:TCP:InfoMngr 9012
"9013:UDP"= 9013:UDP:RedMngrX 9013
"9014:UDP"= 9014:UDP:RedMngrX2 9014
"9015:TCP"= 9015:TCP:HistQMngrvista 9015
"9016:TCP"= 9016:TCP:HistQReader 9016
"44818:TCP"= 44818:TCP:Logix 44818

R1 RtIf;Radisys INTime;C:\WINDOWS\system32\drivers\RtIf.sys [2004-07-21 10:43]
R2 almservice;Automation License Manager Service;"C:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe" [2006-07-27 15:15]
R2 Dpmtrcdd;Dpmtrcdd;C:\WINDOWS\system32\DRIVERS\dpmtrcdd.sys [2006-07-11 15:16]
R2 INtimeClockSync;INtime Clock Synchronization;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\RTClkSrv.exe [2003-05-12 06:10]
R2 INtimeEventLog;INtime Event Log;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\RTELSrv.exe [2003-05-12 06:10]
R2 INtimeIO;INtime I/O;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\RTIOSrv.exe [2003-05-12 06:10]
R2 INtimeKernel;INtime Kernel;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\LoadRTK.exe [2003-05-12 06:10]
R2 INtimeRegistry;INtime Registry;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\RTRegSrv.exe [2003-05-12 06:10]
R2 s7asysvx;S7 Global Services;"C:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe" [2006-03-13 19:00]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;C:\WINDOWS\system32\Drivers\S7odpx2x.sys [2007-10-05 11:40]
R2 s7oiehsx;SIMATIC IEPG Help Service;C:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [2007-10-05 11:51]
R2 s7osmcax;s7osmcax;C:\WINDOWS\system32\Drivers\s7osmcax.sys [2007-10-05 11:44]
R2 s7otranx;s7otranx;C:\WINDOWS\system32\Drivers\s7otranx.sys [2007-10-05 11:47]
R2 s7snsrtx;PROFINET IO RT-Protocol;C:\WINDOWS\system32\DRIVERS\s7snsrtx.sys [2007-07-30 12:06]
R2 S7TraceServiceX;S7TraceServiceX;C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [2007-08-31 11:32]
R2 scpdrv;scpdrv;C:\PROGRAM FILES\COMMON FILES\SIEMENS\SWS\PLUGINS\SCP\scpdrv.sys [2003-11-10 18:22]
R2 slssvc;Wonderware SuiteLink;"C:\Program Files\Common Files\ArchestrA\slssvc.exe" [2004-07-07 13:07]
R2 SNTIE;SIMATIC Industrial Ethernet (ISO);C:\WINDOWS\system32\DRIVERS\sntie.sys [2007-08-10 09:34]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 EventServer;Rockwell Event Server;"C:\Program Files\Common Files\Rockwell\EventServer.exe" [2005-06-23 19:29]
R3 INtimeNodeDetection;INtime Node Detection;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\RTNDSrv.exe [2003-05-12 06:10]
R3 NtxRemote;INtime Remote Connection Manager;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\NTXREM~1.EXE [2003-05-12 06:10]
R3 S7oppilx;S7oppilx;C:\WINDOWS\system32\Drivers\S7oppilx.sys [2007-10-05 11:42]
S1 VirtualBackplane;A-B Virtual Backplane;C:\WINDOWS\system32\Drivers\VirtualBackplane.sys []
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;C:\WINDOWS\system32\Drivers\ABKTCX.sys [2000-05-31 21:13]
S3 CW10;Intel® PRO/Wireless LAN Module Driver;C:\WINDOWS\system32\DRIVERS\CW51Usb.sys [2002-07-16 17:22]
S3 EntivityVLCRTPublish;Entivity VLC RTPublish;C:\PROGRA~1\VLC\VLC_6_0\Bin\RTPUBL~1.EXE [2003-05-12 06:10]
S3 EntivityVLCTEEngine;Entivity VLC TEEngine;C:\PROGRA~1\VLC\VLC_6_0\Bin\TEEngine.exe [2003-05-12 06:10]
S3 INtimeDriver3C5xx;INtime 3Com 3C5xx Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeDriverEepro100;INtime Eepro100 Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeDriverLoopback;INtime Loopback Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeDriverNe;INtime NE Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeDriverRtl8139;INtime Rtl8139 Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeDriverTulip;INtime Tulip Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeIP;INtime IP;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeNetworkService;INtime Network Service;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\stacksrv.exe [2003-05-12 06:10]
S3 INtimeRawIP;INtime Raw IP;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeTCP;INtime TCP;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeUDP;INtime UDP ;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 IRIMAGER;Raytek Ti30, IR-Imager USB Driver (irimager.sys);C:\WINDOWS\system32\Drivers\irimager.sys [2004-11-23 11:24]
S3 pcidnt;A-B 1784-PCIDS;C:\WINDOWS\system32\Drivers\pcidnt.sys []
S3 PcmkWdm;%PcmkWdm.DeviceDesc%;C:\WINDOWS\system32\DRIVERS\PcmkWdm.sys [2000-06-21 13:50]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;C:\WINDOWS\system32\RS_SS_NT.SYS [1999-11-10 10:27]
S3 RSI-PKTX-A;RSI-PKTX-A;C:\WINDOWS\system32\drivers\RSI-PKTX-A.SYS [2002-11-13 16:38]
S3 RsiKtControl;RsiKtControl;C:\WINDOWS\system32\RSIKT.SYS [2006-01-18 12:33]
S3 RSLINXNGKtControl;RSLINXNGKtControl;C:\WINDOWS\system32\drivers\RSIKTNG.SYS [2002-04-23 21:02]
S3 RSSERIAL;RSLinx Classic Serial Driver;C:\WINDOWS\system32\RSSERIAL.SYS [1999-05-11 15:48]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;C:\WINDOWS\system32\drivers\s7oefs_x.sys [2002-10-18 03:34]
S3 s7oppitx;s7oppitx;C:\WINDOWS\system32\Drivers\S7oppitx.sys [2007-10-05 11:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{478b7611-0c7b-11dd-99d5-000e7b8951ef}]
\Shell\AutoRun\command - E:\nideiect.com
\Shell\explore\Command - E:\nideiect.com
\Shell\open\Command - E:\nideiect.com

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 14:12:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-07 19:21:49 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
"2008-04-20 11:03:08 C:\WINDOWS\Tasks\User_Feed_Synchronization-{CDA94BA5-6E98-4722-85FA-F16B6CE2517E}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 16:26:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-20 16:28:37
ComboFix-quarantined-files.txt 2008-04-20 20:28:15
ComboFix2.txt 2008-04-20 19:45:47

Pre-Run: 37,924,257,792 bytes free
Post-Run: 37,906,644,992 bytes free

476 --- E O F --- 2008-04-20 20:00:24


DrWeb


s7gsdi_x.dll;C:\Program Files\Common Files\Siemens\S7GSDI;Adware.Hotbar;Incurable.Moved.;
VNCHooks.dll;C:\Program Files\TightVNC;Program.RemoteAdmin;;
WinVNC.exe;C:\Program Files\TightVNC;Program.RemoteAdmin;;
295945.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
561777.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
A0370872.sys;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP590;Win32.HLLM.Beagle.45184;Deleted.;
A0370886.sys;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP590;Win32.HLLM.Beagle.45184;Deleted.;
A0370975.sys;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591;Win32.HLLM.Beagle.45184;Deleted.;
A0371889.sys;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591;Win32.HLLM.Beagle.45184;Deleted.;
A0373886.sys;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591;Win32.HLLM.Beagle.45184;Deleted.;
A0374885.sys;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591;Win32.HLLM.Beagle.45184;Deleted.;
A0375885.sys;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP591;Win32.HLLM.Beagle.45184;Deleted.;
A0375887.sys;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP592;Win32.HLLM.Beagle.45184;Deleted.;
A0376206.sys;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP593;Win32.HLLM.Beagle.45184;Deleted.;
A0376519.sys;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP593;Win32.HLLM.Beagle.45184;Deleted.;
A0377521.sys;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP594;Win32.HLLM.Beagle.45184;Deleted.;
A0378522.sys;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP594;Win32.HLLM.Beagle.45184;Deleted.;
A0379521.sys;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP594;Win32.HLLM.Beagle.45184;Deleted.;
A0379668.sys;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP594;Win32.HLLM.Beagle.45184;Deleted.;
A0379670.exe;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP594;Win32.HLLM.Beagle;Deleted.;
A0379671.exe;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP594;Win32.HLLM.Beagle;Deleted.;
A0379841.exe;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP595;Win32.HLLM.Beagle;Deleted.;
A0379896.exe;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP595;Win32.HLLM.Beagle;Deleted.;
A0379962.EXE;C:\System Volume Information\_restore{EB3E5D44-F574-4345-B64A-E3057FF3E2C5}\RP595;Program.PsExec.170;Incurable.Moved.;
  • 0


#11
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
We need to disinfect your flash drive(s) or the infection will spread.

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Let's run an F-Secure online scan for Viruses, Spyware and RootKits:
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take a while, so please be patient

OK, post me the log, and let me know how your computer is behaving now.

Regards,
RatHat
  • 0
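The ComboFix log posted above lists three cached shell verbs (AutoRun, explore, open) for one MountPoints2 volume, all pointing at E:\nideiect.com; that cached-verb layout is what keeps a removable-drive infection re-launching from "My Computer" even after the drive's autorun.inf is gone, and it is the pattern the Flash_Disinfector step is meant to stop spreading. As an added example, not part of this thread or of any tool mentioned in it, here is a small Python checker that pulls those cached verbs out of a ComboFix-style "Reg Loading Points" section and rates them; the sample log is constructed to mirror the shape of the posted entry, and the second key in it is invented for contrast.

```python
"""Flag MountPoints2 shell-verb hijacks in a ComboFix-style log (added example).

Explorer caches a volume's autorun.inf verbs under
HKCU\...\Explorer\MountPoints2\{volume-guid}. When all of AutoRun, open and
explore point at one executable sitting in the root of a non-system drive,
that is the classic removable-drive worm layout.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the first MountPoints2 key mirrors the shape of the entry
# in the posted ComboFix log; the second key is invented so the rating logic
# has a less suspicious entry to contrast against.
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{478b7611-0c7b-11dd-99d5-000e7b8951ef}]
\\Shell\\AutoRun\\command - E:\\nideiect.com
\\Shell\\explore\\Command - E:\\nideiect.com
\\Shell\\open\\Command - E:\\nideiect.com

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{00000000-0000-0000-0000-000000000000}]
\\Shell\\AutoRun\\command - C:\\Program Files\\Vendor\\launcher.exe
"""

KEY_RE = re.compile(r"^\[HKEY_[^\]]*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+?)\s*$", re.I)
RISKY_EXT = {".com", ".exe", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}


def parse_mountpoint_verbs(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {volume_guid: [(verb, command), ...]} for every MountPoints2 key."""
    found: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).lower() if m else None  # other keys are ignored
            if current is not None:
                found.setdefault(current, [])
            continue
        if current is None:
            continue
        m = VERB_RE.match(line)
        if m:
            found[current].append((m.group(1), m.group(2)))
    return found


def rate_entry(verbs: List[Tuple[str, str]]) -> dict:
    """Rate one volume's cached verbs. 'high' = an executable in the root of a
    non-system drive; 'medium' = any cached verb at all (worth a look)."""
    commands = {cmd for _, cmd in verbs}
    high = False
    for cmd in commands:
        drive, sep, rest = cmd.partition(":\\")
        if not sep or len(drive) != 1:
            continue  # not a plain drive path; stays at medium
        in_root = "\\" not in rest
        ext = "." + rest.rsplit(".", 1)[-1].lower() if "." in rest else ""
        if drive.upper() != "C" and in_root and ext in RISKY_EXT:
            high = True
    hijacked = {v.lower() for v, _ in verbs}
    return {
        "verbs": sorted(hijacked),
        "commands": sorted(commands),
        "severity": "high" if high else ("medium" if verbs else "none"),
        # all three verbs aimed at one file is the worm signature
        "all_verbs_same_target": len(commands) == 1
        and hijacked >= {"autorun", "open", "explore"},
    }


def find_hijacks(log_text: str) -> Dict[str, dict]:
    """Parse a log and rate every MountPoints2 volume found in it."""
    return {guid: rate_entry(v) for guid, v in parse_mountpoint_verbs(log_text).items()}


if __name__ == "__main__":
    for guid, info in find_hijacks(SAMPLE_LOG).items():
        print(guid, info["severity"], info["commands"])
```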

#12
TurnerT2

TurnerT2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Below is the log for F-Secure. Please let me know what you think. My wireless is still not working and my antivirus will still not start. I cannot open Deckard's regularly or in safe mode; it freezes the computer. I still cannot run Hijack This, it says it is not a valid Win32 program. Please Help Me!!??? :)

Scanning Report
Sunday, April 20, 2008 22:30:19 - 08:30:23
Computer name: STLBUD
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 3 malware found
Tracking Cookie (spyware)
System
Trojan-Downloader.Win32.Bagle (virus)
System
Trojan-Downloader.Win32.Bagle.ne (virus)
C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\GOOGLETOOLBARNOTIFIER.EXE

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 68339
System: 5203
Not scanned: 89
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 3
Submitted: 0
Files not scanned:
xq �

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-04-21
F-Secure AVP: 7.0.171, 2008-04-21
F-Secure Pegasus: 1.20.0, 2008-02-28
F-Secure Blacklight: 1.0.64
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

  • 0

#13
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Good morning,

Let's see if F-Secure identified the dropper that re-spawns Bagle:

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\GOOGLETOOLBARNOTIFIER.EXE

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Now run Combo-Fix again and post me the log it produces too.

Regards,
RatHat
  • 0

#14
TurnerT2

TurnerT2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Below are all of the logs that you requested. I'm sorry for the delay; I have been at work all day... :)

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\GOOGLETOOLBARNOTIFIER.EXE" not found!
Deletion of file "C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\GOOGLETOOLBARNOTIFIER.EXE" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "l" not found!
Deletion of file "l" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


ComboFix 08-04-20.2 - SMTurner 2008-04-21 19:24:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.162 [GMT -4:00]
Running from: C:\Documents and Settings\smturner\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\downld

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-20 22:28 . 2008-04-20 22:28 <DIR> d-------- C:\fsaua.data
2008-04-20 16:36 . 2008-04-20 16:54 <DIR> d-------- C:\Documents and Settings\smturner.STLBUD
2008-04-20 15:58 . 2008-04-20 16:00 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-04-20 14:29 . 2008-04-20 14:29 <DIR> d-------- C:\Deckard
2008-04-19 11:04 . 2008-04-19 11:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-19 11:03 . 2008-04-19 19:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-19 11:03 . 2008-04-19 11:03 <DIR> d-------- C:\Documents and Settings\smturner\Application Data\SUPERAntiSpyware.com
2008-04-19 10:53 . 2008-04-19 10:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 00:47 . 2008-04-19 00:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-19 00:47 . 2008-04-19 00:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-18 10:25 . 2008-04-18 10:29 66 --a------ C:\WINDOWS\PVB.INI
2008-04-17 21:58 . 2008-04-17 21:58 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-17 21:36 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-17 19:41 . 2008-04-19 00:30 <DIR> d-------- C:\201b79a5c3067caab4
2008-04-17 19:34 . 2008-04-19 00:30 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-17 19:34 . 2008-04-17 19:34 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-17 19:34 . 2008-04-02 20:07 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-04-17 19:34 . 2008-04-17 19:34 352,624 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-04-17 19:32 . 2008-04-17 19:35 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-06 20:18 . 2008-04-21 19:15 121,172 --a------ C:\WINDOWS\system32\oodbs.lor
2008-04-06 20:16 . 2008-04-06 20:16 0 --a------ C:\WINDOWS\oodcnt.INI
2008-04-06 20:10 . 2008-04-06 20:21 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-04-06 20:06 . 2008-04-06 20:06 <DIR> d-------- C:\Program Files\OO Software
2008-04-06 19:40 . 2008-04-06 19:40 <DIR> d-------- C:\WINDOWS\system32\AppData
2008-04-03 16:29 . 2008-04-03 16:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2008-03-30 12:39 . 2008-03-30 12:40 4 --a------ C:\WINDOWSRegDefrag.dat
2008-03-30 12:30 . 2008-03-30 12:30 57,344 --a------ C:\WINDOWS\system32\ROCD7.tmp
2008-03-30 11:44 . 2008-03-30 11:44 <DIR> d-------- C:\Documents and Settings\smturner\Application Data\Systweak
2008-03-30 11:43 . 2008-04-06 19:50 <DIR> d-------- C:\Program Files\Advanced System Optimizer
2008-03-30 11:41 . 2006-03-14 14:00 544,833 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-03-30 11:41 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-03-30 11:41 . 2002-03-01 17:58 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-03-30 11:41 . 1999-11-22 15:50 4,608 --a------ C:\WINDOWS\system32\W95INF32.DLL
2008-03-30 11:41 . 1999-11-22 15:50 2,272 --a------ C:\WINDOWS\system32\W95INF16.DLL
2008-03-30 11:41 . 1999-12-02 12:42 439 --a------ C:\WINDOWS\system32\shfolder.inf
2008-03-25 09:21 . 2008-03-25 09:21 <DIR> d-------- C:\Temp\AOPDiagnostics
2008-03-25 09:13 . 2008-03-25 09:13 <DIR> d-------- C:\CGCM
2008-03-25 09:13 . 2002-01-09 16:40 362,200 --a------ C:\WINDOWS\system32\Vsprint7.ocx
2008-03-25 09:13 . 1995-07-25 23:00 200,704 --a------ C:\WINDOWS\system32\THREED32.OCX
2008-03-25 09:13 . 1998-11-19 09:46 111,104 --a------ C:\WINDOWS\system32\cscomb32.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 01:13 --------- d-----w C:\Program Files\TightVNC
2008-03-25 13:14 --------- d-----w C:\Program Files\Rockwell Software
2008-03-25 13:12 --------- d-----w C:\Program Files\Rockwell Automation
2008-03-25 13:10 --------- d-----w C:\Program Files\Common Files\Rockwell
2008-03-25 04:14 --------- d-----w C:\Documents and Settings\smturner\Application Data\gspec
2008-03-23 23:45 63,024 ----a-w C:\Documents and Settings\smturner\Application Data\GDIPFONTCACHEV1.DAT
2008-03-19 23:03 --------- d-----w C:\Program Files\gspec
2008-03-19 23:02 --------- d-----w C:\Program Files\Google
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\win32k.sys
2008-03-18 23:49 --------- d-----w C:\Program Files\ControlFLASH
2008-03-18 23:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-18 16:14 --------- d-----w C:\Program Files\Common Files\Siemens
2008-03-18 16:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Siemens
2008-03-18 16:12 --------- d-----w C:\Program Files\SIEMENS
2008-03-16 15:54 --------- d-----w C:\Program Files\FKI Logistex
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot_2008-04-20_16.28.04.69 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-20 20:14:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-21 23:15:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-27 19:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 19:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2008-02-27 20:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-02-27 19:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2004-04-15 16:05 856135 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-04-15 16:05 4866048]
"nwiz"="nwiz.exe" [2004-04-15 16:05 323584 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 16:00 88363 C:\WINDOWS\agrsmmsg.exe]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-04-20 15:23 139320]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2008-04-20 15:23 94208]
"UsbCipHelper"="C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2006-09-28 19:25 434176]
"S7UB Start"="C:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2006-03-13 23:59 102453]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 02:08 2512392]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2004-11-01 12:50 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2004-06-03 02:50 204800 C:\Program Files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMax]
--a------ 2004-08-06 09:27 860160 C:\Program Files\Analog Devices\SoundMAX\smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 22:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\ArchestrA\\aaLogger.exe"=
"C:\\Program Files\\Common Files\\ArchestrA\\slssvc.exe"=
"C:\\Program Files\\Wonderware\\InTouch\\wm.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\WINDOWS\\system32\\OpcEnum.exe"=
"C:\\WINDOWS\\system32\\dllhost.exe"=
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"102:TCP"= 102:TCP:DAS SI 102
"135:TCP"= 135:TCP:DCOM 135
"502:TCP"= 502:TCP:Modicon 502
"1434:UDP"= 1434:UDP:SQL Server Browser 1434
"1433:TCP"= 1433:TCP:SQL TCP 1433
"2221:TCP"= 2221:TCP:DAS ABTCP 2221
"2222:TCP"= 2222:TCP:DAS ABTCP 2222
"2223:TCP"= 2223:TCP:DAS ABTCP 2223
"5413:TCP"= 5413:TCP:Port 5413
"80:TCP"= 80:TCP:SuiteVoyager 80
"443:TCP"= 443:TCP:SuiteVoyager 443
"9001:TCP"= 9001:TCP:vista 9001
"9002:TCP"= 9002:TCP:EnvMngr 9002
"9003:TCP"= 9003:TCP:MsgMngr 9003
"9004:TCP"= 9004:TCP:SecMngr 9004
"9006:TCP"= 9006:TCP:RedMngr 9006
"9007:TCP"= 9007:TCP:UnilinkMngr 9007
"9008:TCP"= 9008:TCP:BatchMngr 9008
"9011:TCP"= 9011:TCP:LogMngr 9011
"9012:TCP"= 9012:TCP:InfoMngr 9012
"9013:UDP"= 9013:UDP:RedMngrX 9013
"9014:UDP"= 9014:UDP:RedMngrX2 9014
"9015:TCP"= 9015:TCP:HistQMngrvista 9015
"9016:TCP"= 9016:TCP:HistQReader 9016
"44818:TCP"= 44818:TCP:Logix 44818

R1 RtIf;Radisys INTime;C:\WINDOWS\system32\drivers\RtIf.sys [2004-07-21 10:43]
R2 almservice;Automation License Manager Service;"C:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe" [2006-07-27 15:15]
R2 Dpmtrcdd;Dpmtrcdd;C:\WINDOWS\system32\DRIVERS\dpmtrcdd.sys [2006-07-11 15:16]
R2 INtimeClockSync;INtime Clock Synchronization;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\RTClkSrv.exe [2003-05-12 06:10]
R2 INtimeEventLog;INtime Event Log;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\RTELSrv.exe [2003-05-12 06:10]
R2 INtimeIO;INtime I/O;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\RTIOSrv.exe [2003-05-12 06:10]
R2 INtimeKernel;INtime Kernel;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\LoadRTK.exe [2003-05-12 06:10]
R2 INtimeRegistry;INtime Registry;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\RTRegSrv.exe [2003-05-12 06:10]
R2 s7asysvx;S7 Global Services;"C:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe" [2006-03-13 19:00]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;C:\WINDOWS\system32\Drivers\S7odpx2x.sys [2007-10-05 11:40]
R2 s7oiehsx;SIMATIC IEPG Help Service;C:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [2007-10-05 11:51]
R2 s7osmcax;s7osmcax;C:\WINDOWS\system32\Drivers\s7osmcax.sys [2007-10-05 11:44]
R2 s7otranx;s7otranx;C:\WINDOWS\system32\Drivers\s7otranx.sys [2007-10-05 11:47]
R2 s7snsrtx;PROFINET IO RT-Protocol;C:\WINDOWS\system32\DRIVERS\s7snsrtx.sys [2007-07-30 12:06]
R2 S7TraceServiceX;S7TraceServiceX;C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [2007-08-31 11:32]
R2 scpdrv;scpdrv;C:\PROGRAM FILES\COMMON FILES\SIEMENS\SWS\PLUGINS\SCP\scpdrv.sys [2003-11-10 18:22]
R2 slssvc;Wonderware SuiteLink;"C:\Program Files\Common Files\ArchestrA\slssvc.exe" [2004-07-07 13:07]
R2 SNTIE;SIMATIC Industrial Ethernet (ISO);C:\WINDOWS\system32\DRIVERS\sntie.sys [2007-08-10 09:34]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 EventServer;Rockwell Event Server;"C:\Program Files\Common Files\Rockwell\EventServer.exe" [2005-06-23 19:29]
R3 INtimeNodeDetection;INtime Node Detection;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\RTNDSrv.exe [2003-05-12 06:10]
R3 NtxRemote;INtime Remote Connection Manager;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\NTXREM~1.EXE [2003-05-12 06:10]
R3 S7oppilx;S7oppilx;C:\WINDOWS\system32\Drivers\S7oppilx.sys [2007-10-05 11:42]
S1 VirtualBackplane;A-B Virtual Backplane;C:\WINDOWS\system32\Drivers\VirtualBackplane.sys []
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;C:\WINDOWS\system32\Drivers\ABKTCX.sys [2000-05-31 21:13]
S3 CW10;Intel® PRO/Wireless LAN Module Driver;C:\WINDOWS\system32\DRIVERS\CW51Usb.sys [2002-07-16 17:22]
S3 EntivityVLCRTPublish;Entivity VLC RTPublish;C:\PROGRA~1\VLC\VLC_6_0\Bin\RTPUBL~1.EXE [2003-05-12 06:10]
S3 EntivityVLCTEEngine;Entivity VLC TEEngine;C:\PROGRA~1\VLC\VLC_6_0\Bin\TEEngine.exe [2003-05-12 06:10]
S3 INtimeDriver3C5xx;INtime 3Com 3C5xx Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeDriverEepro100;INtime Eepro100 Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeDriverLoopback;INtime Loopback Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeDriverNe;INtime NE Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeDriverRtl8139;INtime Rtl8139 Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeDriverTulip;INtime Tulip Driver;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeIP;INtime IP;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeNetworkService;INtime Network Service;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\bin\stacksrv.exe [2003-05-12 06:10]
S3 INtimeRawIP;INtime Raw IP;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeTCP;INtime TCP;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 INtimeUDP;INtime UDP ;C:\PROGRA~1\COMMON~1\Radisys\INtime\RELEAS~1.00\Bin\Itwrpsrv.exe [2003-05-12 06:10]
S3 IRIMAGER;Raytek Ti30, IR-Imager USB Driver (irimager.sys);C:\WINDOWS\system32\Drivers\irimager.sys [2004-11-23 11:24]
S3 pcidnt;A-B 1784-PCIDS;C:\WINDOWS\system32\Drivers\pcidnt.sys []
S3 PcmkWdm;%PcmkWdm.DeviceDesc%;C:\WINDOWS\system32\DRIVERS\PcmkWdm.sys [2000-06-21 13:50]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;C:\WINDOWS\system32\RS_SS_NT.SYS [1999-11-10 10:27]
S3 RSI-PKTX-A;RSI-PKTX-A;C:\WINDOWS\system32\drivers\RSI-PKTX-A.SYS [2002-11-13 16:38]
S3 RsiKtControl;RsiKtControl;C:\WINDOWS\system32\RSIKT.SYS [2006-01-18 12:33]
S3 RSLINXNGKtControl;RSLINXNGKtControl;C:\WINDOWS\system32\drivers\RSIKTNG.SYS [2002-04-23 21:02]
S3 RSSERIAL;RSLinx Classic Serial Driver;C:\WINDOWS\system32\RSSERIAL.SYS [1999-05-11 15:48]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;C:\WINDOWS\system32\drivers\s7oefs_x.sys [2002-10-18 03:34]
S3 s7oppitx;s7oppitx;C:\WINDOWS\system32\Drivers\S7oppitx.sys [2007-10-05 11:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{478b7611-0c7b-11dd-99d5-000e7b8951ef}]
\Shell\AutoRun\command - E:\nideiect.com
\Shell\explore\Command - E:\nideiect.com
\Shell\open\Command - E:\nideiect.com

.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 14:12:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-07 19:21:49 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
"2008-04-21 11:43:38 C:\WINDOWS\Tasks\User_Feed_Synchronization-{CDA94BA5-6E98-4722-85FA-F16B6CE2517E}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 19:28:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-21 19:30:36
ComboFix-quarantined-files.txt 2008-04-21 23:30:17
ComboFix2.txt 2008-04-20 20:28:37
ComboFix3.txt 2008-04-20 19:45:47

Pre-Run: 37,827,796,992 bytes free
Post-Run: 37,878,751,232 bytes free

249 --- E O F --- 2008-04-20 20:00:24
  • 0

#15
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Please download and unzip Icesword to its own folder.

Close all windows and run IceSword by opening the folder and double clicking IceSword.exe.

Click the File button at the bottom left hand side. This will display a Windows Explorer type interface. Navigate to the following file in bold and delete it (click on the file, right click and choose Delete).

C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\GOOGLETOOLBARNOTIFIER.EXE


Let me know if you had any problem finding it or deleting it.

Note: If Delete does not work, choose Force Delete.

Regards,
RatHat
  • 0
