Can NOT receive WAN requests--LAN is OK

Post by a1sound » May 28th, 2011, 3:31 am

I have a server I use for my friends to communicate with me and their friends. The server has a mailer, an FTP server, and three lists. There are other functions it has but are not in use now. About four days ago, the FTP site was unreachable as was the mailer. I rebooted every box right up to the modem which refused my login. ATT got that back on line. There are 5 fixed IPs coming in, and I even have a reverse DNS working for the server at <air.zz.com> to make my list mail acceptable. I can reach the Internet from the server, but the Internet can't reach anything on the server.

I replaced the mailer with a whole number upgrade (hMail). I removed the Comodo Suite which probably wasn't updating properly. I loaded Outpost Firewall Free--I have a license, but it won't accept it--I probably didn't load the paid exe, but I'll deal with that later. The Outpost is updated and working. I added AVG and switched off the overlap from Outpost scans.

The server is using a fixed NAT IP with the fixed IP router "air" forwarding requests. This works with other computers in the same subnet with no difficulty. When I switch to another WAN IP with my laptop, nothing gets through the router.

I dropped the DHCP on the server and replaced its address with the fixed IP <air.zz.com>, and then by plugging it in to the modem, I bypassed the disconnected router and switch with no joy. I did notice that Outpost built a rule for the new (first time use of FTP for this install of the firewall), and then the client computer (my droid) reported the connection broken by the server.

When I ran the script to generate a DDS log, I noticed there WAS a reason for the problem--a rootkit.

This is a non-commercial computer that has been running for years with no problems--until now. Here are the scans:

DDS.TXT:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by buzz at 14:46:01 on 2011-05-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1309 [GMT -7:00]
.
AV: Outpost Security Suite *Enabled/Updated* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\D-Link\D-Link USB VoIP Adapter\DLinkMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\GEEK SQUAD UPS\pppeuser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\RhinoSoft.com\Serv-U\Serv-U-Tray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DU Super Controler\DUSuperControler.exe
C:\Program Files\DU Meter\DUMeter.exe
svchost.exe
D:\Lists\Animal-List\SVList-Animal-List.exe
D:\Lists\UNJO\SVList-UNJO.exe
D:\Lists\WhiteGold-List\SVList-WhiteGold-List.exe
C:\Program Files\DU Super Controler\DUSuperControler.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
svchost.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\hMailServer\Bin\hMailServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\GEEK SQUAD UPS\ppped.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\RhinoSoft.com\Serv-U\Serv-U.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\D-Link\D-Link USB VoIP Adapter\VServ.exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\Program Files\D-Link\D-Link USB VoIP Adapter\DPH-50U Utility.exe
C:\Program Files\hMailServer\Bin\hMailAdmin.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\ftp\usr\buzz\110527\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [PowerPanel Personal Edition User Interaction] "c:\program files\geek squad ups\pppeuser.exe"
uRun: [TransparentIcons]
uRun: [BlockAds]
uRun: [Tweak-XP]
uRun: [TransTask]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [ServUTrayIcon] c:\program files\rhinosoft.com\serv-u\Serv-U-Tray.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Dimension4] c:\program files\d4\D4.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [DLinkMonitor.exe] c:\program files\d-link\d-link usb voip adapter\DLinkMonitor.exe
mRun: [OutpostMonitor] "c:\progra~1\agnitum\outpos~1\op_mon.exe" /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost security suite free\feedback.exe" /dump:os_startup
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\buzz\startm~1\programs\startup\d4exe~1.lnk - c:\program files\d4\D4.exe
StartupFolder: c:\docume~1\buzz\startm~1\programs\startup\dumeter.lnk - c:\program files\du meter\DUMeter.exe
StartupFolder: c:\docume~1\buzz\startm~1\programs\startup\svlist~2.lnk - d:\lists\animal-list\SVList-Animal-List.exe
StartupFolder: c:\docume~1\buzz\startm~1\programs\startup\svlist~3.lnk - d:\lists\unjo\SVList-UNJO.exe
StartupFolder: c:\docume~1\buzz\startm~1\programs\startup\svlist~1.lnk - d:\lists\whitegold-list\SVList-WhiteGold-List.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoexec.lnk - c:\autoexec.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dusupe~1.lnk - c:\program files\du super controler\DUSuperControler.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\buzz\application data\mozilla\firefox\profiles\bpgjtaxx.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 TLRecAgent;TLRecAgent;c:\windows\system32\drivers\TLRecAgent.sys [2007-1-2 37208]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-5-27 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-5-27 29584]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2011-5-27 710824]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2011-5-27 2072592]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2011-5-27 308136]
R2 hMailServer;hMailServer;c:\program files\hmailserver\bin\hmailserver.exe runasservice --> c:\program files\hmailserver\bin\hMailServer.exe RunAsService [?]
R2 Serv-U;Serv-U File Server;c:\program files\rhinosoft.com\serv-u\Serv-U.exe [2009-7-26 201216]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-3-18 172328]
R2 VService;VService;c:\program files\d-link\d-link usb voip adapter\VServ.exe [2007-1-2 105208]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2011-5-27 34280]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2011-5-27 267624]
R3 ASWFilt;ASWFilt;c:\windows\system32\filt\ASWFilt.dll [2011-5-27 72352]
R3 HomeQOS;HomeQOS Miniport;c:\windows\system32\drivers\homeqos.sys [2004-1-20 36096]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-5-28 108032]
R3 slusbvip;SL3800 USB Driver;c:\windows\system32\drivers\slusbvip.sys [2007-1-2 591832]
R3 SLVAD_simple;D-Link Virtual Audio Device;c:\windows\system32\drivers\slvad.sys [2007-1-2 85656]
R3 VBEngNT;VBEngNT;c:\windows\system32\drivers\VBEngNT.sys [2011-5-27 242040]
R3 VBFilt;VBFilt;c:\windows\system32\filt\VBFilt.dll [2011-5-27 36288]
.
=============== File Associations ===============
.
txtfile=c:\pfiles\editpad\EditPad.exe "%1"
.
=============== Created Last 30 ================
.
2011-05-27 10:36:47 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2011-05-27 10:35:16 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-05-27 10:35:00 -------- d-----w- c:\documents and settings\all users\application data\avg9
2011-05-27 10:04:25 710824 ----a-w- c:\windows\system32\drivers\SandBox.sys
2011-05-27 10:04:25 242040 ----a-w- c:\windows\system32\drivers\VBEngNT.sys
2011-05-27 10:03:35 267624 ----a-w- c:\windows\system32\drivers\afwcore.sys
2011-05-27 10:03:17 34280 ----a-w- c:\windows\system32\drivers\afw.sys
2011-05-27 10:03:13 -------- d-----w- c:\documents and settings\buzz\application data\Agnitum
2011-05-27 09:50:43 -------- d-----w- c:\documents and settings\buzz\application data\GlarySoft
2011-05-27 09:50:42 -------- d-----w- c:\program files\Absolute Uninstaller
2011-05-27 07:12:51 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-27 07:12:51 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-27 05:41:16 -------- d-----w- c:\program files\Trend Micro
2011-05-24 03:18:42 -------- d-----w- c:\documents and settings\all users\application data\Common Files
2011-05-24 03:17:33 -------- d-----w- c:\windows\system32\drivers\AVG
2011-05-24 03:17:33 -------- d-----w- c:\documents and settings\all users\application data\AVG10
2011-05-24 03:17:10 -------- d-----w- c:\program files\AVG
2011-05-24 03:03:30 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-05-24 02:43:11 -------- d-----w- c:\windows\system32\Filt
2011-05-24 02:43:11 -------- d-----w- c:\program files\Agnitum
2011-05-24 02:42:45 -------- d-----w- c:\documents and settings\all users\application data\Agnitum
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP2504C rev.VT100-33 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A708AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000071[0x8A7249E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP2T0L0-7[0x8A6A4940]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
.
============= FINISH: 14:46:44.15 ===============

Attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2009.07.24 02:17:05
System Uptime: 2011.05.27 14:00:46 (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | M2R32-MVP
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2204/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 69.076 GiB free.
D: is FIXED (NTFS) - 233 GiB total, 25.47 GiB free.
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is CDROM ()
K: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&258F370F&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&258F370F&0
Service: i8042prt
.
Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&258F370F&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&258F370F&0
Service: i8042prt
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\D465DF11D800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\D465DF11D800
Service: NIC1394
.
==== System Restore Points ===================
.
RP620: 2011.02.27 01:01:46 - System Checkpoint
RP621: 2011.02.28 01:05:37 - System Checkpoint
RP622: 2011.03.01 17:22:13 - System Checkpoint
RP623: 2011.03.02 17:29:55 - System Checkpoint
RP624: 2011.03.03 17:33:02 - System Checkpoint
RP625: 2011.03.04 19:22:04 - System Checkpoint
RP626: 2011.03.05 20:17:57 - System Checkpoint
RP627: 2011.03.06 21:04:39 - System Checkpoint
RP628: 2011.03.07 21:05:29 - System Checkpoint
RP629: 2011.03.08 22:05:21 - System Checkpoint
RP630: 2011.03.09 23:05:09 - System Checkpoint
RP631: 2011.03.10 03:00:13 - Software Distribution Service 3.0
RP632: 2011.03.11 03:15:56 - System Checkpoint
RP633: 2011.03.12 03:16:44 - System Checkpoint
RP634: 2011.03.13 05:05:40 - System Checkpoint
RP635: 2011.03.14 06:04:51 - System Checkpoint
RP636: 2011.03.15 06:05:34 - System Checkpoint
RP637: 2011.03.16 03:00:13 - Software Distribution Service 3.0
RP638: 2011.03.17 03:17:11 - System Checkpoint
RP639: 2011.03.18 04:05:14 - System Checkpoint
RP640: 2011.03.19 05:05:01 - System Checkpoint
RP641: 2011.03.20 06:05:54 - System Checkpoint
RP642: 2011.03.21 06:19:04 - System Checkpoint
RP643: 2011.03.22 13:16:28 - System Checkpoint
RP644: 2011.03.24 01:43:25 - System Checkpoint
RP645: 2011.03.25 01:47:08 - System Checkpoint
RP646: 2011.03.25 03:00:13 - Software Distribution Service 3.0
RP647: 2011.03.26 03:21:24 - System Checkpoint
RP648: 2011.03.27 03:26:36 - System Checkpoint
RP649: 2011.03.28 04:05:12 - System Checkpoint
RP650: 2011.03.29 05:05:02 - System Checkpoint
RP651: 2011.03.30 06:04:51 - System Checkpoint
RP652: 2011.03.31 07:04:36 - System Checkpoint
RP653: 2011.04.01 08:33:18 - System Checkpoint
RP654: 2011.04.02 10:14:19 - System Checkpoint
RP655: 2011.04.03 11:16:10 - System Checkpoint
RP656: 2011.04.04 12:32:05 - System Checkpoint
RP657: 2011.04.05 12:54:37 - System Checkpoint
RP658: 2011.04.06 13:05:11 - System Checkpoint
RP659: 2011.04.07 14:04:58 - System Checkpoint
RP660: 2011.04.08 15:04:49 - System Checkpoint
RP661: 2011.04.09 16:04:36 - System Checkpoint
RP662: 2011.04.10 16:05:23 - System Checkpoint
RP663: 2011.04.11 17:05:10 - System Checkpoint
RP664: 2011.04.12 18:04:59 - System Checkpoint
RP665: 2011.04.13 19:04:47 - System Checkpoint
RP666: 2011.04.14 19:05:41 - System Checkpoint
RP667: 2011.04.15 20:05:26 - System Checkpoint
RP668: 2011.04.16 03:00:13 - Software Distribution Service 3.0
RP669: 2011.04.17 03:16:04 - System Checkpoint
RP670: 2011.04.18 03:16:51 - System Checkpoint
RP671: 2011.04.19 04:05:28 - System Checkpoint
RP672: 2011.04.20 05:05:16 - System Checkpoint
RP673: 2011.04.21 06:05:01 - System Checkpoint
RP674: 2011.04.22 07:04:47 - System Checkpoint
RP675: 2011.04.23 07:05:41 - System Checkpoint
RP676: 2011.04.24 08:05:32 - System Checkpoint
RP677: 2011.04.25 09:05:22 - System Checkpoint
RP678: 2011.04.26 10:05:07 - System Checkpoint
RP679: 2011.04.27 03:00:13 - Software Distribution Service 3.0
RP680: 2011.04.28 03:16:14 - System Checkpoint
RP681: 2011.04.29 04:04:49 - System Checkpoint
RP682: 2011.04.30 05:04:37 - System Checkpoint
RP683: 2011.05.01 05:05:27 - System Checkpoint
RP684: 2011.05.02 06:05:18 - System Checkpoint
RP685: 2011.05.03 07:05:08 - System Checkpoint
RP686: 2011.05.04 08:04:55 - System Checkpoint
RP687: 2011.05.05 09:04:48 - System Checkpoint
RP688: 2011.05.06 09:32:05 - System Checkpoint
RP689: 2011.05.07 10:05:26 - System Checkpoint
RP690: 2011.05.08 11:05:18 - System Checkpoint
RP691: 2011.05.09 12:05:08 - System Checkpoint
RP692: 2011.05.10 13:04:55 - System Checkpoint
RP693: 2011.05.11 14:04:52 - System Checkpoint
RP694: 2011.05.12 03:02:24 - Software Distribution Service 3.0
RP695: 2011.05.13 03:16:49 - System Checkpoint
RP696: 2011.05.14 04:05:23 - System Checkpoint
RP697: 2011.05.15 05:05:14 - System Checkpoint
RP698: 2011.05.16 06:05:05 - System Checkpoint
RP699: 2011.05.17 06:17:26 - System Checkpoint
RP700: 2011.05.18 07:04:42 - System Checkpoint
RP701: 2011.05.19 07:05:28 - System Checkpoint
RP702: 2011.05.20 08:05:19 - System Checkpoint
RP703: 2011.05.21 09:05:08 - System Checkpoint
RP704: 2011.05.22 10:04:58 - System Checkpoint
RP705: 2011.05.23 11:04:46 - System Checkpoint
RP706: 2011.05.23 19:43:15 - Agnitum Outpost Security Suite Free Restore Point: install
RP707: 2011.05.23 20:16:37 - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP708: 2011.05.23 20:17:10 - Installed AVG 2011
RP709: 2011.05.23 20:17:27 - Installed AVG 2011
RP710: 2011.05.24 20:42:11 - System Checkpoint
RP711: 2011.05.25 04:25:42 - Unsigned driver install
RP712: 2011.05.26 05:05:01 - System Checkpoint
RP713: 2011.05.26 21:44:24 - won't allow input from NET
RP714: 2011.05.26 22:41:16 - Installed HiJackThis
RP715: 2011.05.27 00:08:39 - Restore Operation
RP716: 2011.05.27 00:27:21 - Restore Operation
RP717: 2011.05.27 00:43:17 - Restore Operation
RP718: 2011.05.27 03:00:14 - Software Distribution Service 3.0
RP719: 2011.05.27 03:03:16 - Agnitum Outpost Security Suite Free Restore Point: install
RP720: 2011.05.27 03:35:00 - Installed AVG Free 9.0
RP721: 2011.05.27 03:35:54 - Avg8 Update
RP722: 2011.05.27 03:36:53 - Avg Update
RP723: 2011.05.27 08:05:29 - Avg Update
RP724: 2011.05.27 08:05:59 - Avg Update
.
==== Installed Programs ======================
.
Absolute Uninstaller 2.8.0.636
Adobe Flash Player 10 Plugin
Athlon 64 Processor Driver
AVG Free 9.0
D-Link USB VoIP Adapter
Dimension 4 v4.3
Dimension 4 v5.0
Diskeeper Professional Edition
DU Meter
DU Super Controler (remove only)
GEEK SQUAD POWER MANAGEMENT
hMailServer 5.3.3-B1879
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Java(TM) 6 Update 14
Marvell Miniport Driver
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft SQL Server Compact 3.5 ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.6)
Mozilla Thunderbird (2.0.0.23)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
MySQL Server 5.0
NVIDIA Drivers
Outpost Security Suite 7.1
Sandboxie 3.38
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Serv-U 8.0
Skype Toolbars
Skype™ 5.1
SVList-WCE
SVList32
TeamViewer 5 Host
Tweak-XP Pro
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VirusTotal Uploader
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Internet Explorer 8
Windows XP Service Pack 3
WinPatrol 2008
.
==== Event Viewer Messages From Past Week ========
.
2011.05.26 20:23:35, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0018F346E34C. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
2011.05.25 00:14:59, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Type with the following error: Access is denied.
2011.05.20 03:01:56, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
.
==== End Of File ===========================

Thanks for your time,
Buzz.
Last edited by Carolyn on May 30th, 2011, 8:53 am, edited 1 time in total.
Reason: Removed User's email to prevent SPAM
a1sound
Regular Member
 
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA
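The line `user != kernel MBR !!!` in the GMER section of the DDS log above means sector 0 read through the ordinary user-mode path does not match the same sector read at kernel level, which is the detector's signal that something in the disk I/O path is answering the two reads differently. The following Python is an added example, not code from the forum post, DDS or GMER: it models the 512-byte MBR layout, reports which byte ranges (and which region: bootstrap code, disk signature, partition table, boot signature) differ between two views, and exercises that on two constructed sectors, a clean one whose first instructions follow the standard XP bootstrap shown in the log's disassembly and a second view with an altered bootstrap; the partition geometry and disk signature are made-up values.

```python
"""Compare two views of the same Master Boot Record (MBR), the comparison
behind GMER's "user != kernel MBR" verdict. Added example; the sample sectors
are constructed here and are not the disk from the forum post."""
from __future__ import annotations

import struct

SECTOR_SIZE = 512
DISK_SIG_OFF = 0x1B8    # 4-byte Windows disk signature + 2 reserved bytes
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE    # 0x55 0xAA boot signature


def region_of(offset: int) -> str:
    """Name the MBR region an offset falls in."""
    if offset < DISK_SIG_OFF:
        return "bootstrap code"
    if offset < PART_TABLE_OFF:
        return "disk signature"
    if offset < BOOT_SIG_OFF:
        return "partition table"
    return "boot signature"


def has_boot_signature(mbr: bytes) -> bool:
    """A sector without the trailing 55 AA is not a usable MBR at all."""
    return len(mbr) == SECTOR_SIZE and mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa"


def diff_mbr_views(user_view: bytes, kernel_view: bytes) -> list[tuple[int, int, str]]:
    """Return [start, end) byte ranges where the two views differ, split so that
    no range crosses a region boundary."""
    if len(user_view) != SECTOR_SIZE or len(kernel_view) != SECTOR_SIZE:
        raise ValueError("each view must be exactly one 512-byte sector")
    ranges: list[tuple[int, int, str]] = []
    start = None
    for i in range(SECTOR_SIZE):
        differs = user_view[i] != kernel_view[i]
        # close the open run when the bytes agree again or we enter another region
        if start is not None and (not differs or region_of(i) != region_of(start)):
            ranges.append((start, i, region_of(start)))
            start = None
        if differs and start is None:
            start = i
    if start is not None:
        ranges.append((start, SECTOR_SIZE, region_of(start)))
    return ranges


def verdict(user_view: bytes, kernel_view: bytes) -> str:
    """Mirror the detector's wording: the views agree, or say where they do not."""
    if not has_boot_signature(kernel_view):
        return "kernel view lacks 55AA boot signature"
    ranges = diff_mbr_views(user_view, kernel_view)
    if not ranges:
        return "user == kernel MBR"
    where = ", ".join(f"0x{s:03X}-0x{e - 1:03X} ({r})" for s, e, r in ranges)
    return f"user != kernel MBR: {where}"


def build_sample_mbr() -> bytes:
    """Constructed clean sector: the first instructions of the standard XP MBR
    (XOR AX,AX; MOV SS,AX; MOV SP,0x7C00; STI) followed by NOP padding, one
    bootable NTFS partition with made-up geometry, and a valid boot signature."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:8] = bytes.fromhex("33C08ED0BC007CFB")
    mbr[8:DISK_SIG_OFF] = b"\x90" * (DISK_SIG_OFF - 8)
    mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\x12\x34\x56\x78"  # constructed disk signature
    # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
    struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFF,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 488392002)
    mbr[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(mbr)


def build_tampered_view(clean: bytes) -> bytes:
    """Constructed second view whose first 16 bootstrap bytes differ from the
    clean sector; partition table and boot signature are left untouched."""
    view = bytearray(clean)
    view[0:16] = b"\xcc" * 16
    return bytes(view)


if __name__ == "__main__":
    kernel = build_sample_mbr()
    user = build_tampered_view(kernel)
    print(verdict(kernel, kernel))  # user == kernel MBR
    print(verdict(user, kernel))    # user != kernel MBR: 0x000-0x00F (bootstrap code)
```

A mismatch confined to the bootstrap region, with an intact partition table, is exactly the pattern worth escalating: the machine still boots and the volumes look normal, yet the two read paths disagree about the code that runs before Windows.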

Re: Can NOT receive WAN requests--LAN is OK

Post by askey127 » May 30th, 2011, 11:05 am

Hi a1sound,
-----------------------------------------------
Download Antivir Free
This program is free for personal, non-business use.
Download AntiVir Free from here : http://www.softpedia.com/get/Antivirus/AntiVir-Personal-Edition.shtml
Click the Download button. Then when the "Download Locations" page comes up, choose the first External Mirror (exe)
Save the Installer to your desktop, but don't run it yet. The installer file will be named avira_antivir_personal_en.exe
Double check to be sure you know where to find it.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

AVG 9
Agnitum Outpost Firewall

Take extra care in answering questions posed by any Uninstaller.
--------------------------------------------
TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!
  1. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
    If you don't see file extensions, please see: How to change the file extension.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
    • If Cure is not offered as an option, choose Skip.
  5. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the main directory of C:
    (the dd.mm.yyyy_hh.mm.ss numbers in the filename represent the time/date stamp)
  6. Copy and paste the contents of that file in your next reply.
If, for some reason, you can't locate the text file to paste into your reply, just tell me, but DO NOT run the program a second time.

If the machine doesn't reboot itself after running TDSSKiller, do it manually
-----------------------------------------------
From the Control Panel, Start up the Windows Firewall
-----------------------------------------------
Install Antivir
Double click the Avira Antivir Installer you saved on your desktop, and let it Install Antivir.
-----------------------------------------------
Update and Scan with Antivir
Right click the red umbrella icon and choose Start Antivir.
When the window comes up click Start Update.
When the update is complete, click on Scan System Now.
This full scan could take an hour or more.
It will ask what to do with any item it finds.
IMPORTANT >> tell it to DELETE or QUARANTINE any items it finds.
-----------------------------------------------
Get Last Avira Report
Right click the red umbrella icon in the system tray and click Start Antivir.
In the left pane, click Overview, then click Reports.
There will be reports titled Update and reports titled Scan. Find the most recent report in the list titled Scan.
Click on the Report File button, or right click the report and choose Display Report.
The report contents will come up in Notepad. Highlight the entire report (Ctrl+A) and copy to the clipboard (Ctrl+C).
Paste the contents (Ctrl+V) into your next reply.

So we will be looking for the TDSSKiller log and the log from Antivir.
askey127
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
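Both logs askey127 asks for above are read by hand later in this thread. As an added example that is not part of the forum thread or of either vendor's tooling, this Python script pulls the "Detected object count" line out of a TDSSKiller log and sorts the [DETECTION] entries of an Avira AntiVir report by where on disk each file sits, so that dormant copies (System Restore points, another scanner's backup folder, the Recycle Bin) are kept apart from files still in use, such as attachments in a mailing-list message store. The log excerpts are constructed to match the report formats posted in this thread; the {GUID} and SID fragments in them are placeholders.

```python
"""Read the two logs askey127 asks for (TDSSKiller, Avira AntiVir) and sort
the Avira detections by where on disk they were found.

This is an added example written for this page, not a tool from the forum
or from either vendor. The log excerpts are constructed to match the
format of the reports posted in this thread; the paths are shortened.
"""
import re
from collections import defaultdict

# Constructed excerpt of a TDSSKiller log (same layout as the one posted).
TDSS_SAMPLE = """\
2011/05/30 15:16:13.0187 3804 Scan finished
2011/05/30 15:16:13.0187 3728 Detected object count: 0
2011/05/30 15:16:13.0187 3728 Actual detected object count: 0
"""

# Constructed excerpt of an Avira AntiVir report.  {GUID} and SID are
# shortened placeholders, not values taken from the thread.
AVIRA_SAMPLE = r"""Begin scan in 'C:\' <Svenskatec>
C:\System Volume Information\_restore{GUID}\RP727\A0108829.exe
[DETECTION] Is the TR/Renaz.17104 Trojan
C:\Documents and Settings\buzz\Local Settings\Temp\HouseCall\log\backup\TSC_GENCLEAN.DAT
[DETECTION] Contains recognition pattern of the WORM/Mydoom.M worm
Begin scan in 'D:\' <HoneyPot>
D:\Lists\WhiteGold-List\MsgStore\Attachments\DHL_invoice_NR1478.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Spy.ZBot.AW Trojan
--> DHL_invoice_NR1478.exe
[DETECTION] Is the TR/Spy.ZBot.AW Trojan
D:\RECYCLER\S-1-5-21-SID\Dn1476.exe
[0] Archive type: RAR SFX (self extracting)
[DETECTION] Is the TR/Spy.Gampass.A Trojan
--> PowerDVD7.2 keygen\keygen.exe
[DETECTION] Is the TR/Spy.Gampass.A Trojan
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                    # a scanned file path
NAME_RE = re.compile(r"\b([A-Z]{2,5}/[A-Za-z0-9._-]+)")  # e.g. TR/Spy.ZBot.AW
COUNT_RE = re.compile(r"Detected object count: (\d+)")

# Locations where a hit is a dormant copy rather than a file in use.
INACTIVE = {"restore_point", "scanner_backup", "recycle_bin"}


def tdsskiller_detected_count(log_text):
    """Return the 'Detected object count' from a TDSSKiller log, or None."""
    m = COUNT_RE.search(log_text)
    return int(m.group(1)) if m else None


def classify_path(path):
    """Bucket a detected file by the part of the disk it sits in."""
    p = path.lower()
    if "\\system volume information\\" in p:
        return "restore_point"      # cleared by purging System Restore
    if "\\msgstore\\attachments\\" in p:
        return "mail_attachment"    # live copy in the list server's store
    if "\\recycler\\" in p:
        return "recycle_bin"
    if "\\housecall\\" in p or "\\backup\\" in p:
        return "scanner_backup"     # another scanner's own backup folder
    return "other"


def parse_avira_detections(report_text):
    """Return [(path, detection_name)] in report order, one per file.

    Avira repeats the [DETECTION] line for each archive member ('-->'), so
    duplicates of the same (path, name) pair are collapsed.
    """
    found, seen, current = [], set(), None
    for raw in report_text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = line
        elif line.startswith("[DETECTION]") and current:
            m = NAME_RE.search(line)
            if m and (current, m.group(1)) not in seen:
                seen.add((current, m.group(1)))
                found.append((current, m.group(1)))
    return found


def summarize(report_text):
    """Group detections by location bucket."""
    groups = defaultdict(list)
    for path, name in parse_avira_detections(report_text):
        groups[classify_path(path)].append((path, name))
    return dict(groups)


def live_detections(report_text):
    """Detections outside the dormant locations: the ones to act on first."""
    return [hit for bucket, hits in summarize(report_text).items()
            if bucket not in INACTIVE for hit in hits]


if __name__ == "__main__":
    print("TDSSKiller detected objects:", tdsskiller_detected_count(TDSS_SAMPLE))
    for bucket, hits in summarize(AVIRA_SAMPLE).items():
        print(f"{bucket} ({len(hits)}):")
        for path, name in hits:
            print(f"  {name:<22} {path}")
    print("live:", [name for _, name in live_detections(AVIRA_SAMPLE)])
```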

Re: Can NOT receive WAN requests--LAN is OK

Unread postby a1sound » May 31st, 2011, 3:55 am

Hi Askey127!

Thank you for your quick reply. Below are the two scans you requested. I could not get local service to run through Windows Firewall, but after reinstalling Outpost, I could manually run the lists. There still is no access to <air.zz.com> from points outside the LAN.

The DDS scan said there was a rootkit. TDSSKiller found none. Avira was quite busy, however. Still, no joy with outside access.

Here is the output from the scans:

2011/05/30 15:15:32.0046 2920 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24
2011/05/30 15:15:32.0609 2920 ================================================================================
2011/05/30 15:15:32.0609 2920 SystemInfo:
2011/05/30 15:15:32.0609 2920
2011/05/30 15:15:32.0609 2920 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/30 15:15:32.0609 2920 Product type: Workstation
2011/05/30 15:15:32.0609 2920 ComputerName: SVENSKATEC
2011/05/30 15:15:32.0609 2920 UserName: buzz
2011/05/30 15:15:32.0609 2920 Windows directory: C:\WINDOWS
2011/05/30 15:15:32.0609 2920 System windows directory: C:\WINDOWS
2011/05/30 15:15:32.0609 2920 Processor architecture: Intel x86
2011/05/30 15:15:32.0609 2920 Number of processors: 2
2011/05/30 15:15:32.0609 2920 Page size: 0x1000
2011/05/30 15:15:32.0609 2920 Boot type: Normal boot
2011/05/30 15:15:32.0609 2920 ================================================================================
2011/05/30 15:15:33.0609 2920 Initialize success
2011/05/30 15:16:08.0187 3804 ================================================================================
2011/05/30 15:16:08.0187 3804 Scan started
2011/05/30 15:16:08.0187 3804 Mode: Manual;
2011/05/30 15:16:08.0187 3804 ================================================================================
2011/05/30 15:16:13.0187 3804 ================================================================================
2011/05/30 15:16:13.0187 3804 Scan finished
2011/05/30 15:16:13.0187 3804 ================================================================================
2011/05/30 15:16:13.0187 3728 Detected object count: 0
2011/05/30 15:16:13.0187 3728 Actual detected object count: 0
2011/05/30 15:17:20.0031 2924 Deinitialize success

-=-=-



Avira AntiVir Personal
Report file date: Monday, 30 May, 2011 22:30

Scanning for 2777566 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : SVENSKATEC

Version information:

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, 30 May, 2011 22:30

Starting search for hidden objects.
An ARK library instance is already running.

The scan of running processes will be started
Scan process 'avscan.exe' - '61' Module(s) have been scanned
Scan process 'avscan.exe' - '72' Module(s) have been scanned
Scan process 'EditPad.exe' - '23' Module(s) have been scanned
Scan process 'msdtc.exe' - '40' Module(s) have been scanned
Scan process 'dllhost.exe' - '62' Module(s) have been scanned
Scan process 'avcenter.exe' - '63' Module(s) have been scanned
Scan process 'avgnt.exe' - '51' Module(s) have been scanned
Scan process 'sched.exe' - '45' Module(s) have been scanned
Scan process 'avshadow.exe' - '25' Module(s) have been scanned
Scan process 'avguard.exe' - '57' Module(s) have been scanned
Scan process 'jucheck.exe' - '48' Module(s) have been scanned
Scan process 'alg.exe' - '33' Module(s) have been scanned
Scan process 'DPH-50U Utility.exe' - '33' Module(s) have been scanned
Scan process 'TeamViewer.exe' - '75' Module(s) have been scanned
Scan process 'VServ.exe' - '18' Module(s) have been scanned
Scan process 'TeamViewer_Service.exe' - '30' Module(s) have been scanned
Scan process 'Serv-U.exe' - '53' Module(s) have been scanned
Scan process 'SbieSvc.exe' - '22' Module(s) have been scanned
Scan process 'ppped.exe' - '27' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '36' Module(s) have been scanned
Scan process 'mysqld-nt.exe' - '22' Module(s) have been scanned
Scan process 'jqs.exe' - '33' Module(s) have been scanned
Scan process 'hMailServer.exe' - '55' Module(s) have been scanned
Scan process 'DkService.exe' - '54' Module(s) have been scanned
Scan process 'D4.exe' - '45' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'SVList-WhiteGold-List.exe' - '54' Module(s) have been scanned
Scan process 'SVList-UNJO.exe' - '54' Module(s) have been scanned
Scan process 'SVList-Animal-List.exe' - '54' Module(s) have been scanned
Scan process 'DUMeter.exe' - '36' Module(s) have been scanned
Scan process 'DUSuperControler.exe' - '45' Module(s) have been scanned
Scan process 'DUSuperControler.exe' - '14' Module(s) have been scanned
Scan process 'Skype.exe' - '83' Module(s) have been scanned
Scan process 'Serv-U-Tray.exe' - '36' Module(s) have been scanned
Scan process 'SbieCtrl.exe' - '30' Module(s) have been scanned
Scan process 'ctfmon.exe' - '26' Module(s) have been scanned
Scan process 'pppeuser.exe' - '26' Module(s) have been scanned
Scan process 'DLinkMonitor.exe' - '25' Module(s) have been scanned
Scan process 'jusched.exe' - '25' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '32' Module(s) have been scanned
Scan process 'D4.exe' - '28' Module(s) have been scanned
Scan process 'winpatrol.exe' - '50' Module(s) have been scanned
Scan process 'RUNDLL32.EXE' - '29' Module(s) have been scanned
Scan process 'rundll32.exe' - '34' Module(s) have been scanned
Scan process 'Explorer.EXE' - '112' Module(s) have been scanned
Scan process 'spoolsv.exe' - '54' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '157' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'svchost.exe' - '51' Module(s) have been scanned
Scan process 'lsass.exe' - '58' Module(s) have been scanned
Scan process 'services.exe' - '35' Module(s) have been scanned
Scan process 'winlogon.exe' - '80' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!
Master boot sector HD5
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '376' files ).


Starting the file scan:

Begin scan in 'C:\' <Svenskatec>
C:\Documents and Settings\buzz\Local Settings\Temp\HouseCall\log\7A854A26-2420-40AB-8A57-174DBB4E5C21\backup\150
[0] Archive type: HIDDEN
[DETECTION] Is the TR/Agent.47481.A Trojan
--> FIL\\\?\C:\Documents and Settings\buzz\Local Settings\Temp\HouseCall\log\7A854A26-2420-40AB-8A57-174DBB4E5C21\backup\150
[DETECTION] Is the TR/Agent.47481.A Trojan
C:\Documents and Settings\buzz\Local Settings\Temp\HouseCall\log\7A854A26-2420-40AB-8A57-174DBB4E5C21\backup\151
[0] Archive type: HIDDEN
[DETECTION] Contains recognition pattern of the WORM/Mydoom.O.1 worm
--> FIL\\\?\C:\Documents and Settings\buzz\Local Settings\Temp\HouseCall\log\7A854A26-2420-40AB-8A57-174DBB4E5C21\backup\151
[DETECTION] Contains recognition pattern of the WORM/Mydoom.O.1 worm
C:\Documents and Settings\buzz\Local Settings\Temp\HouseCall\log\7A854A26-2420-40AB-8A57-174DBB4E5C21\backup\152
[0] Archive type: HIDDEN
[DETECTION] Contains recognition pattern of the WORM/Mydoom.O.1 worm
--> FIL\\\?\C:\Documents and Settings\buzz\Local Settings\Temp\HouseCall\log\7A854A26-2420-40AB-8A57-174DBB4E5C21\backup\152
[DETECTION] Contains recognition pattern of the WORM/Mydoom.O.1 worm
C:\Documents and Settings\buzz\Local Settings\Temp\HouseCall\log\backup\TSC_GENCLEAN_2011_01_21_21_37_42_156_175.DAT
[DETECTION] Contains recognition pattern of the WORM/Mydoom.M worm
C:\Documents and Settings\buzz\Local Settings\Temp\HouseCall\log\backup\TSC_GENCLEAN_2011_01_21_21_37_52_640_128.DAT
[DETECTION] Contains recognition pattern of the WORM/Mydoom.M worm
C:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP727\A0108829.exe
[DETECTION] Is the TR/Renaz.17104 Trojan
C:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP727\A0109729.exe
[DETECTION] Is the TR/Packed.6813 Trojan
C:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111421.exe
[DETECTION] Is the TR/Packed.6813 Trojan
C:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111710.exe
[DETECTION] Is the TR/Agent.64512.BO Trojan
Begin scan in 'D:\' <HoneyPot>
D:\ftp\_install\irc\bewareircd.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Genlot.IRC.13 Trojan
--> bircd.exe
[DETECTION] Is the TR/Genlot.IRC.13 Trojan
D:\Lists\WhiteGold-List\MsgStore\Attachments\DHL_Delivery_Label_1bb1c02.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
--> DHL_Delivery_Label_1bb1c02.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
D:\Lists\WhiteGold-List\MsgStore\Attachments\DHL_invoice_NR1478.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Spy.ZBot.AW Trojan
--> DHL_invoice_NR1478.exe
[DETECTION] Is the TR/Spy.ZBot.AW Trojan
D:\Lists\WhiteGold-List\MsgStore\Attachments\DHL_label_NR35832.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
--> DHL_label_NR35832.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Lists\WhiteGold-List\MsgStore\Attachments\DHL_Print_label_47640.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Dropper.Gen Trojan
--> DHL_Print_label_47640.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
D:\Lists\WhiteGold-List\MsgStore\Attachments\upsinvoice0710325.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Zbot.HNN Trojan
--> UPSINVOICE.exe
[DETECTION] Is the TR/Zbot.HNN Trojan
D:\Lists\WhiteGold-List\MsgStore\Attachments\whitegold-request@zz.com
[DETECTION] Contains recognition pattern of the WORM/Mydoom.O.1 worm
D:\Lists\WhiteGold-List\MsgStore\Attachments\zz.com
[DETECTION] Contains recognition pattern of the WORM/Mydoom.O.1 worm
D:\Lists\WhiteGold-List\MsgStore\Attachments\zz.com.zip
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the WORM/Mydoom.M worm
--> zz.com.htm .com
[DETECTION] Contains recognition pattern of the WORM/Mydoom.O.1 worm
D:\RECYCLER\S-1-5-21-839522115-1979792683-725345543-1003\Dn1476.exe
[0] Archive type: RAR SFX (self extracting)
[DETECTION] Is the TR/Spy.Gampass.A Trojan
--> PowerDVD7.2 keygen\keygen.exe
[DETECTION] Is the TR/Spy.Gampass.A Trojan
D:\System Volume Information\_restore{4E03E6D2-23CA-4C0E-A5BC-270C390C94D2}\RP57\A0005929.exe
[DETECTION] Is the TR/Small.59392 Trojan
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0110585.exe
[DETECTION] Is the TR/Agent.73728.BX Trojan
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0110586.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0110888.exe
[DETECTION] Contains recognition pattern of the DR/Small.xut.11 dropper
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0110889.exe
[DETECTION] Is the TR/Spy.126976.17 Trojan
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0110897.exe
[DETECTION] Is the TR/Spy.126976.17 Trojan
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0110945.exe
[DETECTION] Is the TR/Spy.51712.11 Trojan
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0110956.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Hupigon.kzad back-door program
--> Object
[1] Archive type: RSRC
--> Object
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Hupigon.kzad back-door program
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111119.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Hupigon.kzad back-door program
--> Object
[1] Archive type: RSRC
--> Object
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Hupigon.kzad back-door program
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111513.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
--> Object
[DETECTION] Is the TR/Dropper.Gen Trojan
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111522.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111527.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111528.exe
[DETECTION] Is the TR/Spy.53760.G Trojan
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111532.exe
[DETECTION] Is the TR/Spy.53760.G Trojan
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111537.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111714.exe
[DETECTION] Contains recognition pattern of the DR/Dldr.Injecter.ahh.29 dropper
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111719.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
D:\System Volume Information\_restore{66059927-D996-435A-B538-31E4B4A250C7}\RP11\A0007117.exe
[DETECTION] Is the TR/Spy.53760.G Trojan
D:\System Volume Information\_restore{DA13C240-2FA3-4DFF-82EC-FD6EAA99E673}\RP1\A0000244.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
D:\System Volume Information\_restore{DA13C240-2FA3-4DFF-82EC-FD6EAA99E673}\RP1\A0000254.exe
[DETECTION] Is the TR/Agent.82944.I Trojan
D:\_xfer\Glenn\Audio\Winamp\Winamp 5.5.4.2189 Pro Full Keygen.exe
[DETECTION] Contains recognition pattern of the DR/Small.yaf.2 dropper
D:\_xfer\Glenn\Internet\irc\bewareircd.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Genlot.IRC.13 Trojan
--> bircd.exe
[DETECTION] Is the TR/Genlot.IRC.13 Trojan

Beginning disinfection:
D:\_xfer\Glenn\Internet\irc\bewareircd.zip
[DETECTION] Is the TR/Genlot.IRC.13 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4d1835b9.qua'.
D:\_xfer\Glenn\Audio\Winamp\Winamp 5.5.4.2189 Pro Full Keygen.exe
[DETECTION] Contains recognition pattern of the DR/Small.yaf.2 dropper
[NOTE] The file was moved to the quarantine directory under the name '55861a12.qua'.
D:\System Volume Information\_restore{DA13C240-2FA3-4DFF-82EC-FD6EAA99E673}\RP1\A0000254.exe
[DETECTION] Is the TR/Agent.82944.I Trojan
[NOTE] The file was moved to the quarantine directory under the name '079f40c1.qua'.
D:\System Volume Information\_restore{DA13C240-2FA3-4DFF-82EC-FD6EAA99E673}\RP1\A0000244.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '61a80f03.qua'.
D:\System Volume Information\_restore{66059927-D996-435A-B538-31E4B4A250C7}\RP11\A0007117.exe
[DETECTION] Is the TR/Spy.53760.G Trojan
[NOTE] The file was moved to the quarantine directory under the name '242c223d.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111719.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5b36105c.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111714.exe
[DETECTION] Contains recognition pattern of the DR/Dldr.Injecter.ahh.29 dropper
[NOTE] The file was moved to the quarantine directory under the name '178e3c16.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111537.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '6b967c46.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111532.exe
[DETECTION] Is the TR/Spy.53760.G Trojan
[NOTE] The file was moved to the quarantine directory under the name '46cc530b.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111528.exe
[DETECTION] Is the TR/Spy.53760.G Trojan
[NOTE] The file was moved to the quarantine directory under the name '5fa46891.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111527.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '33f844a1.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111522.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '42417d34.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111513.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4c5b4df3.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111119.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Hupigon.kzad back-door program
[NOTE] The file was moved to the quarantine directory under the name '097234b1.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0110956.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Hupigon.kzad back-door program
[NOTE] The file was moved to the quarantine directory under the name '0079301a.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0110945.exe
[DETECTION] Is the TR/Spy.51712.11 Trojan
[NOTE] The file was moved to the quarantine directory under the name '58382973.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0110897.exe
[DETECTION] Is the TR/Spy.126976.17 Trojan
[NOTE] The file was moved to the quarantine directory under the name '74cc50bf.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0110889.exe
[DETECTION] Is the TR/Spy.126976.17 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4a323065.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0110888.exe
[DETECTION] Contains recognition pattern of the DR/Small.xut.11 dropper
[NOTE] The file was moved to the quarantine directory under the name '293c1b16.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0110586.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '0ff45b08.qua'.
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0110585.exe
[DETECTION] Is the TR/Agent.73728.BX Trojan
[NOTE] The file was moved to the quarantine directory under the name '3d6020ad.qua'.
D:\System Volume Information\_restore{4E03E6D2-23CA-4C0E-A5BC-270C390C94D2}\RP57\A0005929.exe
[DETECTION] Is the TR/Small.59392 Trojan
[NOTE] The file was moved to the quarantine directory under the name '37240bd3.qua'.
D:\RECYCLER\S-1-5-21-839522115-1979792683-725345543-1003\Dn1476.exe
[DETECTION] Is the TR/Spy.Gampass.A Trojan
[NOTE] The file was moved to the quarantine directory under the name '08766fd4.qua'.
D:\Lists\WhiteGold-List\MsgStore\Attachments\zz.com.zip
[DETECTION] Contains recognition pattern of the WORM/Mydoom.M worm
[NOTE] The file was moved to the quarantine directory under the name '765d63eb.qua'.
D:\Lists\WhiteGold-List\MsgStore\Attachments\zz.com
[DETECTION] Contains recognition pattern of the WORM/Mydoom.O.1 worm
[NOTE] The file was moved to the quarantine directory under the name '23256720.qua'.
D:\Lists\WhiteGold-List\MsgStore\Attachments\whitegold-request@zz.com
[DETECTION] Contains recognition pattern of the WORM/Mydoom.O.1 worm
[NOTE] The file was moved to the quarantine directory under the name '2eec1616.qua'.
D:\Lists\WhiteGold-List\MsgStore\Attachments\upsinvoice0710325.zip
[DETECTION] Is the TR/Zbot.HNN Trojan
[NOTE] The file was moved to the quarantine directory under the name '32ab0217.qua'.
D:\Lists\WhiteGold-List\MsgStore\Attachments\DHL_Print_label_47640.zip
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '031f4fb1.qua'.
D:\Lists\WhiteGold-List\MsgStore\Attachments\DHL_label_NR35832.zip
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '6f495b87.qua'.
D:\Lists\WhiteGold-List\MsgStore\Attachments\DHL_invoice_NR1478.zip
[DETECTION] Is the TR/Spy.ZBot.AW Trojan
[NOTE] The file was moved to the quarantine directory under the name '26d37e80.qua'.
D:\Lists\WhiteGold-List\MsgStore\Attachments\DHL_Delivery_Label_1bb1c02.zip
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '7d467651.qua'.
D:\ftp\_install\irc\bewareircd.zip
[DETECTION] Is the TR/Genlot.IRC.13 Trojan
[NOTE] The file was moved to the quarantine directory under the name '1b9f7add.qua'.
C:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111710.exe
[DETECTION] Is the TR/Agent.64512.BO Trojan
[NOTE] The file was moved to the quarantine directory under the name '4c5f0838.qua'.
C:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111421.exe
[DETECTION] Is the TR/Packed.6813 Trojan
[NOTE] The file was moved to the quarantine directory under the name '6e2f5f4c.qua'.
C:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP727\A0109729.exe
[DETECTION] Is the TR/Packed.6813 Trojan
[NOTE] The file was moved to the quarantine directory under the name '063f25da.qua'.
C:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP727\A0108829.exe
[DETECTION] Is the TR/Renaz.17104 Trojan
[NOTE] The file was moved to the quarantine directory under the name '2649215f.qua'.
C:\Documents and Settings\buzz\Local Settings\Temp\HouseCall\log\backup\TSC_GENCLEAN_2011_01_21_21_37_52_640_128.DAT
[DETECTION] Contains recognition pattern of the WORM/Mydoom.M worm
[NOTE] The file was moved to the quarantine directory under the name '735f67d7.qua'.
C:\Documents and Settings\buzz\Local Settings\Temp\HouseCall\log\backup\TSC_GENCLEAN_2011_01_21_21_37_42_156_175.DAT
[DETECTION] Contains recognition pattern of the WORM/Mydoom.M worm
[NOTE] The file was moved to the quarantine directory under the name '127f4668.qua'.
C:\Documents and Settings\buzz\Local Settings\Temp\HouseCall\log\7A854A26-2420-40AB-8A57-174DBB4E5C21\backup\152
[DETECTION] Contains recognition pattern of the WORM/Mydoom.O.1 worm
[NOTE] The file was moved to the quarantine directory under the name '77e104ed.qua'.
C:\Documents and Settings\buzz\Local Settings\Temp\HouseCall\log\7A854A26-2420-40AB-8A57-174DBB4E5C21\backup\151
[DETECTION] Contains recognition pattern of the WORM/Mydoom.O.1 worm
[NOTE] The file was moved to the quarantine directory under the name '1236704c.qua'.
C:\Documents and Settings\buzz\Local Settings\Temp\HouseCall\log\7A854A26-2420-40AB-8A57-174DBB4E5C21\backup\150
[DETECTION] Is the TR/Agent.47481.A Trojan
[NOTE] The file was moved to the quarantine directory under the name '01d24cdf.qua'.


End of the scan: Monday, 30 May, 2011 23:55
Used time: 1:23:33 Hour(s)

The scan has been done completely.

8025 Scanned directories
822011 Files were scanned
42 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
41 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
821969 Files not concerned
27894 Archives were scanned
0 Warnings
41 Notes

-=-=-

I'm so glad this machine came back online after quarantining(sp?) the hits, that I started breathing again. Windows Firewall would not allow the list software to access the local mailer even after I entered every port and program and whatever I could think of. Outpost loaded right up, and the list software can communicate with the mailer again. Still, no outside access is allowed. Avira is still installed and working.

I noticed that the Avira scan reported 42 items and removed 41. I don't know what I missed--I did the default quarantine step.

http://air.zz.com

will start an HTML access to the FTP site locally, but not from the outside. I did not run another DDS scan because you didn't ask for it.

Again, thank you for your time,

Buzz.
a1sound
Regular Member
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA
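The 42-found versus 41-quarantined gap noted above is easier to pin down by reconciling the report's two sections than by eye. The following is an added example, not from the original post or from Avira: it parses a constructed report in the same layout as the one above (scan detections, the 'Beginning disinfection:' quarantine notes, and the summary counts) and lists the detected objects that never received a quarantine NOTE; every path, signature and quarantine name in it is made up.

```python
"""Reconcile an Avira AntiVir report: which detected objects never got a
quarantine NOTE. Added example, not from the forum post or from Avira."""
import re
from dataclasses import dataclass, field

PATH_RE = re.compile(r"^[A-Za-z]:\\")  # drive-letter path such as D:\ftp\...
DETECT_RE = re.compile(r"^\[DETECTION\]\s+(.*)$")
NOTE_RE = re.compile(r"^\[NOTE\] The file was moved to the quarantine "
                     r"directory under the name '([^']+)'")
SUMMARY_RE = re.compile(r"^(\d+)\s+(.+?)\s*$")
SKIP_PREFIXES = ("Begin scan in", "Scan process", "Starting the file scan")


@dataclass
class Report:
    detections: dict = field(default_factory=dict)   # path -> [(object, signature)]
    quarantined: dict = field(default_factory=dict)  # path -> .qua name
    summary: dict = field(default_factory=dict)      # summary label -> count


def parse_report(text: str) -> Report:
    """Walk the scan, disinfection and summary sections of the report."""
    rep, phase = Report(), "scan"
    current = None  # top-level path the following bracketed lines describe
    nested = None   # archive member named by the last '-->' line, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        if line.startswith("Beginning disinfection:"):
            phase, current = "disinfect", None
        elif line.startswith("End of the scan"):
            phase = "summary"
        elif phase == "summary":
            m = SUMMARY_RE.match(line)
            if m:
                rep.summary[m.group(2)] = int(m.group(1))
        elif line.startswith("-->"):
            nested = line[3:].strip()
        elif line.startswith("["):
            m = DETECT_RE.match(line)
            # Only the scan section counts as a detection: the disinfection
            # section repeats each signature right before its quarantine NOTE.
            if m and phase == "scan" and current is not None:
                rep.detections.setdefault(current, []).append(
                    (nested or current, m.group(1)))
            m = NOTE_RE.match(line)
            if m and current is not None:
                rep.quarantined[current] = m.group(1)
            # '[0] Archive type: ZIP' and similar lines carry no verdict
        elif PATH_RE.match(line):
            current, nested = line, None
    return rep


def unquarantined(rep: Report) -> list:
    """Detected top-level objects that never received a quarantine NOTE."""
    return sorted(p for p in rep.detections if p not in rep.quarantined)


def count_mismatch(rep: Report) -> int:
    """Summary 'found' minus 'moved to quarantine', the gap noticed by eye."""
    found = rep.summary.get("Viruses and/or unwanted programs were found", 0)
    return found - rep.summary.get("Files were moved to quarantine", 0)


# Constructed sample in the same layout as the report above (names made up).
SAMPLE_REPORT = r"""Starting the file scan:

Begin scan in 'D:\' <HoneyPot>
D:\ftp\_install\irc\example.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Example.A Trojan
--> inner.exe
[DETECTION] Is the TR/Example.A Trojan
C:\WINDOWS\Temp\locked.exe
[DETECTION] Is the TR/Example.B Trojan

Beginning disinfection:
D:\ftp\_install\irc\example.zip
[DETECTION] Is the TR/Example.A Trojan
[NOTE] The file was moved to the quarantine directory under the name '00000000.qua'.

End of the scan: Monday, 30 May, 2011 23:55

2 Viruses and/or unwanted programs were found
1 Files were moved to quarantine
"""

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("found minus quarantined:", count_mismatch(report))
    for path in unquarantined(report):
        print("detected but not quarantined:", path, report.detections[path])
```

Run against a real report, the leftover paths are the ones to check by hand (a locked file, or an object the scanner found inside a container it could not rewrite).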

Re: Can NOT receive WAN requests--LAN is OK

Unread postby a1sound » May 31st, 2011, 6:38 am

I was walking by the computer and saw yet another badboy caught in a scan, so I told Avira to quarantine it. Does Avira continue to scan all the time? Here is what it put in a report..

Avira AntiVir Personal
Report file date: Tuesday, 31 May, 2011 03:17

Scanning for 2777566 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : SVENSKATEC

Configuration settings for the scan:
Jobname.............................: avguard_async_scan
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4e1cbd61\guard_slideup.avp
Logging.............................: low
Primary action......................: repair
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: high

Start of the scan: Tuesday, 31 May, 2011 03:17

The scan of running processes will be started

Starting the file scan:

Begin scan in 'D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111720.exe'
D:\System Volume Information\_restore{55E51D74-47A8-424D-9E0D-4D79F0354BDA}\RP730\A0111720.exe
[DETECTION] Contains recognition pattern of the DR/Small.yaf.2 dropper
[NOTE] The file was moved to the quarantine directory under the name '4cf661c2.qua'.

-=-=-

I hope this makes sense to your crew. Thanks for looking!

Cheers,
Buzz.
a1sound
Regular Member
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA

Re: Can NOT receive WAN requests--LAN is OK

Unread postby askey127 » May 31st, 2011, 6:58 am

Your old antivirus programs must have been taking a snooze.
OK on re-installing Outpost. Please don't install, uninstall, or scan with anything else unless I ask. Thanks.
Makes it hard to keep track of what's going on.

Most of this junk comes from using P2P, and then spreading it around in e-mails. (Your "friends" are suspect).
There may be more infections than we can realistically find, but we can try.
------------------------------------------------
Reset System Restore Points
  • Click Start, All Programs, Accessories, System Tools, System Restore
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Click Start, Run and type Cleanmgr
  • Select the Windows drive (usually C:), then click OK.
  • After it scans, Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.

Reboot your machine to record the changes you have made.
This System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware or changes in the Restore settings.
---------------------------------------------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    shimgapi.dll
    *taskmon*
    explorer.exe
    
    :regfind
    E6FB5E20-DE35-11CF-9C87-00AA005127ED
    taskmon
    
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software after downloading but BEFORE running ComboFix.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE AVIRA ANTIVIR
    Please navigate to the system tray in the bottom right-hand corner and look for an open umbrella on a red background.
    • Right click it and untick any of the options AntiVir Guard enable, Antivir Webguard enable, and Antivir Mailguard enable, that are present.
    • You should now see a closed umbrella on a red background.
    The AntiVir Guards are now disabled.
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts.
    When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • It will run through about 50 procedures, then take a while to assemble its output log.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then re-enable your antivirus protection software.
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.

So we are looking for the contents of SystemLook.txt and the log from ComboFix (zzz.exe).
askey127
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Can NOT receive WAN requests--LAN is OK

Unread postby a1sound » May 31st, 2011, 3:20 pm

Hi askey127!

I did what you requested, and below are the logs..

SystemLook.txt

SystemLook 04.09.10 by jpshortstuff
Log created at 11:17 on 31/05/2011 by buzz
Administrator - Elevation successful

No Context: :filefind

No Context: shimgapi.dll

No Context: *taskmon*

No Context: explorer.exe

No Context: :regfind

No Context: E6FB5E20-DE35-11CF-9C87-00AA005127ED

No Context: taskmon

-= EOF =-


Here is the ComboFix log..

ComboFix 11-05-31.01 - buzz 2011.05.31 11:27:42.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1517 [GMT -7:00]
Running from: c:\documents and settings\buzz\Desktop\zzz.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Outpost Security Suite *Disabled/Updated* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
FW: Outpost Security Suite *Enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\buzz\WINDOWS
c:\progra~1\COMMON~1\{525D3~1
c:\progra~1\COMMON~1\{525D3~1\SLMSICA.ini
c:\progra~1\COMMON~1\{525D3~1\slscp.log
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\autorun.inf
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\Ivr.scp
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\readme.txt
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\Setup.exe
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\Setup.MSI
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\Setup.scp
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\SLExtBU\ivr.scp
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\SLExtBU\Setup.scp
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slusbvip.cat
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slusbvip.inf
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slusbvip.sys
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slvad.cat
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slvad.inf
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slvad.sys
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slvipco.dll
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slvipgx.dll
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\TLRecAgent.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SERV-U
-------\Service_Serv-U
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-31 )))))))))))))))))))))))))))))))
.
.
2011-05-31 07:33 . 2011-05-30 14:16 1025824 ----a-w- c:\windows\system32\drivers\vbcorent.sys
2011-05-31 07:21 . 2011-02-02 23:04 242040 ----a-w- c:\windows\system32\drivers\VBEngNT.sys
2011-05-31 07:21 . 2011-02-02 22:52 710824 ----a-w- c:\windows\system32\drivers\SandBox.sys
2011-05-31 07:21 . 2010-09-27 22:40 267624 ----a-w- c:\windows\system32\drivers\afwcore.sys
2011-05-31 07:21 . 2010-04-20 22:05 34280 ----a-w- c:\windows\system32\drivers\afw.sys
2011-05-31 07:21 . 2011-05-31 17:00 -------- d-----w- c:\windows\system32\Filt
2011-05-31 07:21 . 2011-05-31 07:21 -------- d-----w- c:\documents and settings\buzz\Application Data\Agnitum
2011-05-31 07:21 . 2011-05-31 07:21 -------- d-----w- c:\program files\Agnitum
2011-05-31 07:20 . 2011-05-31 07:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
2011-05-30 22:32 . 2011-05-31 06:22 -------- d-----w- c:\windows\system32\NtmsData
2011-05-30 22:31 . 2011-05-30 22:31 -------- d-----w- c:\documents and settings\buzz\Application Data\Avira
2011-05-30 22:26 . 2011-05-30 22:26 -------- d-----w- c:\program files\Avira
2011-05-30 22:26 . 2011-05-30 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-05-30 22:26 . 2011-04-02 00:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-05-30 22:26 . 2011-04-02 00:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-05-30 22:26 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-05-30 22:26 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-05-30 21:36 . 2011-05-30 21:36 -------- d-----w- C:\$AVG
2011-05-27 10:35 . 2011-05-30 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2011-05-27 09:50 . 2011-05-27 09:50 -------- d-----w- c:\documents and settings\buzz\Application Data\GlarySoft
2011-05-27 09:50 . 2011-05-27 09:50 -------- d-----w- c:\program files\Absolute Uninstaller
2011-05-27 07:12 . 2011-05-27 07:12 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-27 05:41 . 2011-05-27 05:41 -------- d-----w- c:\program files\Trend Micro
2011-05-24 03:18 . 2011-05-27 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Files
2011-05-24 03:17 . 2011-05-27 07:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-05-24 03:17 . 2011-05-27 10:35 -------- d-----w- c:\program files\AVG
2011-05-24 03:03 . 2011-05-27 07:09 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2009-07-24 09:13 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2006-02-28 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2006-02-28 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Outpost]
@="{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
[HKEY_CLASSES_ROOT\CLSID\{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}]
2011-02-07 21:14 468128 ----a-w- c:\program files\Agnitum\Outpost Security Suite Free\op_shell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerPanel Personal Edition User Interaction"="c:\program files\GEEK SQUAD UPS\pppeuser.exe" [2007-03-10 270336]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2009-05-28 380416]
"ServUTrayIcon"="c:\program files\RhinoSoft.com\Serv-U\Serv-U-Tray.exe" [2009-04-06 525824]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-27 15026056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]
"nwiz"="nwiz.exe" [2006-08-12 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-12 86016]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"Dimension4"="c:\program files\D4\D4.exe" [2004-02-04 200704]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-06-23 847872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 148888]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-23 221184]
"DLinkMonitor.exe"="c:\program files\D-Link\D-Link USB VoIP Adapter\DLinkMonitor.exe" [2007-01-03 651264]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2011-02-07 3107736]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Security Suite Free\feedback.exe" [2011-02-07 517056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\documents and settings\buzz\Start Menu\Programs\Startup\
D4.exe.lnk - c:\program files\D4\D4.exe [2004-2-4 200704]
DUMeter.lnk - c:\program files\DU Meter\DUMeter.exe [2009-7-24 1161216]
SVList-Animal-List.lnk - d:\lists\Animal-List\SVList-Animal-List.exe [2008-2-15 1495040]
SVList-UNJO.lnk - d:\lists\UNJO\SVList-UNJO.exe [2008-2-15 1495040]
SVList-WhiteGold-List.lnk - d:\lists\WhiteGold-List\SVList-WhiteGold-List.exe [2008-2-15 1495040]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
autoexec.lnk - C:\autoexec.bat [2009-7-27 405]
DUSuperControler.lnk - c:\program files\DU Super Controler\DUSuperControler.exe [2004-1-20 724992]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Lists\\WhiteGold-List\\SVList-WhiteGold-List.exe"=
"d:\\Lists\\Animal-List\\SVList-Animal-List.exe"=
"d:\\Lists\\UNJO\\SVList-UNJO.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 TLRecAgent;TLRecAgent;c:\windows\system32\drivers\TLRecAgent.sys [2007.01.02 12:30 37208]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2011.05.31 00:21 710824]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [2011.05.31 00:21 2072592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011.05.30 15:26 136360]
R2 hMailServer;hMailServer;c:\program files\hMailServer\Bin\hMailServer.exe RunAsService --> c:\program files\hMailServer\Bin\hMailServer.exe RunAsService [?]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010.03.18 02:26 172328]
R2 VService;VService;c:\program files\D-Link\D-Link USB VoIP Adapter\VServ.exe [2007.01.02 14:07 105208]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2011.05.31 00:21 34280]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2011.05.31 00:21 267624]
R3 HomeQOS;HomeQOS Miniport;c:\windows\system32\drivers\homeqos.sys [2004.01.20 13:09 36096]
R3 slusbvip;SL3800 USB Driver;c:\windows\system32\drivers\slusbvip.sys [2007.01.02 12:31 591832]
R3 SLVAD_simple;D-Link Virtual Audio Device;c:\windows\system32\drivers\slvad.sys [2007.01.02 13:38 85656]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [2011.05.31 00:22 72352]
S3 VBEngNT;VBEngNT;c:\windows\system32\drivers\VBEngNT.sys [2011.05.31 00:21 242040]
S3 VBFilt;VBFilt;c:\windows\system32\Filt\VBFilt.dll [2011.05.31 00:22 36288]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-31 c:\windows\Tasks\reboot01.job
- c:\pfiles\shutdown.exe [2009-07-26 09:00]
.
2009-08-22 c:\windows\Tasks\reboot02.job
- c:\pfiles\shutdown.exe [2009-07-26 09:00]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 64.160.192.70 206.13.29.12
FF - ProfilePath - c:\documents and settings\buzz\Application Data\Mozilla\Firefox\Profiles\bpgjtaxx.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
------- File Associations -------
.
txtfile=c:\pfiles\EditPad\EditPad.exe "%1"
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-TransparentIcons - (no file)
HKCU-Run-BlockAds - (no file)
HKCU-Run-Tweak-XP - (no file)
HKCU-Run-TransTask - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-31 11:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP2504C rev.VT100-33 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3500)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\Agnitum\Outpost Security Suite Free\op_shell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\hMailServer\Bin\hMailServer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\windows\system32\nvsvc32.exe
c:\program files\GEEK SQUAD UPS\ppped.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\D-Link\D-Link USB VoIP Adapter\DPH-50U Utility.exe
.
**************************************************************************
.
Completion time: 2011-05-31 11:35:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-31 18:35
.
Pre-Run: 88,918,798,336 bytes free
Post-Run: 89,746,743,296 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - FE40C84FD095EB56D346B172129D8063


-=-=-


The server still is not available on the WAN side. The FTP server loaded but did not enable, requiring a manual kick. The lists that are moderated do not accept mail from anyone not on the list. This puts the rejected posts in a "Rejected" directory, and may be responsible for some hits that have not been run. I delete these regularly. Unfortunately, the spam and junk and badboys can't be stopped, only blocked. Only members and moderators can post.

Thanks again for your time,
Buzz.
a1sound
Regular Member
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA

Re: Can NOT receive WAN requests--LAN is OK

Unread postby askey127 » May 31st, 2011, 3:45 pm

You have a Master Boot record "bootkit" infection.
We have to be extremely careful in attempting to fix it, and even then there is serious risk of an unbootable machine result.

I need for you to tell me how many physical disks are on the machine, and whether this is a multi-boot setup.
Also, is it an OEM machine with a recovery partition?

Typing "diskmgmt.msc" into Start, Run will give some info.

We may be able to fix it using the Recovery Console, but I also need to know whether you have an original Windows XP disk.
Please tell me what you can.
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Can NOT receive WAN requests--LAN is OK

Unread postby a1sound » May 31st, 2011, 6:45 pm

Hi askey127,

The machine has two hard drives, C and D, a CD writer, and a DVD writer all on IDE pairs. The hard drives are 7200 rpm 250GB Samsung drives spaced well apart for heat dissipation. This system used to be a sound editor, but that equipment has been long ago removed and the computer retired. It has a legal winXP Pro system installed. I do have bootable copies of the xp disk as well as the sparkling original from Microsoft. This is a single boot machine that I have had auto boot every day at 0300 hours. This machine was built from parts originally, and there is no recovery partition. Since each HD contains a single primary partition, regeneration of the partitions should not be complex should that be necessary. *gulp*

I'll dig out the Microsoft CD and see where we can go next. I have been communicating here with my laptop to keep the computer in the dark about what's going on. I am able to map drives on the LAN and move downloads in and out for these posts.

"Disk Management" lists two HDs C and D with the system on C with about 90GB free on C and 71GB free on D, and both disks are running single primary partitions. There are two DVDs listed, and four removable drives mapping a multi size chip (sd, etc) reader that is lit but not used for anything. The machine is pretty much empty with the exception of drives and a video card.

What purpose would anyone have in creating such an odd attack by blocking incoming WAN requests? I do get at least one request per week from the Pacific Rim wanting to buy zz.com for peanuts--I do not want to sell the domain. This could be related to that. ZZ is a lucky symbol to the Chinese. zz.com was once appraised in the millions. I just got in on day zero a long time ago when there was no charge to register a domain. Some offers are polite and silly, and others are forceful and serious. My registrar watches it like a hawk.

I believe that once this machine is corrected and clean again, with the strong port forwarding and filtering in the <air.zz.com> router and the tight grip that Outpost has on the running processes--not to mention Avira, that I can watch for these attacks and prevent their gaining a foothold. Your help here is definitely appreciated.


OK, Chief--What next?

Cheers,
Buzz.
a1sound
Regular Member
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA

Re: Can NOT receive WAN requests--LAN is OK

Unread postby askey127 » June 1st, 2011, 9:02 am

a1sound,
Please follow this exactly:

Let's back up your MBR (Master Boot Record) as a reserve in case we need it:
  • First create a new folder on your Desktop and name it MBR (must be this name and must be on your Desktop)
  • Please download mbr.exe and save it to the new MBR folder. (must be in this location)
  • Click Start > Run type Notepad click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
Code:
@ECHO OFF
REM Work from the MBR folder on the Desktop so mbr.exe writes backup_mbr.dat and mbr.log there
CD "%userprofile%\Desktop\MBR"
REM Copy the first sector of physical disk 0 (the MBR) into backup_mbr.dat
MBR -c 0 1 "%userprofile%\Desktop\MBR\backup_mbr.dat"
REM Remove this batch file once the copy has been made
DEL %0

  • Click Format and ensure Wordwrap is unchecked.
  • Save as mbrcopy.bat to your Desktop. Save as file type All Files or it won't work.
  • Now double click on mbrcopy.bat to run it.
  • A file backup_mbr will be created in the MBR folder on your Desktop, as well as a file mbr.log
  • Please post back the contents of mbr.log

I would suggest you burn a copy of backup_mbr to a CD.
It also can be saved to a freshly cleaned flash, but is less secure that way, since it could be altered by the infection.
askey127
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Can NOT receive WAN requests--LAN is OK

Unread postby a1sound » June 1st, 2011, 2:52 pm

Hi askey127,

OK. Saved a copy on my laptop as well..

Cheers,
Buzz.

Forgot the log. Here..

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP2504C rev.VT100-33 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12

0x1 sector(s) have been successfully saved to "C:\Documents and Settings\buzz\Desktop\MBR\backup_mbr.dat".
a1sound
Regular Member
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA

Re: Can NOT receive WAN requests--LAN is OK

Unread postby askey127 » June 1st, 2011, 7:49 pm

a1sound,
  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow keys to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.
  5. At the C:\Windows prompt, type the following bolded text, and press Enter:

    fixmbr

    • NOTE: If you are prompted with "Are you sure you want to write a new MBR", type Y and press Enter.

  6. At the next prompt, type the following bolded text, and press Enter:

    Exit

Restart the PC and boot into normal mode.
Let me know how it worked. (If you can boot up)

askey127
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
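The backup_mbr.dat written by the mbrcopy.bat step is a raw 512-byte copy of sector 0, and the fixmbr step that follows it rewrites only the boot code, leaving the partition table in place. The Python script below is an added example, not a tool from this thread or from Gmer: it parses such an image, runs a few structural sanity checks, and reports which region (boot code, partition table or signature) differs between two copies, so a backup taken before fixmbr can be compared with one taken afterwards, or with a known-good image. The sample MBR it builds and the function names are the editor's own constructions.

```python
"""Parse and compare 512-byte MBR images such as the backup_mbr.dat written
by the mbrcopy.bat step.  Added example; the sample image is constructed."""
import struct
from typing import Dict, List

MBR_SIZE = 512
PT_OFFSET = 446          # four 16-byte partition entries start here
SIG_OFFSET = 510         # two-byte boot signature 55 AA
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(image: bytes) -> Dict:
    """Split an MBR image into boot code, partition entries and signature status."""
    if len(image) != MBR_SIZE:
        raise ValueError(f"MBR image must be {MBR_SIZE} bytes, got {len(image)}")
    partitions = []
    for index in range(4):
        offset = PT_OFFSET + 16 * index
        # entry layout: status, CHS start (skipped), type, CHS end (skipped),
        # LBA of first sector, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", image, offset)
        partitions.append({
            "index": index,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code": image[:PT_OFFSET],
        "partitions": partitions,
        "signature_ok": image[SIG_OFFSET:SIG_OFFSET + 2] == BOOT_SIGNATURE,
    }


def sanity_findings(image: bytes) -> List[str]:
    """Structural checks every healthy single-boot Windows XP MBR should pass.
    An empty list means no finding; it does not prove the boot code is clean."""
    info = parse_mbr(image)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing")
    used = [p for p in info["partitions"] if p["type"] != 0]
    if not used:
        findings.append("partition table is empty")
    elif not any(p["active"] for p in used):
        findings.append("no active (bootable) partition")
    for p in info["partitions"]:
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"entry {p['index']} has type 0 but a non-zero extent")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"entry {p['index']} has zero length")
    # entries sorted by start sector; any start below the previous end overlaps
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in used)
    for (_, end_a, idx_a), (start_b, _, idx_b) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"entries {idx_a} and {idx_b} overlap")
    return findings


def diff_mbr(image_a: bytes, image_b: bytes) -> Dict:
    """Report which regions of two MBR images differ.  Boot code that changed
    while the partition table stayed intact is the pattern to look for when a
    user-mode read and a kernel-mode read of the MBR disagree, as in the
    'user != kernel MBR' line of the scan output earlier in this thread."""
    if len(image_a) != MBR_SIZE or len(image_b) != MBR_SIZE:
        raise ValueError("both images must be full 512-byte MBRs")
    changed = [i for i in range(MBR_SIZE) if image_a[i] != image_b[i]]
    return {
        "boot_code": any(i < PT_OFFSET for i in changed),
        "partition_table": any(PT_OFFSET <= i < SIG_OFFSET for i in changed),
        "signature": any(i >= SIG_OFFSET for i in changed),
        "changed_bytes": len(changed),
    }


def build_sample_mbr() -> bytes:
    """Constructed stand-in for a single-NTFS-partition XP disk (not from the thread)."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (PT_OFFSET - 7)
    entry = struct.pack("<B3sB3sII",
                        0x80, b"\x01\x01\x00",      # active flag, CHS start (placeholder)
                        0x07, b"\xfe\xff\xff",      # NTFS type, CHS end (placeholder)
                        63, 488281187)              # LBA 63, roughly a 250 GB disk
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def load_mbr(path: str) -> bytes:
    """Read an MBR image file such as backup_mbr.dat from disk."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


if __name__ == "__main__":
    before = build_sample_mbr()
    # constructed second copy whose boot code differs while the table is untouched
    after = bytearray(before)
    after[0:3] = b"\xeb\x3c\x90"
    print("partition 0:", parse_mbr(before)["partitions"][0])
    print("findings:", sanity_findings(before) or "none")
    print("diff:", diff_mbr(before, bytes(after)))
```

To compare two real backups, replace the constructed images with `load_mbr("backup_mbr.dat")` and `load_mbr("backup_mbr_after.dat")`.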

Re: Can NOT receive WAN requests--LAN is OK

Unread postby a1sound » June 1st, 2011, 10:48 pm

Hi askey127,

I rewrote the MBR as requested. The system was still not reachable from the WAN side.

The router will pass these requests on the LAN side. I know port forwarding is working because one port comes in as :5150 and is passed to the LAN as :5051. This works on LAN computers but not on WAN computers. Nothing works from the WAN side.

I rebooted again just to be sure, and still it did not work. You mentioned not to run any scans without being asked, so I stopped there.

What is the next step?

Cheers,
Buzz.
a1sound
Regular Member
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA

Re: Can NOT receive WAN requests--LAN is OK

Unread postby askey127 » June 2nd, 2011, 5:48 am

a1sound,
OK.
Now let's see whether any infected files, etc. have been uncovered.
-----------------------------------------------
Update and Scan with Antivir
Right click the red umbrella icon and choose Start Antivir.
When the window comes up click Start Update.
When the update is complete, click on Scan System Now.
This full scan could take an hour or more.
It will ask what to do with any item it finds.
IMPORTANT >> tell it to DELETE or QUARANTINE any items it finds.
-----------------------------------------------
Get Last Avira Report
Right click the red umbrella icon in the system tray and click Start Antivir
In the left pane, click Overview, then click Reports
There will be reports titled Update and reports titled Scan. Find the most recent report in the list titled Scan.
Click on the Report File button, or Right click the report and choose Display Report.
The report contents will come up in Notepad. Highlight the entire report (Ctrl+A) and copy to the clipboard (Ctrl+C).
Paste the contents (Ctrl+V) into your next reply.
----------------------------------------------------------------------------------
Download and Run MalwareBytes' Anti-Malware It is free for non-business use.
Please go here to the Download Location, click on Download.
  • After clicking on the download and choosing Save, the "Save to location" dialog will come up.
  • Choose Desktop as the location to save the installer and click Save again.
  • You should now have a desktop icon named mbam-setup.exe. Double-click it.
  • Let it install the program where it wants to, with the default settings, and click Finish.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except those in the C:\System Volume Information folder, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any "Scan" log listed to open its contents.
  • Recent logs are named by time/date stamp in this format: mbam-log-2011-mm-dd(hour-min-sec).txt
  • You can now delete the installer icon, named mbam-setup.exe from your desktop.

askey127
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Can NOT receive WAN requests--LAN is OK

Unread postby a1sound » June 2nd, 2011, 2:43 pm

Hi askey127,

I ran Avira and did a scan. The results are posted below. I loaded mbam and it found nothing. That log is below as well.

After the run, I restarted the server and still had no improvement. I have noticed that before this run, the FTP server had to be manually started--it used to start itself, and now TeamViewer will not work as the destination. I have looked over the settings on Outpost and found nothing wrong.

Here are the logs..

Avira AntiVir Personal - Free Antivirus Updater
Complete product update

Creation time: Thu Jun 02 03:27:20 2011


Operating system:
Windows XP (Service Pack 3) [5.1.2600] 32 bit

Product information:
Product version: 10.0.0.648
Updater: C:\Program Files\Avira\AntiVir Desktop\update.exe 10.0.0.37
Update resource: C:\Program Files\Avira\AntiVir Desktop\updaterc.dll 10.0.9.0
Library: C:\Program Files\Avira\AntiVir Desktop\update.dll 0.1.0.44
Plugin: C:\Program Files\Avira\AntiVir Desktop\updext.dll 10.0.0.8
GUI: C:\Program Files\Avira\AntiVir Desktop\updgui.dll 10.0.2.0

Temp Directory: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\
Backup folder: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\BACKUP\
Installation Directory: C:\Program Files\Avira\AntiVir Desktop\
Updater folder: C:\Program Files\Avira\AntiVir Desktop\
AppData folder: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\

Proxy settings:
System settings used

03:27:21 [UPD] [INFO] Checking whether newer files are available.
03:27:21 [UPD] [INFO] Select update server 'http://80.190.143.240/update'.
03:27:21 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/idx/master.idx' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\master.idx'.
03:27:27 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/idx/wks_avira10-win32-en-pecl.idx' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\wks_avira10-win32-en-pecl.idx'.
03:27:27 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/idx/wks_avira10-win32-en-pecl.info.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\wks_avira10-win32-en-pecl.info.gz'.
03:27:28 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/idx/vdf.info.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\vdf.info.gz'.
03:27:32 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/idx/rdf-common-int.info.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\rdf-common-int.info.gz'.
03:27:32 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/idx/ave2-win32-int.info.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\ave2-win32-int.info.gz'.
03:27:33 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/idx/wks_avira10-win32-en-pecl-info.info.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\wks_avira10-win32-en-pecl-info.info.gz'.
03:27:33 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/idx/hips-win32-int.info.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\hips-win32-int.info.gz'.
03:27:33 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/idx/scanner-win32-int.info.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\scanner-win32-int.info.gz'.
03:27:33 [UPD] [INFO] Compare local files with status of update server
03:27:33 [UPD] [INFO] Checking module SELFUPDATE:
03:27:33 [UPD] [INFO] Checking module VDF:
03:27:33 [UPD] [INFO] File 'n_vdf/vbase013.vdf' (local, server): 7.11.8.187 < 7.11.8.222
03:27:33 [UPD] [INFO] File 'n_vdf/vbase014.vdf' (local, server): 7.11.8.188 < 7.11.8.223
03:27:33 [UPD] [INFO] File 'n_vdf/vbase015.vdf' (local, server): 7.11.8.189 < 7.11.8.224
03:27:33 [UPD] [INFO] File 'n_vdf/vbase016.vdf' (local, server): 7.11.8.190 < 7.11.8.225
03:27:33 [UPD] [INFO] File 'n_vdf/vbase017.vdf' (local, server): 7.11.8.191 < 7.11.8.226
03:27:33 [UPD] [INFO] File 'n_vdf/vbase018.vdf' (local, server): 7.11.8.192 < 7.11.8.227
03:27:33 [UPD] [INFO] File 'n_vdf/vbase019.vdf' (local, server): 7.11.8.193 < 7.11.8.228
03:27:33 [UPD] [INFO] File 'n_vdf/vbase020.vdf' (local, server): 7.11.8.194 < 7.11.8.229
03:27:33 [UPD] [INFO] File 'n_vdf/vbase021.vdf' (local, server): 7.11.8.195 < 7.11.8.230
03:27:33 [UPD] [INFO] File 'n_vdf/vbase022.vdf' (local, server): 7.11.8.196 < 7.11.8.231
03:27:33 [UPD] [INFO] File 'n_vdf/vbase023.vdf' (local, server): 7.11.8.197 < 7.11.8.232
03:27:33 [UPD] [INFO] File 'n_vdf/vbase024.vdf' (local, server): 7.11.8.198 < 7.11.8.233
03:27:33 [UPD] [INFO] File 'n_vdf/vbase025.vdf' (local, server): 7.11.8.199 < 7.11.8.234
03:27:33 [UPD] [INFO] File 'n_vdf/vbase026.vdf' (local, server): 7.11.8.200 < 7.11.8.235
03:27:33 [UPD] [INFO] File 'n_vdf/vbase027.vdf' (local, server): 7.11.8.201 < 7.11.8.236
03:27:33 [UPD] [INFO] File 'n_vdf/vbase028.vdf' (local, server): 7.11.8.202 < 7.11.8.237
03:27:33 [UPD] [INFO] File 'n_vdf/vbase029.vdf' (local, server): 7.11.8.203 < 7.11.8.238
03:27:33 [UPD] [INFO] File 'n_vdf/vbase030.vdf' (local, server): 7.11.8.204 < 7.11.8.239
03:27:33 [UPD] [INFO] File 'n_vdf/vbase031.vdf' (local, server): 7.11.8.220 < 7.11.8.245
03:27:33 [UPD] [INFO] File 'n_vdf/aevdf.dat' (local, server): 7.11.8.220 < 7.11.8.245
03:27:33 [UPD] [INFO] Checking module RDF:
03:27:33 [UPD] [INFO] Checking module AVE2:
03:27:33 [UPD] [INFO] File 'ave2/win32/int/aeheur.dll' (local, server): 8.1.2.122 < 8.1.2.123
03:27:33 [UPD] [INFO] File 'ave2/win32/int/aeoffice.dll' (local, server): 8.1.1.23 < 8.1.1.25
03:27:33 [UPD] [INFO] File 'ave2/win32/int/aesbx.dll' (local, server): 8.2.1.33 < 8.2.1.34
03:27:33 [UPD] [INFO] File 'ave2/win32/int/aeset.dat' (local, server): 8.2.5.6 < 8.2.5.12
03:27:33 [UPD] [INFO] Checking module MAIN:
03:27:34 [UPD] [INFO] The IGNORE flag is set for the file 'wks_avira10/win32/en/pecl/filelist.ini'. The file will therefore not be taken into account.
03:27:34 [UPD] [INFO] The IGNORE flag is set for the file 'wks_avira10/win32/en/pecl/insthlp.exe'. The file will therefore not be taken into account.
03:27:34 [UPD] [INFO] The IGNORE flag is set for the file 'wks_avira10/win32/en/pecl/presetup.exe'. The file will therefore not be taken into account.
03:27:34 [UPD] [INFO] File'wks_avira10/win32/en/pecl/en-us/quicksysscan.avp' is already installed and is not being updated.
03:27:34 [UPD] [INFO] The IGNORE flag is set for the file 'wks_avira10/win32/en/pecl/vcredist_x86.exe'. The file will therefore not be taken into account.
03:27:34 [UPD] [INFO] Checking module COMMAPPDATA_AV:
03:27:34 [UPD] [INFO] File'wks_avira10/win32/en/pecl/addr_file.html' is already installed and is not being updated.
03:27:34 [UPD] [INFO] Checking module COMMAPP:
03:27:34 [UPD] [INFO] File'wks_avira10/win32/en/pecl/en-us/produpd.avj' is already installed and is not being updated.
03:27:34 [UPD] [INFO] File'wks_avira10/win32/en/pecl/en-us/scanjob.avj' is already installed and is not being updated.
03:27:34 [UPD] [INFO] File'wks_avira10/win32/en/pecl/en-us/startupd.avj' is already installed and is not being updated.
03:27:34 [UPD] [INFO] File'wks_avira10/win32/en/pecl/en-us/updjob.avj' is already installed and is not being updated.
03:27:34 [UPD] [INFO] Checking module COMMAPDATA_AV_PROFILES:
03:27:34 [UPD] [INFO] File'wks_avira10/win32/en/pecl/en-us/folder.avp' is already installed and is not being updated.
03:27:34 [UPD] [INFO] Checking module TEXT:
03:27:34 [UPD] [INFO] The IGNORE flag is set for the file 'wks_avira10/win32/en/pecl/en-us/eula.txt'. The file will therefore not be taken into account.
03:27:34 [UPD] [INFO] Checking module DRV:
03:27:34 [UPD] [INFO] Checking module PRODINFO:
03:27:34 [UPD] [INFO] Checking module HIPS:
03:27:34 [UPD] [INFO] Checking module SCANNER:
03:27:35 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\BACKUP\' requires 4182522 bytes of free disk space.
03:27:35 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\' requires 8449024 bytes of free disk space.
03:27:35 [UPD] [INFO] 'C:\Program Files\Avira\AntiVir Desktop\' requires 4224512 bytes of free disk space.
03:27:35 [UPD] [INFO] Disk space OK.
03:27:35 [UPD] [INFO] Drive: C:\, free capacity: 3834519552 bytes.
03:27:35 [UPD] [INFO] New files are being downloaded...
03:27:35 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase013.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase013.vdf.gz'.
03:27:44 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase014.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase014.vdf.gz'.
03:27:44 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase015.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase015.vdf.gz'.
03:27:44 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase016.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase016.vdf.gz'.
03:27:44 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase017.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase017.vdf.gz'.
03:27:45 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase018.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase018.vdf.gz'.
03:27:45 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase019.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase019.vdf.gz'.
03:27:46 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase020.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase020.vdf.gz'.
03:27:46 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase021.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase021.vdf.gz'.
03:27:46 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase022.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase022.vdf.gz'.
03:27:47 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase023.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase023.vdf.gz'.
03:27:47 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase024.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase024.vdf.gz'.
03:27:47 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase025.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase025.vdf.gz'.
03:27:47 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase026.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase026.vdf.gz'.
03:27:48 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase027.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase027.vdf.gz'.
03:27:49 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase028.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase028.vdf.gz'.
03:27:49 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase029.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase029.vdf.gz'.
03:27:50 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase030.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase030.vdf.gz'.
03:27:50 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/vbase031.vdf.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase031.vdf.gz'.
03:27:53 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/n_vdf/aevdf.dat.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\aevdf.dat.gz'.
03:27:53 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/ave2/win32/int/aeheur.dll.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\ave2\win32\int\aeheur.dll.gz'.
03:29:36 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/ave2/win32/int/aeoffice.dll.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\ave2\win32\int\aeoffice.dll.gz'.
03:29:43 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/ave2/win32/int/aesbx.dll.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\ave2\win32\int\aesbx.dll.gz'.
03:29:53 [UPD] [INFO] Downloading of 'http://80.190.143.240/update/ave2/win32/int/aeset.dat.gz' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\ave2\win32\int\aeset.dat.gz'.
03:29:53 [UPD] [INFO] The program is running as an unrestricted full version.
03:30:05 [UPD] [INFO] The engine was successfully validated.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase013.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase013.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase014.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase014.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase015.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase015.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase016.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase016.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase017.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase017.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase018.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase018.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase019.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase019.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase020.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase020.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase021.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase021.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase022.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase022.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase023.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase023.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase024.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase024.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase025.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase025.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase026.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase026.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase027.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase027.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase028.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase028.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase029.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase029.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase030.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase030.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase031.vdf' was copied to 'C:\Program Files\Avira\AntiVir Desktop\vbase031.vdf'.
03:30:05 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\aevdf.dat' was copied to 'C:\Program Files\Avira\AntiVir Desktop\aevdf.dat'.
03:30:07 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\ave2\win32\int\aeheur.dll' was copied to 'C:\Program Files\Avira\AntiVir Desktop\aeheur.dll'.
03:30:08 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\ave2\win32\int\aeoffice.dll' was copied to 'C:\Program Files\Avira\AntiVir Desktop\aeoffice.dll'.
03:30:09 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\ave2\win32\int\aesbx.dll' was copied to 'C:\Program Files\Avira\AntiVir Desktop\aesbx.dll'.
03:30:09 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\ave2\win32\int\aeset.dat' was copied to 'C:\Program Files\Avira\AntiVir Desktop\aeset.dat'.
03:30:15 [UPD] [INFO] Re-initialization of Avira AntiVir Guard was successful.


Summary:
********
24 Files downloaded
24 Files installed
Downloaded file(s): vbase013.vdf 7.11.8.222; vbase014.vdf 7.11.8.223; vbase015.vdf 7.11.8.224; vbase016.vdf 7.11.8.225; vbase017.vdf 7.11.8.226; vbase018.vdf 7.11.8.227; vbase019.vdf 7.11.8.228;
vbase020.vdf 7.11.8.229; vbase021.vdf 7.11.8.230; vbase022.vdf 7.11.8.231; vbase023.vdf 7.11.8.232; vbase024.vdf 7.11.8.233; vbase025.vdf 7.11.8.234; vbase026.vdf 7.11.8.235;
vbase027.vdf 7.11.8.236; vbase028.vdf 7.11.8.237; vbase029.vdf 7.11.8.238; vbase030.vdf 7.11.8.239; vbase031.vdf 7.11.8.245; aevdf.dat 7.11.8.245; aeheur.dll 8.1.2.123;
aeoffice.dll 8.1.1.25; aesbx.dll 8.2.1.34; aeset.dat 8.2.5.12;

Thu Jun 02 03:30:19 2011
The update was carried out successfully!


-=-=-




Avira AntiVir Personal
Report file date: Thursday, 02 June, 2011 03:31

Scanning for 2707773 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : SVENSKATEC

Version information:
BUILD.DAT : 10.0.0.648 31823 Bytes 2011-04-01 18:36:00
AVSCAN.EXE : 10.0.4.2 442024 Bytes 2011-04-02 00:07:43
AVSCAN.DLL : 10.0.3.0 46440 Bytes 2011-04-02 00:07:57
LUKE.DLL : 10.0.3.2 104296 Bytes 2011-04-02 00:07:53
LUKERES.DLL : 10.0.0.1 12648 Bytes 2010-02-11 07:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 2009-11-06 17:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 2010-12-14 23:15:47
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2011-02-09 23:15:47
VBASE003.VDF : 7.11.5.225 1980416 Bytes 2011-04-07 22:29:52
VBASE004.VDF : 7.11.8.178 2354176 Bytes 2011-05-31 18:59:24
VBASE005.VDF : 7.11.8.179 2048 Bytes 2011-05-31 18:59:25
VBASE006.VDF : 7.11.8.180 2048 Bytes 2011-05-31 18:59:25
VBASE007.VDF : 7.11.8.181 2048 Bytes 2011-05-31 18:59:25
VBASE008.VDF : 7.11.8.182 2048 Bytes 2011-05-31 18:59:26
VBASE009.VDF : 7.11.8.183 2048 Bytes 2011-05-31 18:59:26
VBASE010.VDF : 7.11.8.184 2048 Bytes 2011-05-31 18:59:27
VBASE011.VDF : 7.11.8.185 2048 Bytes 2011-05-31 18:59:27
VBASE012.VDF : 7.11.8.186 2048 Bytes 2011-05-31 18:59:27
VBASE013.VDF : 7.11.8.222 121856 Bytes 2011-06-02 10:27:44
VBASE014.VDF : 7.11.8.223 2048 Bytes 2011-06-02 10:27:44
VBASE015.VDF : 7.11.8.224 2048 Bytes 2011-06-02 10:27:44
VBASE016.VDF : 7.11.8.225 2048 Bytes 2011-06-02 10:27:44
VBASE017.VDF : 7.11.8.226 2048 Bytes 2011-06-02 10:27:45
VBASE018.VDF : 7.11.8.227 2048 Bytes 2011-06-02 10:27:45
VBASE019.VDF : 7.11.8.228 2048 Bytes 2011-06-02 10:27:46
VBASE020.VDF : 7.11.8.229 2048 Bytes 2011-06-02 10:27:46
VBASE021.VDF : 7.11.8.230 2048 Bytes 2011-06-02 10:27:46
VBASE022.VDF : 7.11.8.231 2048 Bytes 2011-06-02 10:27:47
VBASE023.VDF : 7.11.8.232 2048 Bytes 2011-06-02 10:27:47
VBASE024.VDF : 7.11.8.233 2048 Bytes 2011-06-02 10:27:47
VBASE025.VDF : 7.11.8.234 2048 Bytes 2011-06-02 10:27:47
VBASE026.VDF : 7.11.8.235 2048 Bytes 2011-06-02 10:27:48
VBASE027.VDF : 7.11.8.236 2048 Bytes 2011-06-02 10:27:49
VBASE028.VDF : 7.11.8.237 2048 Bytes 2011-06-02 10:27:49
VBASE029.VDF : 7.11.8.238 2048 Bytes 2011-06-02 10:27:50
VBASE030.VDF : 7.11.8.239 2048 Bytes 2011-06-02 10:27:50
VBASE031.VDF : 7.11.8.245 32768 Bytes 2011-06-02 10:27:53
Engineversion : 8.2.5.12
AEVDF.DLL : 8.1.2.1 106868 Bytes 2011-03-28 23:15:27
AESCRIPT.DLL : 8.1.3.65 1606010 Bytes 2011-05-30 22:30:20
AESCN.DLL : 8.1.7.2 127349 Bytes 2011-03-28 23:15:27
AESBX.DLL : 8.2.1.34 323957 Bytes 2011-06-02 10:29:53
AERDL.DLL : 8.1.9.9 639347 Bytes 2011-03-25 19:21:38
AEPACK.DLL : 8.2.6.8 557430 Bytes 2011-05-30 22:30:18
AEOFFICE.DLL : 8.1.1.25 205178 Bytes 2011-06-02 10:29:43
AEHEUR.DLL : 8.1.2.123 3502456 Bytes 2011-06-02 10:29:36
AEHELP.DLL : 8.1.17.2 246135 Bytes 2011-05-30 22:30:11
AEGEN.DLL : 8.1.5.6 401780 Bytes 2011-05-30 22:30:10
AEEMU.DLL : 8.1.3.0 393589 Bytes 2011-03-28 23:15:19
AECORE.DLL : 8.1.21.1 196983 Bytes 2011-05-30 22:30:10
AEBB.DLL : 8.1.1.0 53618 Bytes 2011-03-28 23:15:19
AVWINLL.DLL : 10.0.0.0 19304 Bytes 2011-03-28 23:15:31
AVPREF.DLL : 10.0.0.0 44904 Bytes 2011-04-02 00:07:42
AVREP.DLL : 10.0.0.10 174120 Bytes 2011-05-30 22:30:22
AVREG.DLL : 10.0.3.2 53096 Bytes 2011-04-02 00:07:42
AVSCPLR.DLL : 10.0.4.2 84840 Bytes 2011-04-02 00:07:43
AVARKT.DLL : 10.0.22.6 231784 Bytes 2011-04-02 00:07:38
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 2011-04-02 00:07:41
SQLITE3.DLL : 3.6.19.0 355688 Bytes 2010-06-17 22:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 2011-03-28 23:15:30
NETNT.DLL : 10.0.0.0 11624 Bytes 2011-03-28 23:15:39
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 2011-04-02 00:07:58
RCTEXT.DLL : 10.0.58.0 97128 Bytes 2011-03-28 23:15:52

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, 02 June, 2011 03:31

Starting search for hidden objects.
c:\program files\teamviewer\version5\teamviewer.exe
c:\program files\teamviewer\version5\teamviewer.exe
[NOTE] The process is not visible.

The scan of running processes will be started
Scan process 'rsmsink.exe' - '28' Module(s) have been scanned
Scan process 'msdtc.exe' - '40' Module(s) have been scanned
Scan process 'dllhost.exe' - '62' Module(s) have been scanned
Scan process 'dllhost.exe' - '45' Module(s) have been scanned
Scan process 'vssvc.exe' - '48' Module(s) have been scanned
Scan process 'avscan.exe' - '67' Module(s) have been scanned
Scan process 'avcenter.exe' - '63' Module(s) have been scanned
Scan process 'jucheck.exe' - '48' Module(s) have been scanned
Scan process 'Serv-U.exe' - '56' Module(s) have been scanned
Scan process 'alg.exe' - '33' Module(s) have been scanned
Scan process 'DPH-50U Utility.exe' - '33' Module(s) have been scanned
Scan process 'VServ.exe' - '18' Module(s) have been scanned
Scan process 'TeamViewer_Service.exe' - '30' Module(s) have been scanned
Scan process 'SbieSvc.exe' - '22' Module(s) have been scanned
Scan process 'ppped.exe' - '27' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '36' Module(s) have been scanned
Scan process 'mysqld-nt.exe' - '22' Module(s) have been scanned
Scan process 'jqs.exe' - '33' Module(s) have been scanned
Scan process 'avshadow.exe' - '25' Module(s) have been scanned
Scan process 'hMailServer.exe' - '55' Module(s) have been scanned
Scan process 'DkService.exe' - '54' Module(s) have been scanned
Scan process 'D4.exe' - '45' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'avguard.exe' - '56' Module(s) have been scanned
Scan process 'SVList-WhiteGold-List.exe' - '54' Module(s) have been scanned
Scan process 'SVList-UNJO.exe' - '54' Module(s) have been scanned
Scan process 'SVList-Animal-List.exe' - '54' Module(s) have been scanned
Scan process 'DUMeter.exe' - '36' Module(s) have been scanned
Scan process 'DUSuperControler.exe' - '45' Module(s) have been scanned
Scan process 'DUSuperControler.exe' - '14' Module(s) have been scanned
Scan process 'ctfmon.exe' - '26' Module(s) have been scanned
Scan process 'Skype.exe' - '83' Module(s) have been scanned
Scan process 'Serv-U-Tray.exe' - '54' Module(s) have been scanned
Scan process 'SbieCtrl.exe' - '30' Module(s) have been scanned
Scan process 'pppeuser.exe' - '26' Module(s) have been scanned
Scan process 'avgnt.exe' - '52' Module(s) have been scanned
Scan process 'DLinkMonitor.exe' - '25' Module(s) have been scanned
Scan process 'jusched.exe' - '26' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '32' Module(s) have been scanned
Scan process 'D4.exe' - '28' Module(s) have been scanned
Scan process 'winpatrol.exe' - '43' Module(s) have been scanned
Scan process 'RUNDLL32.EXE' - '29' Module(s) have been scanned
Scan process 'rundll32.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'Explorer.EXE' - '94' Module(s) have been scanned
Scan process 'sched.exe' - '44' Module(s) have been scanned
Scan process 'spoolsv.exe' - '54' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '159' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'svchost.exe' - '51' Module(s) have been scanned
Scan process 'lsass.exe' - '58' Module(s) have been scanned
Scan process 'services.exe' - '27' Module(s) have been scanned
Scan process 'winlogon.exe' - '79' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!
Master boot sector HD5
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '385' files ).


Starting the file scan:

Begin scan in 'C:\' <Svenskatec>
C:\Documents and Settings\buzz\Desktop\zzz.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[0] Archive type: NSIS
--> ProgramFilesDir/handle.cfxxe
[1] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
Begin scan in 'D:\' <HoneyPot>
D:\_downloads\2011\110531\zzz.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[0] Archive type: NSIS
--> ProgramFilesDir/handle.cfxxe
[1] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

Beginning disinfection:
D:\_downloads\2011\110531\zzz.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4c9c2359.qua'.
C:\Documents and Settings\buzz\Desktop\zzz.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '540b0cfe.qua'.


End of the scan: Thursday, 02 June, 2011 05:51
Used time: 1:08:25 Hour(s)

The scan has been done completely.

7483 Scanned directories
571343 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
571341 Files not concerned
23942 Archives were scanned
0 Warnings
3 Notes
264617 Objects were scanned with rootkit scan
1 Hidden objects were found


-=-=-


Malwarebytes' Anti-Malware 1.51.0.1200
http://www.malwarebytes.org

Database version: 6754

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2011.06.02 11:00:38
mbam-log-2011-06-02 (11-00-38).txt

Scan type: Quick scan
Objects scanned: 148318
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


-=-=-


Hope this helps. Can you think of any settings I missed? Remember, I have earlier tried giving the server the fixed IP of <air.zz.com> and bypassed the router and switch and plugged right into the modem. The server could call out with the browsers, but went invisible on incoming requests. Outpost flagged the attempt to connect coming in, the list software responded, and then the connection was shut down by the server somehow. I reverted the system back to LAN and reconnected it to the <air.zz.com> router.

I'm wondering if the MBR was rewritten on shutdown. Should all this be done in Safe Mode with Internet? Each shot at this is a bit stressful, and I hate to see the server degrade as it seems to be doing. I'm not sure I can find the install for the FTP site--the modern version is expensive and must be renewed yearly. Mine was a one shot permanent payment.

I caught your post at ~0300 and got some of the work done hoping to respond before you logged off, but by 0700, I was too zonked to work securely.

Thanks for helping. Any other thoughts?

Cheers,
Buzz.
a1sound
Regular Member
 
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA

Re: Can NOT receive WAN requests--LAN is OK

Unread postby askey127 » June 2nd, 2011, 4:15 pm

buzz,
I do think your system is free of malware now.
However, since a bootkit has complete control over the machine while it's in residence, there is no way to know what modifications or system settings corruptions may have occurred.

This site will not be able to help you with the Server Setup issues. You will need a Systems/Networking site for that.
We are completely Security oriented, and have all we can do keeping up with that side of things.

You may need to Uninstall/Re-Install some software to get things running the way you want.
At least, now, any changes you make will not have the bootkit interfering with the results.

If you open OTL and hit the cleanup button, it will clean out the tools we use.
(As you can see from the log, Antivir already wiped ComboFix, zzz.exe).

Good Luck,
askey127
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA