Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Security toolbar, and lots of other creepy stuff.. Help!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Security toolbar, and lots of other creepy stuff.. Help!

Unread postby vikraman007 » November 7th, 2007, 10:59 am

Two days of web crawling (on my other computer) and I have tried the following (in order):

Run Ad-aware, Symantec-AV
a) remove ADD-ons in IE
b) Reboot in safe mode and restore to earlier version
c) Install IE7
d) Uninstall IE7
e) Install Firefox

And still the old IE (6?) which apparently cannot be separated from the OS is still popping ADs all over my PC.

So,

f) Run HJT and post log...

Did I miss any trick? :(

Any help mucho appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:29 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\bjfkrxcl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\winshow.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\gzupkahr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [0d8fa9cf] rundll32.exe "C:\WINDOWS\system32\avlmrcvi.dll",b
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.11/uploader2.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\bjfkrxcl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\vimoku.html

--
End of file - 6020 bytes
vikraman007
Active Member
 
Posts: 12
Joined: November 7th, 2007, 10:53 am
Advertisement
Register to Remove

Unread postby Simon V. » November 7th, 2007, 12:56 pm

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

I'm afraid I have unpleasant news for you. You have been infected by Troj/VB-DXP. This infection allows outsiders complete access to every keystroke, account, and password you use while on this machine.

IF this computer has been used for any kind of important data, my best recommendation is to disconnect from the internet, reformat the entire drive and reinstall your operating system and applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. If that's the case, you could be subject to another attack or takeover as soon as you reconnect to the internet, even after removal of the infection.

The decision whether to reformat or not should be based on what you use the computer for. If the computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any applications (programs) or executable files (.dll, .exe, .scr, .bat, .cmd, .vbs, .sys). Those should be reinstalled from the original CD's or websites.
  • If you have used this computer for shopping, banking, or any transactions relating to your financial well being, call all of your banks, credit card companies and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords - for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.

While you are deciding whether to reformat and reinstall, this can be a useful link.

Please let me know what you decide.
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Unread postby vikraman007 » November 7th, 2007, 4:08 pm

Hi simon,

thanks for the response. I would like to give this cleen-up option a shot before nuking the hard disk. Please let me know what I have to do.
vikraman007
Active Member
 
Posts: 12
Joined: November 7th, 2007, 10:53 am

Unread postby Simon V. » November 7th, 2007, 4:14 pm

Hi :)

Step 1

Please download ATF Cleaner. Double-click on ATF-Cleaner.exe to start the program.
  • Under the Main tab, put a check next to Select All.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  • If you use the Firefox browser:
    Click on Firefox at the top and put a check next to Select All.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  • If you use the Opera browser:
    Click on Opera at the top and put a check next to Select All.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
Step 2

Please download Combofix:
Double-click on combofix.exe and follow the prompts.
When finished, it will produce a log for you. Save it to a convenient location.

Note: Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.

Step 3

Open HijackThis.
  • Click on the Config button.
  • Click on the Misc Tools button.
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and save the file to a convenient location. When you press Save, Notepad will open with the contents of that file.
Step 4

In your next reply, please post:
  • the Combofix log (C:\Combofix.txt)
  • the Uninstall List
  • a new HijackThis log
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Unread postby vikraman007 » November 7th, 2007, 5:26 pm

thanks. i will do so and get back to you.. So, I read the link on "how did i get affected"? BUT I DO ALL THOSE THINGS!

I have symantec anti-virus, Ad-aware and Spybot and i run all religiously. So there is no sure fire way of preventing infection?

Will run those scripts now.. thx
vikraman007
Active Member
 
Posts: 12
Joined: November 7th, 2007, 10:53 am

Unread postby vikraman007 » November 7th, 2007, 8:15 pm

Unable to generate the UninstallList log file. When I hit "Save", the HJT application just shuts down - window disappears.

Here are the other two logs - combofix and HJT log

COMBOFIX LOG:
===========
ComboFix 07-11-08.1 - nandu 2007-11-07 17:50:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.190 [GMT -6:00]
Running from: C:\Documents and Settings\nandu\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\nandu\Application Data.\AVSystemCare
C:\Documents and Settings\nandu\Application Data.\AVSystemCare\avtasks.dat
C:\Documents and Settings\nandu\Application Data.\AVSystemCare\Logs\av.log
C:\Documents and Settings\nandu\Application Data.\AVSystemCare\Logs\ga6Support.log
C:\Documents and Settings\nandu\Application Data.\AVSystemCare\Logs\update.log
C:\Documents and Settings\nandu\Application Data.\AVSystemCare\PGE.dat
C:\Documents and Settings\nandu\Application Data\WinTouch
C:\Documents and Settings\nandu\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\nandu\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\nandu\Desktop\Live Safety Center.lnk
C:\Documents and Settings\nandu\Desktop\Online Security Guide.lnk
C:\Documents and Settings\nandu\err.log
C:\Documents and Settings\nandu\Favorites\Online Security Guide.lnk
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\bak\WAS7Mon.exe
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\crosof~1.net
C:\Program Files\inetget2
C:\Program Files\Online Services\rydivy.dll
C:\Program Files\Online Services\rydivy436.dll
C:\Program Files\Online Services\rydivy999.dll
C:\Program Files\Online Services\vimoku.html
C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dat
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\UGA6P
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\a1\rarndrll2.exe
C:\WINDOWS\system32\drivers\ApiMon.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\g2\caws83122.exe
C:\WINDOWS\system32\gzupkahr.dllbox
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\nnnmp.bak1
C:\WINDOWS\system32\nnnmp.bak2
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnnn.dll
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\r2\wr31drs.exe
C:\WINDOWS\system32\v8
C:\WINDOWS\system32\v8\taldrvr11.exe
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\xrmhvpyj.dllbox
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\winshow.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\core
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.

2007-11-07 17:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-07 08:26 79,936 --a------ C:\WINDOWS\system32\nvhqneph.dll
2007-11-07 08:23 86,080 --a------ C:\WINDOWS\system32\avlmrcvi.dll
2007-11-07 08:17 145,984 --a------ C:\WINDOWS\system32\gzupkahr.dll
2007-11-07 08:17 145,984 --a------ C:\WINDOWS\system32\fpaugbju.dll
2007-11-07 08:16 71,232 --a------ C:\WINDOWS\system32\bjfkrxcl.exe
2007-11-06 20:42 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 19:59 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-06 18:55 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-06 18:55 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-06 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-06 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-06 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-06 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-06 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-06 18:55 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-06 18:45 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-11-06 18:43 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-06 18:42 35,328 --a------ C:\WINDOWS\system32\jkkifda.dll
2007-11-06 18:39 <DIR> d--hs---- C:\WINDOWS\c3Jpa2FudGg
2007-11-06 18:39 35,840 --a------ C:\WINDOWS\mrofinu572.exe
2007-11-06 18:38 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-11-06 18:38 <DIR> d-------- C:\Temp\mZOr
2007-11-06 18:38 <DIR> d-------- C:\Temp
2007-11-06 18:38 35,328 --a------ C:\WINDOWS\system32\nnnnmmj.dll
2007-11-06 18:15 <DIR> d-------- C:\WUTemp
2007-11-04 18:53 36,352 --a------ C:\WINDOWS\system32\mljhghh.dll
2007-11-03 14:49 <DIR> d-------- C:\Documents and Settings\nandu\Application Data\Viewpoint
2007-11-02 11:05 <DIR> d-------- C:\WINDOWS\system32\Mz08r
2007-10-10 08:49 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 19:11 --------- d-----w C:\Program Files\QuickTime
2007-10-20 03:37 --------- d-----w C:\Program Files\Free Surfer
2007-10-20 03:34 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-15 22:02 --------- d--h--r C:\Documents and Settings\nandu\Application Data\yahoo!
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2005-12-05 16:49 38,456 ----a-w C:\Documents and Settings\nandu\Application Data\GDIPFONTCACHEV1.DAT
2004-10-15 15:36 36,728 ----a-w C:\Documents and Settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2005-07-29 22:24:26 472 --sha-r C:\WINDOWS\c3Jpa2FudGg\waLDuZIRx30.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2da0f53e-d9e2-493c-816f-04e0f9882367}]
2007-11-07 08:26 79936 --a------ C:\WINDOWS\system32\nvhqneph.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{502506A7-C196-4407-B63B-4D9FA8A26835}]
2007-08-02 07:43 282624 --a------ C:\Program Files\ComPlus Applications\niry83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-04 18:53 36352 --a------ C:\WINDOWS\system32\mljhghh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-07 08:17 145984 --a------ C:\WINDOWS\system32\gzupkahr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBEE2A2A-2380-4DDB-9F39-946BA1452EFC}]
2007-08-02 07:43 282624 --a------ C:\Program Files\ComPlus Applications\niry4444.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\gzupkahr.dll [2007-11-07 08:17 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-02 14:19]
"nwiz"="nwiz.exe" [2003-05-02 14:19 C:\WINDOWS\system32\nwiz.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2005-11-10 19:14]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" []
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" []
"0d8fa9cf"="C:\WINDOWS\system32\avlmrcvi.dll" [2007-11-07 08:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-05-02 14:19]
"NVIEW"="nview.dll" [2003-05-02 14:19 C:\WINDOWS\system32\nview.dll]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-09-11 00:56:02]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\mljhghh.dll [2007-11-04 18:53 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gzupkahr]
gzupkahr.dll 2007-11-07 08:17 145984 C:\WINDOWS\system32\gzupkahr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhghh]
mljhghh.dll 2007-11-04 18:53 36352 C:\WINDOWS\system32\mljhghh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnnn.dll

R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
R3 crtaud;Conexant Riptide WDM Audio Driver;C:\WINDOWS\system32\drivers\crtaud.sys
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
R3 rpfun;Conexant Riptide Dummy Driver;C:\WINDOWS\system32\drivers\rpfun.sys
R3 rthwcls;Conexant Riptide Bus / Firmware Downloader;C:\WINDOWS\system32\drivers\rthwcls.sys
R3 Winacpci;Winacpci;C:\WINDOWS\system32\DRIVERS\winacpci.sys
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
S3 VNICPKT5;VNICPKT5 Protocol Driver;\??\C:\WINDOWS\System32\VNICPKT5.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 21:00:00 C:\WINDOWS\Tasks\{3CAE9AAD-6521-4A64-A1F2-DD904C96036A}_SRIK-BUILT_nandu.job"
"2007-11-01 21:00:09 C:\WINDOWS\Tasks\{79B68748-0FC3-4B4A-AA68-547468788625}_SRIK-BUILT_nandu.job"
- C:\WINDOWS\system32\mobsync.exe
"2007-11-07 15:00:01 C:\WINDOWS\Tasks\{81C53930-4EE3-40ED-89A3-8E7BF020B9CE}_SRIK-BUILT_nandu.job"
- C:\WINDOWS\system32\mobsync.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 18:01:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 18:04:54 - machine was rebooted
.
--- E O F ---


HJT LOG:
======
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:13:06 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\gzupkahr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [0d8fa9cf] rundll32.exe "C:\WINDOWS\system32\avlmrcvi.dll",b
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.11/uploader2.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5983 bytes
vikraman007
Active Member
 
Posts: 12
Joined: November 7th, 2007, 10:53 am

Unread postby Simon V. » November 8th, 2007, 2:36 am

Step 1

Please visit Virustotal

  • Click the Browse... button.
  • Navigate to the file C:\Program Files\ComPlus Applications\niry83122.dll
  • Click the Open button.
  • Click the Send button.
Also do this for:
  • C:\Program Files\ComPlus Applications\niry4444.dll
Copy and paste the results in Notepad, and save them to your desktop, so you can post them in your next reply.

Step 2

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

Code: Select all
File::

C:\WINDOWS\system32\nvhqneph.dll
C:\WINDOWS\system32\avlmrcvi.dll
C:\WINDOWS\system32\gzupkahr.dll
C:\WINDOWS\system32\fpaugbju.dll
C:\WINDOWS\system32\bjfkrxcl.exe
C:\WINDOWS\system32\jkkifda.dll
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\nnnnmmj.dll
C:\WINDOWS\system32\mljhghh.dll

DirLook::

C:\WINDOWS\c3Jpa2FudGg

Folder::

C:\WINDOWS\system32\Mz02r
C:\Temp\mZOr
C:\WINDOWS\system32\Mz08r

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2da0f53e-d9e2-493c-816f-04e0f9882367}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"0d8fa9cf"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gzupkahr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhghh]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save.

Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 3

Please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner. On the welcome screen, click Accept.

You will be promted to install an ActiveX component from Kaspersky, click Install.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

      Extended (if available, otherwise Standard)
    • Scan Options:

      Scan Archives
      Scan Mail Bases
  • Click OK.
  • Now under Select a Target to Scan:
    • Select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.
Step 4

In your next reply, please post:
  • the Virustotal results
  • the Combofix log (C:\Combofix.txt)
  • the Kaspersky Online Scan report
  • a new HijackThis log
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Unread postby vikraman007 » November 8th, 2007, 9:43 pm

VIRUSTOTAL
=============================================
File niry4444.dll received on 11.09.2007 00:40:49 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 22/32 (68.75%)
Loading server information...
Your file is queued in position: 6.
Estimated start time is between 55 and 78 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2007.11.9.0 2007.11.08 -
AntiVir 7.6.0.34 2007.11.08 ADSPY/TTC.A.5
Authentium 4.93.8 2007.11.01 -
Avast 4.7.1074.0 2007.11.08 Win32:Adloader-KH
AVG 7.5.0.503 2007.11.08 Adware Generic2.JEG
BitDefender 7.2 2007.11.08 Adware.TTC
CAT-QuickHeal 9.00 2007.11.08 AdWare.TTC.a (Not a Virus)
ClamAV 0.91.2 2007.11.08 -
DrWeb 4.44.0.09170 2007.11.08 -
eSafe 7.0.15.0 2007.11.08 -
eTrust-Vet 31.2.5281 2007.11.08 Win32/Zquest.G
Ewido 4.0 2007.11.08 -
FileAdvisor 1 2007.11.08 Low threat detected
Fortinet 3.11.0.0 2007.10.19 Adware/TTC
F-Prot 4.4.2.54 2007.11.07 W32/Adware.WWV
F-Secure 6.70.13030.0 2007.11.09 -
Ikarus T3.1.1.12 2007.11.08 not-a-virus:AdWare.Win32.TTC.a
Kaspersky 7.0.0.125 2007.11.09 not-a-virus:AdWare.Win32.TTC.a
McAfee 5159 2007.11.08 Downloader-BEC
Microsoft 1.3007 2007.11.09 Program:Win32/TTC
NOD32v2 2646 2007.11.08 -
Norman 5.80.02 2007.11.08 W32/TTC.DX
Panda 9.0.0.4 2007.11.09 Adware/TTC
Prevx1 V2 2007.11.08 -
Rising 20.17.32.00 2007.11.08 AdWare.Win32.TTC.d
Sophos 4.23.0 2007.11.09 Troj/TTC-Gen
Sunbelt 2.2.907.0 2007.11.08 Adware.TTC
Symantec 10 2007.11.09 Downloader
TheHacker 6.2.9.120 2007.11.08 Adware/TTC.a
VBA32 3.12.2.4 2007.11.06 AdWare.Win32.TTC.a
VirusBuster 4.3.26:9 2007.11.08 -
Webwasher-Gateway 6.0.1 2007.11.09 Ad-Spyware.TTC.A.5
Additional information
File size: 282624 bytes
MD5: 0b36bd26e49f50029b240ef4c5f2f729
SHA1: 217b7851f3acac62eec1aa22fba5e282460a4d88
Bit9 info: http://fileadvisor.bit9.com/services/ex ... f4c5f2f729

File niry83122.dll received on 11.09.2007 01:20:31 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 22/32 (68.75%)
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 44 and 63 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2007.11.9.0 2007.11.08 -
AntiVir 7.6.0.34 2007.11.08 ADSPY/TTC.A.5
Authentium 4.93.8 2007.11.01 -
Avast 4.7.1074.0 2007.11.08 Win32:Adloader-KH
AVG 7.5.0.503 2007.11.08 Adware Generic2.JEG
BitDefender 7.2 2007.11.08 Adware.TTC
CAT-QuickHeal 9.00 2007.11.08 AdWare.TTC.a (Not a Virus)
ClamAV 0.91.2 2007.11.09 -
DrWeb 4.44.0.09170 2007.11.08 -
eSafe 7.0.15.0 2007.11.08 -
eTrust-Vet 31.2.5281 2007.11.08 Win32/Zquest.G
Ewido 4.0 2007.11.08 -
FileAdvisor 1 2007.11.09 Low threat detected
Fortinet 3.11.0.0 2007.10.19 Adware/TTC
F-Prot 4.4.2.54 2007.11.07 W32/Adware.WWV
F-Secure 6.70.13030.0 2007.11.09 -
Ikarus T3.1.1.12 2007.11.08 not-a-virus:AdWare.Win32.TTC.a
Kaspersky 7.0.0.125 2007.11.09 not-a-virus:AdWare.Win32.TTC.a
McAfee 5159 2007.11.08 Downloader-BEC
Microsoft 1.3007 2007.11.09 Program:Win32/TTC
NOD32v2 2646 2007.11.08 -
Norman 5.80.02 2007.11.08 W32/TTC.DX
Panda 9.0.0.4 2007.11.09 Adware/TTC
Prevx1 V2 2007.11.09 -
Rising 20.17.32.00 2007.11.08 AdWare.Win32.TTC.d
Sophos 4.23.0 2007.11.09 Troj/TTC-Gen
Sunbelt 2.2.907.0 2007.11.08 Adware.TTC
Symantec 10 2007.11.09 Downloader
TheHacker 6.2.9.120 2007.11.08 Adware/TTC.a
VBA32 3.12.2.4 2007.11.06 AdWare.Win32.TTC.a
VirusBuster 4.3.26:9 2007.11.08 -
Webwasher-Gateway 6.0.1 2007.11.09 Ad-Spyware.TTC.A.5
Additional information
File size: 282624 bytes
MD5: 0b36bd26e49f50029b240ef4c5f2f729
SHA1: 217b7851f3acac62eec1aa22fba5e282460a4d88
Bit9 info: http://fileadvisor.bit9.com/services/ex ... ef4c5f2f72

COMBOFIX
===============================================
ComboFix 07-11-08.1 - nandu 2007-11-09 18:30:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.213 [GMT -6:00]
Running from: C:\Documents and Settings\nandu\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\nandu\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\avlmrcvi.dll
C:\WINDOWS\system32\bjfkrxcl.exe
C:\WINDOWS\system32\fpaugbju.dll
C:\WINDOWS\system32\gzupkahr.dll
C:\WINDOWS\system32\jkkifda.dll
C:\WINDOWS\system32\mljhghh.dll
C:\WINDOWS\system32\nnnnmmj.dll
C:\WINDOWS\system32\nvhqneph.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\nandu\Desktop\Live Safety Center.lnk
C:\Documents and Settings\nandu\Desktop\Online Security Guide.lnk
C:\Documents and Settings\nandu\Favorites\Online Security Guide.lnk
C:\Temp\mZOr
C:\Temp\mZOr\tOasF.log
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\avlmrcvi.dll
C:\WINDOWS\system32\bbadd.bak1
C:\WINDOWS\system32\bbadd.ini
C:\WINDOWS\system32\bjfkrxcl.exe
C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\fpaugbju.dll
C:\WINDOWS\system32\gzupkahr.dll
C:\WINDOWS\system32\gzupkahr.dllbox
C:\WINDOWS\system32\jkkifda.dll
C:\WINDOWS\system32\mljhghh.dll
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\system32\Mz02r\Mz02r1065.exe
C:\WINDOWS\system32\Mz08r
C:\WINDOWS\system32\nnnnmmj.dll
C:\WINDOWS\system32\nvhqneph.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.

2007-11-07 17:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 20:42 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 19:59 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-06 18:55 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-06 18:55 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-06 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-06 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-06 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-06 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-06 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-06 18:55 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-06 18:45 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-11-06 18:43 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-06 18:39 <DIR> d--hs---- C:\WINDOWS\c3Jpa2FudGg
2007-11-06 18:38 <DIR> d-------- C:\Temp
2007-11-06 18:15 <DIR> d-------- C:\WUTemp
2007-11-03 14:49 <DIR> d-------- C:\Documents and Settings\nandu\Application Data\Viewpoint
2007-10-10 08:49 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 19:11 --------- d-----w C:\Program Files\QuickTime
2007-10-20 03:37 --------- d-----w C:\Program Files\Free Surfer
2007-10-20 03:34 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-15 22:02 --------- d--h--r C:\Documents and Settings\nandu\Application Data\yahoo!
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2005-12-05 16:49 38,456 ----a-w C:\Documents and Settings\nandu\Application Data\GDIPFONTCACHEV1.DAT
2004-10-15 15:36 36,728 ----a-w C:\Documents and Settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2005-07-29 22:24:26 472 --sha-r C:\WINDOWS\c3Jpa2FudGg\waLDuZIRx30.vbs
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\c3Jpa2FudGg ----

2005-07-29 16:24 472 -rahs---- C:\WINDOWS\c3Jpa2FudGg\waLDuZIRx30.vbs


((((((((((((((((((((((((((((( snapshot@2007-11-08_18.02.38.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-07 17:33:16 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-09 23:40:00 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-07 17:33:16 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-09 23:40:00 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 49,152 2004-12-16 23:49:14 C:\Program Files\ANI\ANIWZCS2 Service\bak\WZCSLDR2.exe

----a-w 700,416 2006-08-07 15:06:38 C:\Program Files\Creative\Sync Manager Unicode\bak\CTSyncU.exe

----a-w 1,228,800 2005-03-18 10:34:00 C:\Program Files\D-Link\AirPlus G\bak\AirGCFG.exe

----a-w 28 2007-10-09 22:19:58 C:\Program Files\Free Surfer\bak\fs.ini
----a-w 867 2007-10-08 16:33:18 C:\Program Files\Free Surfer\fs.ini

----a-w 720,896 2002-09-19 00:25:30 C:\Program Files\Free Surfer\bak\fs20.exe

----a-w 68,856 2007-05-24 03:47:37 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

----a-w 401,496 2002-01-07 21:24:12 C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE

----a-w 77,824 2005-11-11 01:14:49 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 90,112 2003-05-21 06:21:18 C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe

----a-w 618,496 2007-06-06 15:35:44 C:\qoobox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\bak\WAS7Mon.exe.vir

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{502506A7-C196-4407-B63B-4D9FA8A26835}]
2007-08-02 07:43 282624 --a------ C:\Program Files\ComPlus Applications\niry83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBEE2A2A-2380-4DDB-9F39-946BA1452EFC}]
2007-08-02 07:43 282624 --a------ C:\Program Files\ComPlus Applications\niry4444.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-02 14:19]
"nwiz"="nwiz.exe" [2003-05-02 14:19 C:\WINDOWS\system32\nwiz.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2005-11-10 19:14]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" []
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-05-02 14:19]
"NVIEW"="nview.dll" [2003-05-02 14:19 C:\WINDOWS\system32\nview.dll]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-09-11 00:56:02]

R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
R3 crtaud;Conexant Riptide WDM Audio Driver;C:\WINDOWS\system32\drivers\crtaud.sys
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
R3 rpfun;Conexant Riptide Dummy Driver;C:\WINDOWS\system32\drivers\rpfun.sys
R3 rthwcls;Conexant Riptide Bus / Firmware Downloader;C:\WINDOWS\system32\drivers\rthwcls.sys
R3 Winacpci;Winacpci;C:\WINDOWS\system32\DRIVERS\winacpci.sys
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
S3 VNICPKT5;VNICPKT5 Protocol Driver;\??\C:\WINDOWS\System32\VNICPKT5.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 21:00:00 C:\WINDOWS\Tasks\{3CAE9AAD-6521-4A64-A1F2-DD904C96036A}_SRIK-BUILT_nandu.job"
"2007-11-01 21:00:09 C:\WINDOWS\Tasks\{79B68748-0FC3-4B4A-AA68-547468788625}_SRIK-BUILT_nandu.job"
- C:\WINDOWS\system32\mobsync.exe
"2007-11-07 15:00:01 C:\WINDOWS\Tasks\{81C53930-4EE3-40ED-89A3-8E7BF020B9CE}_SRIK-BUILT_nandu.job"
- C:\WINDOWS\system32\mobsync.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 18:38:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-09 18:40:08 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-08 18:04
.
--- E O F ---


KASPERSKY
===============================================
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, November 09, 2007 7:39:45 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/11/2007
Kaspersky Anti-Virus database records: 454886
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 43928
Number of viruses found: 30
Number of infected objects: 127
Number of suspicious objects: 0
Duration of the scan process: 00:39:09

