Norton AV found "903872836.exe" [RESOLVED]



#16
Kellee
    Member (Topic Starter)
  • 24 posts
Here's Step #1

Scanner results
Scan taken on 14 Jul 2008 00:31:30 (GMT)
A-Squared Found nothing
AntiVir Found TR/Rootkit.Gen
ArcaVir Found Trojan.Rootkit.Qandr.Do
Avast Found Win32:Qandr
AVG Antivirus Found Scagent.L
BitDefender Found Trojan.Srizbi.SYS.Gen
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Spambot.3201
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Rootkit.Win32.Qandr.do
Fortinet Found nothing
Ikarus Found Rootkit.Win32.Agent.ea
Kaspersky Anti-Virus Found Rootkit.Win32.Qandr.do
NOD32 Found a variant of Win32/Srizbi
Norman Virus Control Found nothing
Panda Antivirus Found Trj/Dropper.WF
Sophos Antivirus Found Mal/RootKit-C
VirusBuster Found nothing
VBA32 Found Rootkit.Win32.Qandr.do


#17
Kellee
    Member (Topic Starter)
  • 24 posts
Here's Step #2


SDFix: Version 1.205
Run by Kellee Albrecht on Sun 07/13/2008 at 05:44 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 17:51:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mdgd32]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Mdgd32]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\Mdgd32.sys 126464 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 1


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe:*:Enabled:Age of Empires 3"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"E:\\Setup.exe"="E:\\Setup.exe:*:Enabled:Setup"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :



Files with Hidden Attributes :

Sun 6 Aug 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 16 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 17 May 2006 24,064 A..H. --- "C:\Documents and Settings\Kellee Albrecht\My Documents\Sierras invitation artwork\~WRL0005.tmp"
Wed 17 May 2006 24,576 A..H. --- "C:\Documents and Settings\Kellee Albrecht\My Documents\Sierras invitation artwork\~WRL0499.tmp"
Wed 17 May 2006 56,832 A..H. --- "C:\Documents and Settings\Kellee Albrecht\My Documents\Sierras invitation artwork\~WRL1127.tmp"
Wed 17 May 2006 24,064 A..H. --- "C:\Documents and Settings\Kellee Albrecht\My Documents\Sierras invitation artwork\~WRL1592.tmp"
Wed 17 May 2006 24,064 A..H. --- "C:\Documents and Settings\Kellee Albrecht\My Documents\Sierras invitation artwork\~WRL1921.tmp"
Wed 17 May 2006 26,112 A..H. --- "C:\Documents and Settings\Kellee Albrecht\My Documents\Sierras invitation artwork\~WRL2705.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT6B.tmp"
Sun 6 Aug 2006 4,348 A..H. --- "C:\Documents and Settings\Kellee Albrecht\My Documents\My Music\License Backup\drmv1key.bak"
Fri 8 Dec 2006 20 A..H. --- "C:\Documents and Settings\Kellee Albrecht\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 6 Aug 2006 400 A.SH. --- "C:\Documents and Settings\Kellee Albrecht\My Documents\My Music\License Backup\drmv2key.bak"

Finished!




HERE'S THE HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:58 PM, on 7/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: demr.opt.fimserve.com
O15 - Trusted Zone: http://api.msappspace.com
O15 - Trusted Zone: http://home.myspace.com
O15 - Trusted Zone: http://secure.myspace.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: *.myspace.com
O15 - Trusted Zone: http://webmail.sti.net
O15 - Trusted Zone: www.sti.net
O15 - Trusted Zone: http://www.webkinz.com
O15 - Trusted Zone: http://www.yosemitearea.com
O15 - Trusted Zone: http://www.yosemiteforums.com
O15 - Trusted Zone: www.youtube.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1152115822535
O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} (Image Uploader Control) - http://www.evite.com...geUploader4.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 12009 bytes

#18
Kellee
    Member (Topic Starter)
  • 24 posts
Here's Step #3. Hopefully this worked correctly; I didn't get anything about the Recovery Console, but everything else matched your description. Let me know!

ComboFix 08-07-13.6 - Kellee Albrecht 2008-07-13 18:15:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2459 [GMT -7:00]
Running from: C:\Documents and Settings\Kellee Albrecht\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Documents\My Videos\Desktop.ini
C:\Documents and Settings\Kellee Albrecht\My Documents\My Videos\Desktop.ini
C:\Documents and Settings\LocalService\Application Data\1023286718.exe
C:\WINDOWS\system32\drivers\Mdgd32.sys
C:\WINDOWS\system32\oeminfo.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MDGD32
-------\Service_Mdgd32


((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-13 17:39 . 2008-07-13 17:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-13 17:36 . 2008-07-13 17:54 <DIR> d-------- C:\SDFix
2008-07-13 13:13 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-13 13:12 . 2008-07-13 13:12 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-13 10:03 . 2008-07-13 10:03 250 --a------ C:\WINDOWS\gmer.ini
2008-07-13 09:15 . 2008-07-13 09:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 09:15 . 2008-07-13 09:15 <DIR> d-------- C:\Documents and Settings\Kellee Albrecht\Application Data\Malwarebytes
2008-07-13 09:15 . 2008-07-13 09:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 09:15 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-13 09:15 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-12 20:19 . 2008-07-12 20:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-12 20:19 . 2008-07-12 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-12 19:03 . 2008-07-12 19:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-12 19:03 . 2008-07-12 19:03 <DIR> d-------- C:\Documents and Settings\Kellee Albrecht\Application Data\SUPERAntiSpyware.com
2008-07-12 19:03 . 2008-07-12 19:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-12 19:02 . 2008-07-12 19:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 18:45 . 2008-07-12 18:45 <DIR> d-------- C:\_OTMoveIt
2008-07-12 16:59 . 2008-07-12 16:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-12 16:49 . 2008-07-12 16:49 <DIR> d-------- C:\Deckard
2008-07-12 15:18 . 2008-07-12 16:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 15:18 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-12 15:18 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-12 15:18 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-12 15:18 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-12 15:17 . 2008-07-12 15:20 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-12 15:17 . 2008-07-12 15:17 <DIR> d-------- C:\Documents and Settings\Kellee Albrecht\Application Data\PC Tools
2008-06-20 03:44 . 2008-06-20 03:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-19 16:30 . 2008-06-19 16:39 <DIR> d-------- C:\Program Files\Pizza Chef
2008-06-18 15:59 . 2008-06-18 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Go Go Gourmet
2008-06-18 15:56 . 2008-06-18 15:56 <DIR> d-------- C:\Program Files\Go Go Gourmet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 01:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-13 20:13 --------- d-----w C:\Program Files\Java
2008-07-12 03:24 --------- d-----w C:\Program Files\Hello Kitty Studio
2008-06-24 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hello Kitty Studio
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-06 14:54 --------- d-----w C:\Program Files\The Weather Channel FW
2008-05-30 00:48 --------- d-----w C:\Program Files\HP
2008-05-28 03:46 --------- d-----w C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-05-28 03:46 --------- d-----w C:\Program Files\SmartFTP Client
2008-05-28 03:46 --------- d-----w C:\Documents and Settings\Kellee Albrecht\Application Data\SmartFTP
2008-05-18 02:52 --------- d-----w C:\Program Files\iTunes
2008-05-18 02:52 --------- d-----w C:\Program Files\iPod
2008-05-18 02:50 --------- d-----w C:\Program Files\QuickTime
2008-05-18 02:39 --------- d-----w C:\Program Files\Apple Software Update
2008-05-17 02:14 --------- d-----w C:\Documents and Settings\Kellee Albrecht\Application Data\LimeWire
2008-05-16 04:38 --------- d-----w C:\Program Files\Sun
2008-05-16 04:34 --------- d-----w C:\Program Files\Windows Live
2008-05-16 04:33 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-16 04:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 05:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-10-13 15:05 32 --sha-w C:\WINDOWS\{078EB43C-2977-4CAA-A2D5-ACAE96D6F8AB}.dat
2007-10-13 15:05 32 --sha-w C:\WINDOWS\system32\{3FC2401F-6C03-4A14-A38C-399A3251341C}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 09:16 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 16:18 785520]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42 1404928]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-31 19:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 18:29 49152]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 22:22 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23 34504]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-10-14 20:59 95960]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk
backup=C:\WINDOWS\pss\Event Planner Reminders Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kellee Albrecht^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Kellee Albrecht\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2006-06-27 05:32 169472 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-07-08 04:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-12 04:12:13 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-07-14 01:21:56 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 18:19:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\COMRes.dll
-> ?:\WINDOWS\system32\COMRes.dll
-> ?:\WINDOWS\system32\ATL.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2008-07-13 18:23:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-14 01:23:33

Pre-Run: 122,833,403,904 bytes free
Post-Run: 123,036,758,016 bytes free

207 --- E O F --- 2008-07-10 00:13:00



HERE'S THE HIJACKTHIS LOG


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:10 PM, on 7/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: demr.opt.fimserve.com
O15 - Trusted Zone: http://api.msappspace.com
O15 - Trusted Zone: http://home.myspace.com
O15 - Trusted Zone: http://secure.myspace.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: *.myspace.com
O15 - Trusted Zone: http://webmail.sti.net
O15 - Trusted Zone: www.sti.net
O15 - Trusted Zone: http://www.webkinz.com
O15 - Trusted Zone: http://www.yosemitearea.com
O15 - Trusted Zone: http://www.yosemiteforums.com
O15 - Trusted Zone: www.youtube.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1152115822535
O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} (Image Uploader Control) - http://www.evite.com...geUploader4.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 12051 bytes
  • 0

#19
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi Kellee

Well, that file was indeed bad and is indeed a rootkit, and ComboFix managed to clean it. So, we will do a registry search to ensure it is all gone. We will also have to do another online scan to make sure. But, hopefully, this will be it and we can wrap up once the online scan comes through.

Feel free to post the logs as you get them :)


====STEP 1====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mdgd32]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Mdgd32]

SysRst::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



====STEP 2====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
====STEP 3====
1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it to your desktop with the file name options.txt and the file type set to "All Files".

RegSearch Options File

[Search]
Mdgd32

[Options]
Filter=KVDLUI



2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.
In your next reply, could I see:
1. the combofix log
2. the new hijackthis log
3. the kaspersky log
4. the Regsearch log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

Edited by andrewuk, 13 July 2008 - 07:40 PM.

  • 0
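As an added check that is not part of this thread, ComboFix or RegSearch: once the CFScript in Step 1 has run and the machine has rebooted, this PowerShell script confirms from an elevated prompt that the Mdgd32 service keys are gone from every ControlSet and then sweeps HKLM and HKEY_USERS for any key name, value name or value data that still mentions the name, much as Step 3 asks RegSearch to do. It assumes Windows PowerShell 2.0 or later; the recursive sweep can take a few minutes.

```powershell
# Added example, not from the thread or from ComboFix/RegSearch.
# Verifies that the rootkit service keys named in the CFScript are gone and
# that no other registry entry under HKLM or HKEY_USERS still refers to Mdgd32.
# Assumes an elevated Windows PowerShell 2.0+ prompt.

$needle  = 'Mdgd32'
$pattern = [regex]::Escape($needle)

# --- 1. The service keys named in the CFScript, plus every other ControlSet ---
$serviceKeys = @("HKLM:\SYSTEM\CurrentControlSet\Services\$needle")
foreach ($cs in (Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSChildName -like 'ControlSet*' })) {
    $serviceKeys += "HKLM:\SYSTEM\$($cs.PSChildName)\Services\$needle"
}

$leftovers = 0
foreach ($key in $serviceKeys) {
    if (Test-Path -Path $key) {
        Write-Output "STILL PRESENT: $key"
        $leftovers++
    } else {
        Write-Output "removed: $key"
    }
}

# --- 2. RegSearch-style sweep of key names, value names and value data ---
$hits = @()
foreach ($hive in @('HKLM:\', 'Registry::HKEY_USERS')) {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -match $pattern) { $hits += "KEY    $($key.Name)" }
        foreach ($valueName in $key.GetValueNames()) {
            # MULTI_SZ and binary data are joined into one string for matching
            $data = "$($key.GetValue($valueName))"
            if ($valueName -match $pattern) {
                $hits += "VALUE  $($key.Name)\$valueName"
            } elseif ($data -match $pattern) {
                $hits += "DATA   $($key.Name)\$valueName = $data"
            }
        }
    }
}

if ($hits.Count -eq 0 -and $leftovers -eq 0) {
    Write-Output "No reference to $needle found; the removal looks complete."
} else {
    Write-Output "References to $needle remain (post these alongside the RegSearch log):"
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

Any line reported as STILL PRESENT or listed under the remaining references should be posted as-is rather than deleted by hand, since a helper will want to see where the name survives before scripting a further fix.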

#20
Kellee

Kellee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
HERE'S THE COMBOFIX LOG - STEP #1

ComboFix 08-07-13.6 - Kellee Albrecht 2008-07-13 18:50:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2441 [GMT -7:00]
Running from: C:\Documents and Settings\Kellee Albrecht\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kellee Albrecht\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-13 17:39 . 2008-07-13 17:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-13 17:36 . 2008-07-13 17:54 <DIR> d-------- C:\SDFix
2008-07-13 13:13 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-13 13:12 . 2008-07-13 13:12 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-13 10:03 . 2008-07-13 10:03 250 --a------ C:\WINDOWS\gmer.ini
2008-07-13 09:15 . 2008-07-13 09:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 09:15 . 2008-07-13 09:15 <DIR> d-------- C:\Documents and Settings\Kellee Albrecht\Application Data\Malwarebytes
2008-07-13 09:15 . 2008-07-13 09:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 09:15 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-13 09:15 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-12 20:19 . 2008-07-12 20:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-12 20:19 . 2008-07-12 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-12 19:03 . 2008-07-12 19:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-12 19:03 . 2008-07-12 19:03 <DIR> d-------- C:\Documents and Settings\Kellee Albrecht\Application Data\SUPERAntiSpyware.com
2008-07-12 19:03 . 2008-07-12 19:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-12 19:02 . 2008-07-12 19:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 18:45 . 2008-07-12 18:45 <DIR> d-------- C:\_OTMoveIt
2008-07-12 16:59 . 2008-07-12 16:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-12 16:49 . 2008-07-12 16:49 <DIR> d-------- C:\Deckard
2008-07-12 15:18 . 2008-07-12 16:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 15:18 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-12 15:18 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-12 15:18 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-12 15:18 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-12 15:17 . 2008-07-12 15:20 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-12 15:17 . 2008-07-12 15:17 <DIR> d-------- C:\Documents and Settings\Kellee Albrecht\Application Data\PC Tools
2008-06-20 03:44 . 2008-06-20 03:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-19 16:30 . 2008-06-19 16:39 <DIR> d-------- C:\Program Files\Pizza Chef
2008-06-18 15:59 . 2008-06-18 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Go Go Gourmet
2008-06-18 15:56 . 2008-06-18 15:56 <DIR> d-------- C:\Program Files\Go Go Gourmet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 01:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-13 20:13 --------- d-----w C:\Program Files\Java
2008-07-12 03:24 --------- d-----w C:\Program Files\Hello Kitty Studio
2008-06-24 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hello Kitty Studio
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-06 14:54 --------- d-----w C:\Program Files\The Weather Channel FW
2008-05-30 00:48 --------- d-----w C:\Program Files\HP
2008-05-28 03:46 --------- d-----w C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-05-28 03:46 --------- d-----w C:\Program Files\SmartFTP Client
2008-05-28 03:46 --------- d-----w C:\Documents and Settings\Kellee Albrecht\Application Data\SmartFTP
2008-05-18 02:52 --------- d-----w C:\Program Files\iTunes
2008-05-18 02:52 --------- d-----w C:\Program Files\iPod
2008-05-18 02:50 --------- d-----w C:\Program Files\QuickTime
2008-05-18 02:39 --------- d-----w C:\Program Files\Apple Software Update
2008-05-17 02:14 --------- d-----w C:\Documents and Settings\Kellee Albrecht\Application Data\LimeWire
2008-05-16 04:38 --------- d-----w C:\Program Files\Sun
2008-05-16 04:34 --------- d-----w C:\Program Files\Windows Live
2008-05-16 04:33 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-16 04:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 05:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-10-13 15:05 32 --sha-w C:\WINDOWS\{078EB43C-2977-4CAA-A2D5-ACAE96D6F8AB}.dat
2007-10-13 15:05 32 --sha-w C:\WINDOWS\system32\{3FC2401F-6C03-4A14-A38C-399A3251341C}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42 1404928]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-31 19:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 18:29 49152]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 22:22 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23 34504]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-10-14 20:59 95960]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk
backup=C:\WINDOWS\pss\Event Planner Reminders Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kellee Albrecht^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Kellee Albrecht\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2006-06-27 05:32 169472 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-07-08 04:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-12 04:12:13 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-07-14 01:21:56 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 18:51:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-13 18:52:53
ComboFix-quarantined-files.txt 2008-07-14 01:52:51
ComboFix2.txt 2008-07-14 01:23:39

Pre-Run: 123,013,042,176 bytes free
Post-Run: 123,008,413,696 bytes free

161 --- E O F --- 2008-07-10 00:13:00


HERE'S THE NEW HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:08 PM, on 7/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: demr.opt.fimserve.com
O15 - Trusted Zone: http://api.msappspace.com
O15 - Trusted Zone: http://home.myspace.com
O15 - Trusted Zone: http://secure.myspace.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: *.myspace.com
O15 - Trusted Zone: http://webmail.sti.net
O15 - Trusted Zone: www.sti.net
O15 - Trusted Zone: http://www.webkinz.com
O15 - Trusted Zone: http://www.yosemitearea.com
O15 - Trusted Zone: http://www.yosemiteforums.com
O15 - Trusted Zone: www.youtube.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1152115822535
O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} (Image Uploader Control) - http://www.evite.com...geUploader4.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 12004 bytes

#21
Kellee

    Member

  • Topic Starter
  • Member
  • 24 posts
HERE'S STEP #2 - IT FOUND VIRUSES BUT DIDN'T FIX THEM?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 14, 2008 6:44:50 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/07/2008
Kaspersky Anti-Virus database records: 950157
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 232220
Number of viruses found: 23
Number of infected objects: 1141
Number of suspicious objects: 539
Duration of the scan process: 02:36:48

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F139AD188D782833B1/[From [email protected]][Date Mon, 16 May 2005 09:25:43 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F139AD188D782833B1/[From [email protected]][Date Mon, 16 May 2005 09:25:43 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F139AD188D782833B1/[From [email protected]][Date Mon, 16 May 2005 09:25:43 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F139AD188D782833B1 Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F139AD188D782833B1 CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F244D4906E0BD360EF/[From [email protected]][Date Mon, 16 May 2005 09:25:43 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F244D4906E0BD360EF/[From [email protected]][Date Mon, 16 May 2005 09:25:43 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F244D4906E0BD360EF/[From [email protected]][Date Mon, 16 May 2005 09:25:43 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F244D4906E0BD360EF Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F244D4906E0BD360EF CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F370EE5E206E4477A0/[From [email protected]][Date Mon, 16 May 2005 09:25:28 -0400]/msg11730.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F370EE5E206E4477A0 Mail: infected - 1 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F370EE5E206E4477A0 CryptFF: infected - 1 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F4746DE9C059651977/[From [email protected]][Date Sat, 21 May 2005 09:27:47 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F4746DE9C059651977/[From [email protected]][Date Sat, 21 May 2005 09:27:47 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F4746DE9C059651977/[From [email protected]][Date Sat, 21 May 2005 09:27:47 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F4746DE9C059651977 Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F4746DE9C059651977 CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F5451EB7B826DF20FC/[From [email protected]][Date Sat, 21 May 2005 09:27:47 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F5451EB7B826DF20FC/[From [email protected]][Date Sat, 21 May 2005 09:27:47 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F5451EB7B826DF20FC/[From [email protected]][Date Sat, 21 May 2005 09:27:47 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F5451EB7B826DF20FC Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F5451EB7B826DF20FC CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F62181148A89F6AB4D/[From [email protected]][Date Thu, 11 Aug 2005 09:38:28 -0400]/mail15274.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F62181148A89F6AB4D Mail: infected - 1 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F62181148A89F6AB4D CryptFF: infected - 1 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F7A15A2C9B916BC1FC/[From [email protected]][Date Thu, 11 Aug 2005 09:38:22 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F7A15A2C9B916BC1FC/[From [email protected]][Date Thu, 11 Aug 2005 09:38:22 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F7A15A2C9B916BC1FC/[From [email protected]][Date Thu, 11 Aug 2005 09:38:22 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F7A15A2C9B916BC1FC Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F7A15A2C9B916BC1FC CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F864FBD0B78EAAAED2/[From [email protected]][Date Thu, 11 Aug 2005 09:38:22 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F864FBD0B78EAAAED2/[From [email protected]][Date Thu, 11 Aug 2005 09:38:22 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F864FBD0B78EAAAED2/[From [email protected]][Date Thu, 11 Aug 2005 09:38:22 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F864FBD0B78EAAAED2 Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F864FBD0B78EAAAED2 CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F93BBECE65546A9529/[From [email protected]][Date Mon, 18 Apr 2005 09:11:12 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F93BBECE65546A9529/[From [email protected]][Date Mon, 18 Apr 2005 09:11:12 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F93BBECE65546A9529/[From [email protected]][Date Mon, 18 Apr 2005 09:11:12 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F93BBECE65546A9529 Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003F93BBECE65546A9529 CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FAD7A9CD891BA30637/[From [email protected]][Date Mon, 18 Apr 2005 09:11:12 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FAD7A9CD891BA30637/[From [email protected]][Date Mon, 18 Apr 2005 09:11:12 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FAD7A9CD891BA30637/[From [email protected]][Date Mon, 18 Apr 2005 09:11:12 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FAD7A9CD891BA30637 Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FAD7A9CD891BA30637 CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FB4BC413184932D41F/[From [email protected]][Date Tue, 12 Jul 2005 09:41:46 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FB4BC413184932D41F/[From [email protected]][Date Tue, 12 Jul 2005 09:41:46 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FB4BC413184932D41F/[From [email protected]][Date Tue, 12 Jul 2005 09:41:46 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FB4BC413184932D41F Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FB4BC413184932D41F CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FC53596872243502A2/[From [email protected]][Date Tue, 12 Jul 2005 09:41:46 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FC53596872243502A2/[From [email protected]][Date Tue, 12 Jul 2005 09:41:46 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FC53596872243502A2/[From [email protected]][Date Tue, 12 Jul 2005 09:41:46 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FC53596872243502A2 Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FC53596872243502A2 CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FDCD821C50B7B66B63/[From [email protected]][Date Sat, 11 Jun 2005 09:33:26 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FDCD821C50B7B66B63/[From [email protected]][Date Sat, 11 Jun 2005 09:33:26 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FDCD821C50B7B66B63/[From [email protected]][Date Sat, 11 Jun 2005 09:33:26 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FDCD821C50B7B66B63 Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FDCD821C50B7B66B63 CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FE41A6B4A423154E05/[From [email protected]][Date Sat, 11 Jun 2005 09:33:26 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FE41A6B4A423154E05/[From [email protected]][Date Sat, 11 Jun 2005 09:33:26 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FE41A6B4A423154E05/[From [email protected]][Date Sat, 11 Jun 2005 09:33:26 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FE41A6B4A423154E05 Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FE41A6B4A423154E05 CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FFA53CE2029C6733DE/[From [email protected]][Date Fri, 15 Apr 2005 16:22:56 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FFA53CE2029C6733DE/[From [email protected]][Date Fri, 15 Apr 2005 16:22:56 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FFA53CE2029C6733DE/[From [email protected]][Date Fri, 15 Apr 2005 16:22:56 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FFA53CE2029C6733DE Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP000003FFA53CE2029C6733DE CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000400AAE6622016B1A621/[From [email protected]][Date Fri, 15 Apr 2005 16:22:56 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000400AAE6622016B1A621/[From [email protected]][Date Fri, 15 Apr 2005 16:22:56 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000400AAE6622016B1A621/[From [email protected]][Date Fri, 15 Apr 2005 16:22:56 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000400AAE6622016B1A621 Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000400AAE6622016B1A621 CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000401A7F1A19BFDA2621B/[From [email protected]][Date Fri, 15 Apr 2005 16:16:13 -0400]/data8406.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000401A7F1A19BFDA2621B Mail: infected - 1 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000401A7F1A19BFDA2621B CryptFF: infected - 1 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP0000040284D59AE0D6961100/[From [email protected]][Date Wed, 13 Apr 2005 09:14:54 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP0000040284D59AE0D6961100/[From [email protected]][Date Wed, 13 Apr 2005 09:14:54 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP0000040284D59AE0D6961100/[From [email protected]][Date Wed, 13 Apr 2005 09:14:54 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP0000040284D59AE0D6961100 Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP0000040284D59AE0D6961100 CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000403B9485145A77107A5/[From [email protected]][Date Wed, 13 Apr 2005 09:14:54 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000403B9485145A77107A5/[From [email protected]][Date Wed, 13 Apr 2005 09:14:54 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000403B9485145A77107A5/[From [email protected]][Date Wed, 13 Apr 2005 09:14:54 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000403B9485145A77107A5 Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000403B9485145A77107A5 CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000404D5D0183802FD9086/[From [email protected]][Date Wed, 13 Apr 2005 09:14:27 -0400]/data32026.zip Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000404D5D0183802FD9086 Mail: infected - 1 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000404D5D0183802FD9086 CryptFF: infected - 1 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP0000040539AF96F52E9E61B4/[From [email protected]][Date Wed, 11 May 2005 09:18:06 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP0000040539AF96F52E9E61B4/[From [email protected]][Date Wed, 11 May 2005 09:18:06 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP0000040539AF96F52E9E61B4/[From [email protected]][Date Wed, 11 May 2005 09:18:06 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP0000040539AF96F52E9E61B4 Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP0000040539AF96F52E9E61B4 CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP0000040664356D508345971D/[From [email protected]][Date Wed, 11 May 2005 09:18:06 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP0000040664356D508345971D/[From [email protected]][Date Wed, 11 May 2005 09:18:06 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP0000040664356D508345971D/[From [email protected]][Date Wed, 11 May 2005 09:18:06 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP0000040664356D508345971D Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP0000040664356D508345971D CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000407A06205EB1685201E/[From [email protected]][Date Tue, 16 Aug 2005 09:48:47 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000407A06205EB1685201E/[From [email protected]][Date Tue, 16 Aug 2005 09:48:47 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000407A06205EB1685201E/[From [email protected]][Date Tue, 16 Aug 2005 09:48:47 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000407A06205EB1685201E Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000407A06205EB1685201E CryptFF: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000408CC59F78D9C654FAD/[From [email protected]][Date Tue, 16 Aug 2005 09:48:47 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000408CC59F78D9C654FAD/[From [email protected]][Date Tue, 16 Aug 2005 09:48:47 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000408CC59F78D9C654FAD/[From [email protected]][Date Tue, 16 Aug 2005 09:48:47 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000408CC59F78D9C654FAD Mail: infected - 1, suspicious - 2 skipped
C:\Deckard\System Scanner\20080712165743\backup\WINDOWS\temp\TMP00000408CC59F78D9C654FAD CryptFF: infected - 1, suspicious - 2 skipped
  • 0

#22
Kellee

    Member

  • Topic Starter
  • Member
  • 24 posts
ANDREW, THE REGISTRY SEARCH PAGE IS NOT FOUND. IS THERE ANOTHER LINK THAT I CAN USE?
  • 0

#23
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
The ComboFix log looks good :)

HERE'S STEP #2 - IT FOUND VIRUSES BUT DIDN'T FIX THEM?

Don't worry about that, it only scans. We will fix anything it finds. In this case it is only finding safely quarantined items, which we will finally clear at the end.

Also, the Kaspersky scan got cut off because it is long, so could you attach the text log instead:
To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post



THE REGISTRY SEARCH PAGE IS NOT FOUND. IS THERE ANOTHER LINK THAT I CAN USE?

try this instead:

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it to your desktop with the file name options.txt and the file type set to "All Files".


RegSearch Options File

[Search]
Mdgd32

[Exclude]

[Options]
Filter=KLU


2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.


andrewuk
  • 0
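The post above has Registry Search look for the string Mdgd32 in key names, value names and value data under HKEY_LOCAL_MACHINE and HKEY_USERS. The following is an added example of the same check written in Python; it is not Bobbi Flekman's RegSearch and not code from this thread. It reads an options file in the same [Search]/[Exclude]/[Options] shape as the one posted, then walks the two hives with the standard winreg module. The registry walk only runs on Windows; parse_options() and matches() are platform-independent, and the sample paths in the comments are constructed. The Filter=KLU line is passed through untouched (assumption: its meaning is not interpreted here).

```python
"""RegSearch-style registry string search (added example, not RegSearch itself).

Reads an options file in the shape posted above ([Search], [Exclude],
[Options]) and reports every key name, value name or value data under
HKEY_LOCAL_MACHINE and HKEY_USERS that contains a search term, as a
defender-side check for leftover driver or service entries.  The registry
walk needs Windows (winreg); parse_options() and matches() work anywhere.
Filter=KLU is recorded but not interpreted (assumption).
"""
import sys
from dataclasses import dataclass, field

# The options file from the post, embedded so the parser can be exercised offline.
OPTIONS_TEXT = """RegSearch Options File

[Search]
Mdgd32

[Exclude]

[Options]
Filter=KLU
"""


@dataclass
class SearchOptions:
    search: list = field(default_factory=list)   # terms to look for (lower-cased)
    exclude: list = field(default_factory=list)  # terms that suppress a hit
    options: dict = field(default_factory=dict)  # raw key=value pairs from [Options]


def parse_options(text):
    """Parse the [Search]/[Exclude]/[Options] sections; text outside any
    section (the title line), blank lines and ';' comments are ignored."""
    opts, section = SearchOptions(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "search":
            opts.search.append(line.lower())
        elif section == "exclude":
            opts.exclude.append(line.lower())
        elif section == "options":
            key, _, value = line.partition("=")
            opts.options[key.strip()] = value.strip()
    return opts


def matches(opts, *fields):
    """True when a search term occurs in any field (case-insensitive) and no
    exclude term does.  REG_BINARY data is compared as hex, other types as str."""
    text = "\0".join(f.hex() if isinstance(f, bytes) else str(f) for f in fields).lower()
    if any(term in text for term in opts.exclude):
        return False
    return any(term in text for term in opts.search)


def walk_registry(opts):
    """Yield (key_path, value_name, data) hits.  Windows only."""
    import winreg
    roots = [("HKEY_LOCAL_MACHINE", winreg.HKEY_LOCAL_MACHINE),
             ("HKEY_USERS", winreg.HKEY_USERS)]

    def visit(hive, subkey, path):
        try:
            key = winreg.OpenKey(hive, subkey)
        except OSError:          # access denied, or key vanished mid-walk
            return
        with key:
            if matches(opts, path.rsplit("\\", 1)[-1]):   # key name hit
                yield (path, "", "")
            i = 0
            while True:          # value name / value data hits
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                i += 1
                if matches(opts, name, data):
                    yield (path, name, data)
            i = 0
            while True:          # recurse into subkeys
                try:
                    child = winreg.EnumKey(key, i)
                except OSError:
                    break
                i += 1
                yield from visit(hive, f"{subkey}\\{child}" if subkey else child,
                                 f"{path}\\{child}")

    for name, hive in roots:
        yield from visit(hive, "", name)


if __name__ == "__main__":
    # Usage: python regsearch_check.py [options.txt]; defaults to the embedded file.
    opts = parse_options(open(sys.argv[1]).read() if len(sys.argv) > 1 else OPTIONS_TEXT)
    if sys.platform != "win32":
        sys.exit("registry walk needs Windows; parser and matcher are still usable")
    for path, name, data in walk_registry(opts):
        print(f"[{path}]" if not name else f'[{path}]\n"{name}"={data!r}')
```

An empty result, as in Kellee's log further down, means neither a key name, a value name nor any value data under the two hives contains the term; the matcher deliberately lower-cases both sides so Mdgd32 and mdgd32 are the same search, which is why the log reports the term as 'mdgd32'.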

#24
Kellee

Kellee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
The max size for attachments is 500k and my file is 604k. Can it be uploaded another way or emailed?

Edited by Kellee, 14 July 2008 - 05:46 PM.

  • 0

#25
Kellee

Kellee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Here is the Registry Search results: (is this correct?)

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 7/14/2008 2:38:37 PM for strings:
; 'mdgd32'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...
  • 0


#26
Kellee

Kellee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
please disregard

Edited by Kellee, 14 July 2008 - 05:46 PM.

  • 0

#27
Kellee

Kellee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
please disregard

Edited by Kellee, 14 July 2008 - 05:47 PM.

  • 0

#28
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Registry Search was good (i.e. nothing found) :)

Email the log to me at andrewuk at live.co.uk

andrewuk

Edited by andrewuk, 15 July 2008 - 11:57 AM.

  • 0

#29
Kellee

Kellee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
email sent :)
  • 0

#30
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Documents and Settings\Kellee Albrecht\My Documents\My Music\Digital Underground - Doowutchyalike.wma
    C:\Program Files\STK014_V2.01\STK014D.exe
    F:\oldc\WINDOWS\Temp\Altnet\mysearch.cab
    F:\oldc\WINDOWS\Temp\Altnet\Setup.exe
    F:\oldc\WINDOWS\Downloaded Program Files\popcaploader.dll
    F:\oldc\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
    F:\My Documents\My Music\Digital Underground - Doowutchyalike.wma
    EmptyTemp
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • 0
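The OTMoveIt2 step above hands the tool a list mixing directives ([kill explorer], EmptyTemp, purity, [start explorer]) with file paths, moves the files rather than deleting them, and writes a log named mmddyyyy_hhmmss.log. The following is an added example of that move-and-log pattern in Python; it is not OTMoveIt2's code and not code from this thread. It parses a list in the same shape, moves every existing path into a quarantine folder that mirrors the original location, and records what happened, so a false positive can be put back by hand. The directory, file names and quarantine root in demo() are constructed in a temp folder, not the paths from the thread.

```python
"""Quarantine-move with an audit log (added example, not OTMoveIt2 itself).

Bracketed lines and bare words such as EmptyTemp / purity are treated as
directives and only recorded; every other line is a path.  Existing paths
are moved, never deleted, into a quarantine root that mirrors their original
drive and folder layout, and a log named mmddyyyy_hhmmss.log is written.
The sample files are constructed in a temp directory.
"""
import datetime
import os
import shutil
import tempfile


def parse_move_list(text):
    """Split an OTMoveIt2-style list into (directives, paths)."""
    directives, paths = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") or not ("\\" in line or "/" in line):
            directives.append(line)     # [kill explorer], EmptyTemp, purity, ...
        else:
            paths.append(line)
    return directives, paths


def quarantine_path(root, path):
    """Mirror the original path under root, e.g. F:\\x\\y -> root/F/x/y."""
    drive, rest = os.path.splitdrive(os.path.abspath(path))
    drive = drive.rstrip(":\\/") or "root"      # no drive letter on POSIX
    return os.path.join(root, drive, rest.lstrip("\\/"))


def move_to_quarantine(paths, root, now=None):
    """Move each existing path under root; return (log_path, log_lines)."""
    now = now or datetime.datetime.now()
    lines = []
    for p in paths:
        if not os.path.lexists(p):
            lines.append(f"File/Folder {p} not found.")
            continue
        dest = quarantine_path(root, p)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        try:
            shutil.move(p, dest)
            lines.append(f"{p} moved successfully to {dest}")
        except OSError as exc:   # locked or in-use file; the tool defers these to a reboot
            lines.append(f"{p} NOT moved: {exc}")
    os.makedirs(root, exist_ok=True)
    log_path = os.path.join(root, now.strftime("%m%d%Y_%H%M%S") + ".log")
    with open(log_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return log_path, lines


def demo():
    """Constructed run in a temp dir; returns facts a caller can check."""
    base = tempfile.mkdtemp(prefix="quarantine_demo_")
    present = os.path.join(base, "suspect.dll")          # constructed sample file
    with open(present, "w") as fh:
        fh.write("constructed sample, not malware\n")
    missing = os.path.join(base, "never_existed.exe")    # constructed absent path
    root = os.path.join(base, "_Quarantine")
    directives, paths = parse_move_list(
        f"[kill explorer]\n{present}\n{missing}\nEmptyTemp\npurity\n[start explorer]\n")
    log_path, lines = move_to_quarantine(paths, root)
    return {
        "directives": directives,
        "paths": paths,
        "original_gone": not os.path.exists(present),
        "in_quarantine": os.path.isfile(quarantine_path(root, present)),
        "log_name": os.path.basename(log_path),
        "lines": lines,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keeping the moved files, and a log that records both source and destination, is what makes the step reversible: the helper can review the log in the next reply and, if a listed file turns out to be legitimate, it is restored by moving it back rather than recovered from a backup.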