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\01d565accc32c486ddb0f430826a5949_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\01f4660ca1c1068c277441233a58ec95_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\035c9e61eac431128e4035195c9af77d_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0548d9d785f78150000e3446767c60b4_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\05948a65d909136ea0b4b969c7f67e75_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0a843a17232225f5a819386cbcb41533_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0b73c16998e4615bb19576ab584e1c42_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0bed4491a96f7eb9fd5c2f906a81feac_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0d12edb52b336a1c83af0c5476be95a8_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0fdd35525452c15dba547ed7d979d4ca_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\11ecd0d26f851f6ff4603d698aa25338_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\12f2aa58bdd26fc73538fd870c3545d6_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1385f7c3b17ed92584c1988e9be500b4_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\147791ce97f58dcfacd34ce73f8086d6_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\156768ccd0c3e0b72c754122ca49fe2e_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\19a504e1b5a033b019eb9a2e46dd149d_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1c0452efb0222888818aafffa7d29f22_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1db24a00056d680bd69ae26b5b644b13_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1ef8fd76f61c3e924faad707f1e5f060_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\268e70679b89b97625124e27dcf734af_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\29389630fcea4016fd6ce2de3e78d076_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2ba32a0f8e12a14598c722c37ebb4cdd_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2c8db922cb2b28615d1f7cabd205687d_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2d0450382b1e6ed0c83e849f46f08c18_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2e0cc709aaed86375fac12fce4c59960_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2ec764e3d0340ad3cb26c94695e0ce80_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2fff83efe10059828c154a5b01557f96_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\31cd4e3f7e71b193b083a1cac83e5667_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\333703a704d88145b71e43483cf18087_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\33adbb1267eb4cd70a79313fca02d55a_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\33baa723e604e084fefacaa1601d6395_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\36e60e8b7e76a0fa781b1bc1d14377f6_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\38c9fdd209a4e0432af57d01e0fd3d86_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\38fda2148aa9b97bfae3bf8a2c93ea72_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3a3dc718b908d651fc657d36031a9982_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3d5c6b622c93bcb382e5b1f13827b2c2_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3dab8fcf2fa64b054c56e6c8ed6a7782_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3e0284128d96c98d543729f35c070dd3_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\40055242849048d6e8d3ff7c1f6f52f8_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\411380ad50ddc22d0b07e03ee8d1bddd_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4214309a9ad4aff754794a85f89740d5_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\42ceef728566a08489fd2a6684674801_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\45b636d26d79a06c40b8bc186d0e0551_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4778c88bb7a55dfa3400ab4577b44c28_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\47bbd2112b3f24a5cfca0ad23325e1d8_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\48ef8bd92804af97f51ec61e8505d9d3_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4be6c8edcf17157c96ac553c9f5f9c47_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4c71557de364c8bf39a4efcf8fe11adf_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\50ffd6fef492e41a2cd6b046996e3dd6_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\540c3be793ed64414da87efb56d90fff_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\54320f42918128cdce81eb419c9c0b02_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\565ee5451b454d072eaa89dfbba470a0_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\57418847932c2eeb9ea4bfc4f60f5d57_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\57e0877202d6b09a950c553064430892_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5ac2a4046848150cdb0602b74d15b1d2_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5ae1314920d9c85b4755db47bf52dbd4_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5fa5c1f3bee043ac578df9d6def9bcc9_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5fb6345d2fb1d4402c17a960dc07b9c2_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6339d1e02fdd7905add285e215cc0a4e_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6433835287b910fd201169969f19affb_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\645c236c26a80c721dc021be3fdb6cfb_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\666937646cf4e59f3b58e7e2890e1fde_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\672ed8128d73c79afbf12db1738bc528_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6beb41c3c7652bd0f70ba336b6c0a35b_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6cf6b0b1a0f6c2921e5fa83b3df913f9_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6d109d4c71dfe15686ffadf184790fb6_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6e78cfe07d57c41cd127d4b3300d1116_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\72251209aa0ab2134b35471dc2935e47_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\72e1649e7f8958dbdc229440fa46ad13_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\73db4d68556e810957de6313febad9e2_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\73dcd1103b75f128a05017e0a24fa2ee_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\74835892960d251a6606c2444d8d57fd_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\755e1700a6e973da8de12267d7e19696_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7663f58bc63e013b829f4caeb2c5275d_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a044a7aafbdfd0e776ee503847c3c5d_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7bf7106a95e4150b7855fa08815215c3_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7c3ab8c45b7f1c0c4fc7f57b1546827b_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7d5e1617aa98002e4e99ae865b4b6cbb_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7e419d4dbc667df8f168828d577339f2_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7fc2a729dcd33dcc20774b347b6cf652_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8048c0acdd5641ff95f02eb3bc499ae1_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\80a25d6f13039ce1e48778cd386b2cb2_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\80cfa86bdd653f566bd786a4d8c1b992_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8111c7ce45953561259f1c9d4a6c3112_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8a922764e4e2908cfc94c21f7cc7e06b_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9040fe71880e5d66b59d93615ee15a83_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\90597c65e4a99782c5baf242ce65b2ad_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9204835904dcc4e0b0f4538f2a052b5a_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\93f2fe1859e642a61ab2055aa12c6c38_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\94330f3295bd4c474b8f2aca6765cc8b_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9de5c6681b6efed5781e5ae6e179cbeb_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9e497a2b476c605b6904c40f0a954f1d_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a13e9ff6b25466dec5889a63c51893f7_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a1c326f434baf503f0083634da33f889_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a244d7decfce5f5ad86c808dc068bbb8_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a305dd676fa33d61a07e5d2e29675d8f_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a31e12a65eee477e571303b2facd8f24_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a34a646d605f6fde190e3b5a06d240c4_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a6714bffddde3c21eea11e4b8799fd51_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a74a89aabeb568161d750f094369d8e2_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a88609fc945059e36a7f6771f776859d_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ab2f4528aea87e7eb00e44a55e077e93_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ac94587e19ac6c82ce00ae1647e3016b_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b2782fa984b7f60f0feff8698c71a6df_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b2c1586c368f4e6a0b6b8cd46d07fd60_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b556bb9754e16ee01e418acc74120605_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b88199674ee589b63eb7ed9068dc426e_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b8d63fb7b7484dbe22b37c409abc7c3b_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bdeafac5ac406643f032a0aa79652ff4_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bf1789eddf64ec105e39ddcead3e4a94_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c2f02cee7bba8ee68694f2b81fe7126b_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c544727908e3dc20edcae68fa80f2518_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c5630f010299b110d675788027c9c85d_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c5df7b5bed3591295f3a14e08311df21_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c5ff7dbe4da8284dc9e8d3bb13f981bc_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c8473743890c6921487a31a6c769b521_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c98b5358a6c545215ce2bb9dc0ed9343_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\caa00103a6cee511a5f8ecc4f03362ee_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cb755532a0896dd913c3f9c3f8d5eceb_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cc98fe45405bc67dd5ddd4e28d4bcb56_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d00ab47e9fde393f19c0aecd4ef58137_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d2c3672625459eb945f1d7774ad01532_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d3e1ca87363db653b93939cf8f41ff1a_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d6189ebeae6a18d2c8847261e9212a35_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d68c06f095f8c6eac708fb5ba30bea8b_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d8af82e6f06c59e31beec2174fcc85df_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\dad4f90616ef36ca99087223a6dc350f_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\db7c319a8fe5f1c53d8e36472d855301_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e1012c4e04ec37084e7cec4db68d78d3_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e1a67aacaa4c8a9eaebe48ea8003f904_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e41df0cd56be52cdfe372b0f2c515476_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e5a5a239f3177471b4bc142de453d17d_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea4ef848184a7238a795a7b70e896ff6_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f0ee9f50659d2504750a8c21e250b067_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f0f2e348456c97d79c3cb37d0b4c7d21_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f25a89123f1fa9ffe9127ccce1eacadb_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f4c288e20e67e4109fa264df62bee83c_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f4d1976ccadcc26378c7e14c315b059f_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f9181fd90a7752ef2979dd6a0b97022f_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f9660c68c69213a8c18a1a315b6ab311_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fd3c9b965e40ea63f3eb5f8255404953_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\febd5939a5029ddecfedfd0fedfe7ce1_7e052697-f676-42fc-887b-75c5e430eae6 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08640000.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\087C0000.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\087C0001.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08800000.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08840000.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08880000.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08880001.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08880002.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08880003.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\088C0000.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08940000.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08980000.VBN Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08BC0000.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D00000.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D00001.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80000.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08DC0000.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\090C0000.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\098C0000.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\098C0001.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09980000.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\099C0000.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09AC0000.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AA40001.VBN Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB40000.VBN Infected: Trojan-Downloader.Win32.VB.axa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB80000.VBN Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AF80000.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AF80001.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AF80002.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AF80003.VBN Infected: Trojan.Win32.Agent.bxj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B380000.VBN Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B3C0000.VBN Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B500001.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CE00000.VBN/data0006 Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CE00000.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CE00000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CE00001.VBN/data0006 Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CE00001.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CE00001.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\nandu\Application Data\Mozilla\Firefox\Profiles\s8aaaboo.default\cert8.db Object is locked skipped
C:\Documents and Settings\nandu\Application Data\Mozilla\Firefox\Profiles\s8aaaboo.default\history.dat Object is locked skipped
C:\Documents and Settings\nandu\Application Data\Mozilla\Firefox\Profiles\s8aaaboo.default\key3.db Object is locked skipped
C:\Documents and Settings\nandu\Application Data\Mozilla\Firefox\Profiles\s8aaaboo.default\parent.lock Object is locked skipped
C:\Documents and Settings\nandu\Application Data\Mozilla\Firefox\Profiles\s8aaaboo.default\search.sqlite Object is locked skipped
C:\Documents and Settings\nandu\Application Data\Mozilla\Firefox\Profiles\s8aaaboo.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\nandu\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\nandu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\nandu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\nandu\Local Settings\Application Data\Mozilla\Firefox\Profiles\s8aaaboo.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\nandu\Local Settings\Application Data\Mozilla\Firefox\Profiles\s8aaaboo.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\nandu\Local Settings\Application Data\Mozilla\Firefox\Profiles\s8aaaboo.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\nandu\Local Settings\Application Data\Mozilla\Firefox\Profiles\s8aaaboo.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\nandu\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\nandu\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\nandu\ntuser.dat Object is locked skipped
C:\Documents and Settings\nandu\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20071105.016\0000NAV~.TMP Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20071106.025\0000NAV~.TMP Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\ComPlus Applications\niry4444.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\ComPlus Applications\niry83122.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071106-215713-237-source.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\qoobox\Quarantine\C\Documents and Settings\nandu\Application Data\WinTouch\WTUninstaller.exe.vir Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\qoobox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\bak\WAS7Mon.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\qoobox\Quarantine\C\Program Files\Online Services\rydivy.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\Program Files\Online Services\rydivy436.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\Program Files\Online Services\rydivy999.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\Program Files\Online Services\vimoku.html.vir Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir NSIS: infected - 3 skipped
C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\qoobox\Quarantine\C\WINDOWS\b138.exe.vir Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\qoobox\Quarantine\C\WINDOWS\mrofinu572.exe.vir Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\a1\rarndrll2.exe.vir Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\g2\caws83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\g2\caws83122.exe.vir NSIS: infected - 1 skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\jkkifda.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\Mz02r\Mz02r1065.exe.vir Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\nnnnmmj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\r2\wr31drs.exe.vir Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\qoobox\Quarantine\C\WINDOWS\tk58.exe.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir NSIS: infected - 1 skipped
C:\qoobox\Quarantine\catchme2007-11-08_180046.10.zip/core.sys Infected: Rootkit.Win32.Agent.mb skipped
C:\qoobox\Quarantine\catchme2007-11-08_180046.10.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP280\A0118898.lnk Object is locked skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP280\A0118900.lnk Object is locked skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP287\A0125140.exe/fdd_ps_eula.txt Infected: not-a-virus:AdWare.Win32.DashBar.g skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP287\A0125140.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0134711.exe Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0134897.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0134898.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0134900.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0134901.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0134906.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0134918.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0134918.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0134919.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0134920.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0135047.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0135123.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0135123.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0135124.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0135132.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0135141.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0135141.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0135142.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0136131.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0136144.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0136144.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP308\A0136144.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136154.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136156.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136156.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136156.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136156.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136157.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136159.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136161.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136162.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136163.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136165.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136167.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136168.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136169.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136169.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136170.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136176.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136177.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP309\A0136177.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP311\A0136254.exe Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP311\A0136255.exe Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP311\A0136259.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP311\A0136260.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP311\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll Infected: not-a-virus:AdWare.Win32.Gator.1019 skipped
C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll Infected: not-a-virus:AdWare.Win32.Gator.1019 skipped
C:\WINDOWS\Downloaded Program Files\QDow.dll Infected: Trojan-Downloader.Win32.QDown.a skipped
C:\WINDOWS\mrofinu572.exe.tmp Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\LAPTOP BACKUP\outlook_INTEL_2006.pst.pst/My Folders(ACTIVE)/Deleted Items/Girls/priya/24 Ma
vikraman007
Active Member
 
Posts: 12
Joined: November 7th, 2007, 10:53 am

Unread postby vikraman007 » November 8th, 2007, 11:52 pm

Contd...

May 2000 19:15 from bozo1:hello.rtf Infected: Email-Worm.VBS.KakWorm skipped
D:\LAPTOP BACKUP\outlook_INTEL_2006.pst.pst/My Folders(ACTIVE)/Deleted Items/Girls/priya/05 Jun 2000 07:33 from bozo1:hello.rtf Infected: Email-Worm.VBS.KakWorm skipped
D:\LAPTOP BACKUP\outlook_INTEL_2006.pst.pst/My Folders(ACTIVE)/StrongARM/general/17 Nov 1998 18:51 from Someshwar, Ashok:FW: SA2 Customer Overvie/sa2ove~8.ppt Infected: Virus.MSExcel.Paix skipped
D:\LAPTOP BACKUP\outlook_INTEL_2006.pst.pst/My Folders(ACTIVE)/StrongARM/12 Nov 1998 14:35 from Slaton, Jeff:FW: SA2 Customer Overview - /sa2ove~8.ppt Infected: Virus.MSExcel.Paix skipped
D:\LAPTOP BACKUP\outlook_INTEL_2006.pst.pst/My Folders(ACTIVE)/ENS382N/18 Feb 1999 00:16 from seema prasad:/ppp.doc Infected: Virus.MSWord.Groovie skipped
D:\LAPTOP BACKUP\outlook_INTEL_2006.pst.pst Mail MS Mail: infected - 5 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{AAE34C61-4AA5-4937-B3FB-3D21E9329396}\RP311\change.log Object is locked skipped

Scan process completed.

=============================================
HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:16 PM, on 11/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {502506A7-C196-4407-B63B-4D9FA8A26835} - C:\Program Files\ComPlus Applications\niry83122.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FBEE2A2A-2380-4DDB-9F39-946BA1452EFC} - C:\Program Files\ComPlus Applications\niry4444.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.11/uploader2.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6495 bytes
vikraman007
Active Member
 
Posts: 12
Joined: November 7th, 2007, 10:53 am

Unread postby Simon V. » November 9th, 2007, 2:48 am

Hi :)

Step 1

Please go to this page and select your Norton product. Follow the instructions to delete your quarantine files.

Step 2

Click here to download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to Press any key to continue.
  • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
Step 3

We'll need to run a new CFScript. Please delete the one you have now, and do the following:

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

Code: Select all
File::

C:\Program Files\ComPlus Applications\niry4444.dll
C:\Program Files\ComPlus Applications\niry83122.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll
C:\WINDOWS\Downloaded Program Files\QDow.dll
C:\WINDOWS\mrofinu572.exe.tmp

Folder::

C:\WINDOWS\c3Jpa2FudGg

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{502506A7-C196-4407-B63B-4D9FA8A26835}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBEE2A2A-2380-4DDB-9F39-946BA1452EFC}]


Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save.

Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 4

In your next reply, please post:
  • the FindAWF log
  • the Combofix log (C:\Combofix.txt)
  • a new HijackThis log
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Unread postby vikraman007 » November 9th, 2007, 9:33 am

All 3 logs requested are below.

One Q: My clock got advanced to Nov 10, Sat. It is only Nov 9, Fri - today. Was it something that these fixes did or is there another malware?

thanks for all the help!


==============================================
FINDAWF
==============================================
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sat 11/10/2007
The current time is: 7:15:44.84


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\FREESU~1\BAK

10/09/2007 04:19 PM 28 fs.ini
09/18/2002 06:25 PM 720,896 fs20.exe
2 File(s) 720,924 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MICROS~2\BAK

01/07/2002 03:24 PM 401,496 WCESCOMM.EXE
1 File(s) 401,496 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/10/2005 07:14 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 01:56 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ANI\ANIWZC~1\BAK

12/16/2004 05:49 PM 49,152 WZCSLDR2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\CREATIVE\SYNCMA~1\BAK

08/07/2006 09:06 AM 700,416 CTSyncU.exe
1 File(s) 700,416 bytes

Directory of C:\PROGRA~1\D-LINK\AIRPLU~1\BAK

03/18/2005 04:34 AM 1,228,800 AirGCFG.exe
1 File(s) 1,228,800 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

05/23/2007 09:47 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\SKYPE\PHONE\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYMANT~1\SYMANT~1\BAK

05/21/2003 12:21 AM 90,112 vptray.exe
1 File(s) 90,112 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\COMMON~1\WINANT~1\BAK

06/06/2007 09:35 AM 618,496 WAS7Mon.exe.vir
1 File(s) 618,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

867 Oct 8 2007 "C:\Program Files\Free Surfer\fs.ini"
28 Oct 9 2007 "C:\Program Files\Free Surfer\bak\fs.ini"
720896 Sep 18 2002 "C:\Program Files\Free Surfer\bak\fs20.exe"
401496 Jan 7 2002 "C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE"
77824 Nov 10 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
49152 Dec 16 2004 "C:\Program Files\ANI\ANIWZCS2 Service\bak\WZCSLDR2.exe"
700416 Aug 7 2006 "C:\Program Files\Creative\Sync Manager Unicode\bak\CTSyncU.exe"
1228800 Mar 18 2005 "C:\Program Files\D-Link\AirPlus G\bak\AirGCFG.exe"
52272 Feb 16 2007 "C:\Program Files\Google\googletoolbar3user.exe"
3739648 Jan 1 2007 "C:\Program Files\Google\Google Talk\googletalk.exe"
559784 Jan 27 2007 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Feb 16 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
1581768 Oct 29 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.100\googletalk-setup-upgrade.exe"
1606064 Feb 4 2007 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.104\googletalk-setup-upgrade.exe"
862136 Dec 4 2005 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.78\googletalk-setup-upgrade.exe"
893408 Jan 21 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.82\googletalk-setup-upgrade.exe"
892080 Feb 5 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.84\googletalk-setup-upgrade.exe"
896720 Apr 5 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.86\googletalk-setup-upgrade.exe"
68856 May 23 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
559784 Mar 15 2006 "C:\Documents and Settings\nandu\Application Data\Real\GOOGLE_TOOLBAR\googletoolbarinstaller.exe"
90112 May 21 2003 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe"
618496 Jun 6 2007 "C:\qoobox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\bak\WAS7Mon.exe.vir"


end of report



==============================================
COMBOFIX
==============================================
ComboFix 07-11-08.1 - nandu 2007-11-10 7:22:47.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.177 [GMT -6:00]
Running from: C:\Documents and Settings\nandu\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\nandu\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\ComPlus Applications\niry4444.dll
C:\Program Files\ComPlus Applications\niry83122.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll
C:\WINDOWS\Downloaded Program Files\QDow.dll
C:\WINDOWS\mrofinu572.exe.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\c3Jpa2FudGg
C:\WINDOWS\c3Jpa2FudGg\waLDuZIRx30.vbs
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll
C:\WINDOWS\Downloaded Program Files\QDow.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.

2007-11-09 18:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-09 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-07 17:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 20:42 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 19:59 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-06 18:55 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-06 18:55 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-06 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-06 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-06 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-06 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-06 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-06 18:55 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-06 18:45 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-11-06 18:43 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-06 18:38 <DIR> d-------- C:\Temp
2007-11-06 18:15 <DIR> d-------- C:\WUTemp
2007-11-03 14:49 <DIR> d-------- C:\Documents and Settings\nandu\Application Data\Viewpoint
2007-10-10 08:49 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 19:11 --------- d-----w C:\Program Files\QuickTime
2007-10-20 03:37 --------- d-----w C:\Program Files\Free Surfer
2007-10-20 03:34 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-15 22:02 --------- d--h--r C:\Documents and Settings\nandu\Application Data\yahoo!
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2005-12-05 16:49 38,456 ----a-w C:\Documents and Settings\nandu\Application Data\GDIPFONTCACHEV1.DAT
2004-10-15 15:36 36,728 ----a-w C:\Documents and Settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2007-11-08_18.02.38.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-11-07 17:33:16 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-10 13:12:56 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-07 17:33:16 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-10 13:12:56 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 49,152 2004-12-16 23:49:14 C:\Program Files\ANI\ANIWZCS2 Service\bak\WZCSLDR2.exe

----a-w 700,416 2006-08-07 15:06:38 C:\Program Files\Creative\Sync Manager Unicode\bak\CTSyncU.exe

----a-w 1,228,800 2005-03-18 10:34:00 C:\Program Files\D-Link\AirPlus G\bak\AirGCFG.exe

----a-w 28 2007-10-09 22:19:58 C:\Program Files\Free Surfer\bak\fs.ini
----a-w 867 2007-10-08 16:33:18 C:\Program Files\Free Surfer\fs.ini

----a-w 720,896 2002-09-19 00:25:30 C:\Program Files\Free Surfer\bak\fs20.exe

----a-w 68,856 2007-05-24 03:47:37 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

----a-w 401,496 2002-01-07 21:24:12 C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE

----a-w 77,824 2005-11-11 01:14:49 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 90,112 2003-05-21 06:21:18 C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe

----a-w 618,496 2007-06-06 15:35:44 C:\qoobox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\bak\WAS7Mon.exe.vir

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-02 14:19]
"nwiz"="nwiz.exe" [2003-05-02 14:19 C:\WINDOWS\system32\nwiz.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2005-11-10 19:14]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" []
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-05-02 14:19]
"NVIEW"="nview.dll" [2003-05-02 14:19 C:\WINDOWS\system32\nview.dll]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-09-11 00:56:02]

R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
R3 crtaud;Conexant Riptide WDM Audio Driver;C:\WINDOWS\system32\drivers\crtaud.sys
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
R3 rpfun;Conexant Riptide Dummy Driver;C:\WINDOWS\system32\drivers\rpfun.sys
R3 rthwcls;Conexant Riptide Bus / Firmware Downloader;C:\WINDOWS\system32\drivers\rthwcls.sys
R3 Winacpci;Winacpci;C:\WINDOWS\system32\DRIVERS\winacpci.sys
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
S3 VNICPKT5;VNICPKT5 Protocol Driver;\??\C:\WINDOWS\System32\VNICPKT5.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 21:00:00 C:\WINDOWS\Tasks\{3CAE9AAD-6521-4A64-A1F2-DD904C96036A}_SRIK-BUILT_nandu.job"
"2007-11-01 21:00:09 C:\WINDOWS\Tasks\{79B68748-0FC3-4B4A-AA68-547468788625}_SRIK-BUILT_nandu.job"
- C:\WINDOWS\system32\mobsync.exe
"2007-11-07 15:00:01 C:\WINDOWS\Tasks\{81C53930-4EE3-40ED-89A3-8E7BF020B9CE}_SRIK-BUILT_nandu.job"
- C:\WINDOWS\system32\mobsync.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 07:25:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-10 7:27:36 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-09 18:40
C:\ComboFix3.txt ... 2007-11-08 18:04
.
--- E O F ---


==============================================
HJT
==============================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:02 AM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.11/uploader2.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6382 bytes
===============================================
vikraman007
Active Member
 
Posts: 12
Joined: November 7th, 2007, 10:53 am

Unread postby vikraman007 » November 9th, 2007, 10:35 am

My SYMANTEC anti-virus is still finding viruses : in

C:\SYSTEM_VOLUME_INFORMATION\_restor*
vikraman007
Active Member
 
Posts: 12
Joined: November 7th, 2007, 10:53 am

Unread postby Simon V. » November 9th, 2007, 11:56 am

Hi :)

My clock got advanced to Nov 10, Sat. It is only Nov 9, Fri - today. Was it something that these fixes did or is there another malware?


This can be caused by Combofix, it's nothing to worry about.

My SYMANTEC anti-virus is still finding viruses : in

C:\SYSTEM_VOLUME_INFORMATION\_restor*


Those are infected System Restore points. We will clean them once you are fully clean.

Step 1

Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

"C:\Program Files\Free Surfer\bak\fs.ini"
"C:\Program Files\Free Surfer\bak\fs20.exe"
"C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\ANI\ANIWZCS2 Service\bak\WZCSLDR2.exe"
"C:\Program Files\Creative\Sync Manager Unicode\bak\CTSyncU.exe"
"C:\Program Files\D-Link\AirPlus G\bak\AirGCFG.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to press any key to continue.
  • Press 2 then Enter.
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.

Step 2

Open HijackThis, perform a scan and put a check next to the following items (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab


Close all programs except HijackThis and click on Fix checked.

Step 3

Your Java software is out of date. Follow these instructions to update it:
  • Go to Start and click on Control Panel, then double-click on Add or Remove Programs.
  • Search for previously installed versions of Java (J2SE Runtime Environment), and remove it. It should have this icon next to it: Image
  • Then download and install Java Runtime Environment (JRE) 6 Update 3.
Step 4

In your next reply, please post:
  • the FindAWF report
  • a new HijackThis log
  • How is your computer running now?
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Unread postby vikraman007 » November 9th, 2007, 7:39 pm

AWF
================================================

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sat 11/10/2007
The current time is: 17:17:31.53


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\FREESU~1\BAK

10/09/2007 04:19 PM 28 fs.ini
09/18/2002 06:25 PM 720,896 fs20.exe
2 File(s) 720,924 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MICROS~2\BAK

01/07/2002 03:24 PM 401,496 WCESCOMM.EXE
1 File(s) 401,496 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/10/2005 07:14 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 01:56 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ANI\ANIWZC~1\BAK

12/16/2004 05:49 PM 49,152 WZCSLDR2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\CREATIVE\SYNCMA~1\BAK

08/07/2006 09:06 AM 700,416 CTSyncU.exe
1 File(s) 700,416 bytes

Directory of C:\PROGRA~1\D-LINK\AIRPLU~1\BAK

03/18/2005 04:34 AM 1,228,800 AirGCFG.exe
1 File(s) 1,228,800 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

05/23/2007 09:47 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\SKYPE\PHONE\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYMANT~1\SYMANT~1\BAK

05/21/2003 12:21 AM 90,112 vptray.exe
1 File(s) 90,112 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\COMMON~1\WINANT~1\BAK

06/06/2007 09:35 AM 618,496 WAS7Mon.exe.vir
1 File(s) 618,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

28 Oct 9 2007 "C:\Program Files\Free Surfer\fs.ini"
28 Oct 9 2007 "C:\Program Files\Free Surfer\bak\fs.ini"
720896 Sep 18 2002 "C:\Program Files\Free Surfer\fs20.exe"
720896 Sep 18 2002 "C:\Program Files\Free Surfer\bak\fs20.exe"
401496 Jan 7 2002 "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
401496 Jan 7 2002 "C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE"
77824 Nov 10 2005 "C:\Program Files\QuickTime\qttask.exe"
77824 Nov 10 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
49152 Dec 16 2004 "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
49152 Dec 16 2004 "C:\Program Files\ANI\ANIWZCS2 Service\bak\WZCSLDR2.exe"
700416 Aug 7 2006 "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
700416 Aug 7 2006 "C:\Program Files\Creative\Sync Manager Unicode\bak\CTSyncU.exe"
1228800 Mar 18 2005 "C:\Program Files\D-Link\AirPlus G\AirGCFG.exe"
1228800 Mar 18 2005 "C:\Program Files\D-Link\AirPlus G\bak\AirGCFG.exe"
52272 Feb 16 2007 "C:\Program Files\Google\googletoolbar3user.exe"
3739648 Jan 1 2007 "C:\Program Files\Google\Google Talk\googletalk.exe"
68856 May 23 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
559784 Jan 27 2007 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Feb 16 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
1581768 Oct 29 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.100\googletalk-setup-upgrade.exe"
1606064 Feb 4 2007 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.104\googletalk-setup-upgrade.exe"
862136 Dec 4 2005 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.78\googletalk-setup-upgrade.exe"
893408 Jan 21 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.82\googletalk-setup-upgrade.exe"
892080 Feb 5 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.84\googletalk-setup-upgrade.exe"
896720 Apr 5 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.86\googletalk-setup-upgrade.exe"
68856 May 23 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
559784 Mar 15 2006 "C:\Documents and Settings\nandu\Application Data\Real\GOOGLE_TOOLBAR\googletoolbarinstaller.exe"
90112 May 21 2003 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe"
90112 May 21 2003 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe"
618496 Jun 6 2007 "C:\qoobox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\bak\WAS7Mon.exe.vir"


end of report

===============================================
HJT
===============================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:20:50 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.11/uploader2.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5752 bytes
===============================================

Comp Status :

No pop-ups.
I switched to Firefox , so not sure if IE still has the security toolbar infection - i am betting it doesn't but don't care to find out :)
The Symantec AV icon no longer appears in the task tray in the right bottom.
The clock is off by a day.


Thanks a lot. A couple of Qs:

I know you warned me in the beginning that there could still be something left around that lowers the security of my system. If that indeed is the case, what symptoms should i watch out for?

I should probably download a firewall program since I read that the windows firewall is no good?
vikraman007
Active Member
 
Posts: 12
Joined: November 7th, 2007, 10:53 am

Unread postby Simon V. » November 10th, 2007, 9:30 am

Hi :)

Copy the paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\Program Files\Free Surfer\bak
C:\Program Files\Free Surfer\bak
C:\Program Files\Microsoft ActiveSync\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
C:\Program Files\ANI\ANIWZCS2 Service\bak
C:\Program Files\Creative\Sync Manager Unicode\bak
C:\Program Files\D-Link\AirPlus G\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to press any key to continue.
  • Select Option 3 from the menu and press Enter.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right-click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
Before you close FindAWF, Select Option 4 from the menu and press Enter.
When it's finished the tool will return to the main menu.
Press E to close FindAWF.

The Symantec AV icon no longer appears in the task tray in the right bottom.


That can be caused by the AWF infection. If the problem persists, please let me know and I'll search for a solution.

The clock is off by a day.


This can be solved by double-clicking the clock in the lower right, then select the correct date and hit Enter.

I know you warned me in the beginning that there could still be something left around that lowers the security of my system. If that indeed is the case, what symptoms should i watch out for?


Anything that's not the way it's supposed to be. Even a slow computer can be a sign for the infection returning. If you suspect the infection has come back, it's good to post a HijackThis log to be sure.

I should probably download a firewall program since I read that the windows firewall is no good?


The Windows firewall only monitors incoming connections. That's why a third party firewall is a must; I'll give you some recommendations.

Here are a few (free) firewalls, please download and install one of them:

Please post back to me with the FindAWF report, and tell me how everything is working. If everything is OK, I'll give you some prevention tips to stay clean in the future.
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 383 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware