Hi markamus,
Before I follow your latest instructions, I should let you know that I have been busy trying to do what I can to clean up this PC. I’ve been generally following some of the guidelines suggested in various forum topics on this site (such as the “So how did I get infected in the first place” page). I hope that I have not done anything that has wasted your time.
Things I’ve done after my last post and prior to your last post:
(Since I started (Dec 27th) on this ‘clean up my PC quest’, I’ve been keeping a log of major actions I’ve taken - I’m now on page 38 of that document! So please forgive me if I get too verbose - just like to write everything down.)
1) I uninstalled Norton Anti-Virus 2003 and all of the several Norton and Symantec components that were listed in Add/Remove Programs.
2) I installed Avast Anti-Virus Home Edition 4.7 on Jan 3. It did a boot time scan and found: TrojanHunter.exe was infected with win32:Delf-HHG [Trj]. I was given 9 choices as to what to do (delete, delete all, move, move all, repair, repair all, a few others); I chose Exit - and assume I did nothing. I suspect that this was a false infection - but don’t know.
3) NOTE: When I ran ComboFix the first time on Jan 2nd, it changed the system date to the 3rd. I did not notice till the 4th (actually the next day - so the 3rd) - caused a lot of confusion for me since I had written many log entries to my log doc, that all had the wrong date stamp, and the Avast install was also confused because after I installed it, I fixed the date back one day, so it thought that updates were already up to date....
4) I uninstalled the P2P programs. Will not use them again.
5) I ran the online Java version of TrendMicro HouseCall 6.5. It found 67 problems in several categories. All were removed and a second run was clean. (NOTE: The very first time I tried to use version 6.6 of HouseCall, it crashed the browser while installing the components. On a second try, I used 6.5, and it found plenty of problems, but it crashed just as the scan completed. Third try of 6.5 worked fine - odd thing is I have a C:\Documents and Settings\Admin\.housecall6.6 folder that seems to be where the 6.5 version quarantined the files it found. I'd like to get rid of that whole folder.)
6) I installed and ran ATF Cleaner on Jan 4th. I hoped it would delete two index.dat files in C:\Documents and Settings\Admin\Cookies and in C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5 - but neither was deleted. I tried to delete them manually in Safe Mode - but no luck. I suspect they are bad things simply because I can not delete them - and I routinely delete all these files several times a week.
7) I ran Ad-Aware - found nothing.
I ran SpyBot - found nothing.
I ran Avast - it found 4 Trojans - all were from previous, other fix programs - Three were from restore points.
So, based on the above and what I’ve learned so far, I think I can go ahead with all of your instructions.
So, I got the latest ComboFix and ran it! Oops! I forgot that I was supposed to drag in the CFScript file. Hope that was not a really bad thing. The log for that run of ComboFix is just below. I see this run of ComboFix removed the nrwglgiu.ini file, and I already removed all the Symantec files, but I’m still going to drag in the CFScript as is - and post a second log from that down below.
Here is the first ComboFix log (run without dropping CFScript.txt):
ComboFix 08-01-07.4 - Admin 2008-01-06 21:26:24.2 -
FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.210 [GMT -6:00]
Running from: D:\Me-XP\Downloads\malware\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\SYSTEM32\nrwglgiu.ini
.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.
2008-01-04 12:37 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-01-04 12:37 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2008-01-04 12:37 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-01-04 12:37 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-01-04 12:37 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-01-04 12:37 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-01-04 12:37 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-01-04 12:37 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-01-02 12:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 13:48 . 2008-01-01 13:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-01 10:45 . 2008-01-01 10:45 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2007-12-31 15:34 . 2007-12-31 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-31 15:30 . 2007-12-31 15:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 09:31 . 2007-12-31 09:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 18:05 . 2007-12-30 18:06 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\TrojanHunter
2007-12-30 13:21 . 2007-12-30 13:21 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-30 12:09 . 2007-12-30 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 12:09 . 2007-12-30 12:09 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\PrevxCSI
2007-12-29 09:19 . 2007-12-29 09:19 <DIR> d-------- C:\VundoFix Backups
2007-12-23 07:58 . 2007-12-23 07:58 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\BitTorrent
2007-12-23 07:55 . 2007-12-23 07:55 <DIR> d-------- C:\Program Files\DNA
2007-12-12 10:03 . 2007-12-12 10:06 23,110 --a------ C:\WINDOWS\SYSTEM32\productregistry
2007-12-12 09:44 . 2007-12-12 09:44 <DIR> d-------- C:\Documents and Settings\Admin\.SunDownloadManager
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-11-09 19:49 --------- d-----w C:\Documents and Settings\Admin\Application Data\Logitech
2007-11-09 19:48 --------- d-----w C:\Program Files\Common Files\Logitech
2007-11-09 19:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-11-09 19:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\InstallShield
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ------w C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-10-10 23:56 102,400 ------w C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2000-09-30 00:58 271 --sh--w C:\Program Files\desktop.ini
2000-09-30 00:58 23,357 ---h--w C:\Program Files\folder.htt
.
----a-w 54,296 2007-12-30 15:48:02 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
((((((((((((((((((((((((((((( snapshot@2008-01-03_12.47.02.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2008-01-07 01:40:34 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_3c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}
[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"THGuard"="D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31 1046688]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 14:50 66048 C:\WINDOWS\SYSTEM32\SK9910DM.EXE]
"avast!"="D:\Me-XP\UTILAV~1\ashDisp.exe" [2007-12-04 07:00 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZoneAlarm.lnk - D:\Me-XP\Util\ZoneAlarm\zonealarm.exe [2003-04-10 00:44:56]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"BCMDMMSG"=BCMDMMSG.exe
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"UpdReg"=C:\WINDOWS\Updreg.exe
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"nwiz"=nwiz.exe /install
"Hot Key Kbd 9910 Daemon"=SK9910DM.EXE
"GRA"=C:\CABS\grainstall\GRA.exe
"Corel Reminder"="C:\PROGRAM FILES\COREL\GRAPHICS10\REGISTER\NAVBROWSER.EXE" /r /i "C:\PROGRAM FILES\COREL\GRAPHICS10\REGISTER\NavLoad.ini"
"QAGENT"=C:\PROGRAM FILES\QUICKENW\QAGENT.EXE
R2 CVS;CVSNT;D:\Me-XP\Util\cvsnt\cvsservice.exe [2004-10-29 14:03]
R2 IOPort;IOPort;C:\WINDOWS\system32\DRIVERS\IOPORT.SYS [1998-11-27 15:57]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);"d:\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 []
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\system32\DRIVERS\HCWBT8XX.sys [2002-03-01 00:35]
S4 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 14:40:34 C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-01-06 21:29:05
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"="\"d:\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQLEXPRESS"
--
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="D:/Me-XP/mysql/bin/mysqld-nt.exe"
.
Completion time: 2008-01-06 21:29:42
ComboFix-quarantined-files.txt 2008-01-07 03:29:40
ComboFix2.txt 2008-01-03 19:03:22
.
2007-12-12 09:04:05 --- E O F ---
Here is the second ComboFix log (run with dropping CFScript.txt):
ComboFix 08-01-07.4 - Admin 2008-01-07 10:20:23.3 -
FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\SYSTEM32\nrwglgiu.ini
.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.
2008-01-04 12:37 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-01-04 12:37 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2008-01-04 12:37 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-01-04 12:37 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-01-04 12:37 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-01-04 12:37 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-01-04 12:37 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-01-04 12:37 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-01-02 12:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 13:48 . 2008-01-01 13:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-01 10:45 . 2008-01-01 10:45 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2007-12-31 15:34 . 2007-12-31 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-31 15:30 . 2007-12-31 15:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 09:31 . 2007-12-31 09:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 18:05 . 2007-12-30 18:06 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\TrojanHunter
2007-12-30 13:21 . 2007-12-30 13:21 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-30 12:09 . 2007-12-30 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 12:09 . 2007-12-30 12:09 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\PrevxCSI
2007-12-29 09:19 . 2007-12-29 09:19 <DIR> d-------- C:\VundoFix Backups
2007-12-23 07:58 . 2007-12-23 07:58 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\BitTorrent
2007-12-23 07:55 . 2007-12-23 07:55 <DIR> d-------- C:\Program Files\DNA
2007-12-12 10:03 . 2007-12-12 10:06 23,110 --a------ C:\WINDOWS\SYSTEM32\productregistry
2007-12-12 09:44 . 2007-12-12 09:44 <DIR> d-------- C:\Documents and Settings\Admin\.SunDownloadManager
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-11-09 19:49 --------- d-----w C:\Documents and Settings\Admin\Application Data\Logitech
2007-11-09 19:48 --------- d-----w C:\Program Files\Common Files\Logitech
2007-11-09 19:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-11-09 19:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\InstallShield
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ------w C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-10-10 23:56 102,400 ------w C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2000-09-30 00:58 271 --sh--w C:\Program Files\desktop.ini
2000-09-30 00:58 23,357 ---h--w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((( snapshot@2008-01-03_12.47.02.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2008-01-07 01:40:34 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_3c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}
[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"THGuard"="D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31 1046688]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 14:50 66048 C:\WINDOWS\SYSTEM32\SK9910DM.EXE]
"avast!"="D:\Me-XP\UTILAV~1\ashDisp.exe" [2007-12-04 07:00 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZoneAlarm.lnk - D:\Me-XP\Util\ZoneAlarm\zonealarm.exe [2003-04-10 00:44:56]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"BCMDMMSG"=BCMDMMSG.exe
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"UpdReg"=C:\WINDOWS\Updreg.exe
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"nwiz"=nwiz.exe /install
"Hot Key Kbd 9910 Daemon"=SK9910DM.EXE
"GRA"=C:\CABS\grainstall\GRA.exe
"Corel Reminder"="C:\PROGRAM FILES\COREL\GRAPHICS10\REGISTER\NAVBROWSER.EXE" /r /i "C:\PROGRAM FILES\COREL\GRAPHICS10\REGISTER\NavLoad.ini"
"QAGENT"=C:\PROGRAM FILES\QUICKENW\QAGENT.EXE
R2 CVS;CVSNT;D:\Me-XP\Util\cvsnt\cvsservice.exe [2004-10-29 14:03]
R2 IOPort;IOPort;C:\WINDOWS\system32\DRIVERS\IOPORT.SYS [1998-11-27 15:57]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);"d:\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 []
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\system32\DRIVERS\HCWBT8XX.sys [2002-03-01 00:35]
S4 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 14:40:34 C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-01-07 10:22:46
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"="\"d:\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQLEXPRESS"
--
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="D:/Me-XP/mysql/bin/mysqld-nt.exe"
.
Completion time: 2008-01-07 10:23:40
ComboFix-quarantined-files.txt 2008-01-07 16:23:38
ComboFix3.txt 2008-01-03 19:03:22
ComboFix2.txt 2008-01-07 03:29:44
.
2007-12-12 09:04:05 --- E O F ---
I then ran CCleaner (and wish I had a log, just because), but it sure did delete a ton of crap - some 665MB!
I then ran the Kaspersky Online Scanner - but, I should say that I had a hard time finding it. Your link to
http://www.kaspersky.com/virusscanner brought me to the site ok, but there was no clear indication of how or where to start an online scan. I even did a search of the Kaspersky site for 'Online scanner' and only got hits on news articles about the top 20 infections found with online scanner - but not a clue as to where or how to start the online scanner. But Google led me to
http://www.kaspersky.com/kos/eng/partne ... bscan.html and the scan took over 5 hours, and found 5 viruses and 22 infected objects.
The Kaspersky log is below: (NOTE, I redacted the email names of me and my sister who, I now see, sent me a bad joke virus many years ago. All the crap from the pclink.com email account is very old junk.)
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 07, 2008 5:40:36 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/01/2008
Kaspersky Anti-Virus database records: 503726
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
T:\
U:\
Scan Statistics:
Total number of scanned objects: 201089
Number of viruses found: 5
Number of infected objects: 22
Number of suspicious objects: 0
Duration of the scan process: 05:17:17
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_3bc.dat Object is locked skipped
C:\WINDOWS\TEMP\ZLT07be8.TMP Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\GATEWAY1200.ldb Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9532B7DF-E6EF-41E4-B65E-013C9C1E22BE}.bin Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\Program Files\Corel\WordPerfect Office 2000\programs\pfdtlr.dat Object is locked skipped
C:\Program Files\Corel\WordPerfect Office 2000\programs\pfdtlr.ndx Object is locked skipped
C:\Program Files\Corel\WordPerfect Office 2000\template\Custom WP Templates\qw9en.wpt Object is locked skipped
C:\Program Files\Corel\WordPerfect Office 2000\template\Custom WP Templates\XML\XML.wpt Object is locked skipped
C:\Program Files\Corel\WordPerfect Office 2000\template\Custom WP Templates\wp9US.wpt Object is locked skipped
C:\Program Files\Apache Group\Apache2\logs\access.log Object is locked skipped
C:\Program Files\Apache Group\Apache2\logs\error.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_7a0.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012008010720080108\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\wt95FF.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\wt9600.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DF4E75.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DF4E7F.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\wt9A.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\wt9B.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\wt9C.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\wt9D.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\wt9E.tmp Object is locked skipped
C:\Documents and Settings\Admin\My Documents\Corel User Files\WT9US.UWL Object is locked skipped
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\opnnkkl.dll.bad.bac_a02948 Infected: not-a-virus:AdWare.Win32.Virtumonde.clz skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\msmetvfy.dll.bad.bac_a02948 Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\backups.zip.bac_a02948/backups/Yazzle1552OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\backups.zip.bac_a02948 ZIP: infected - 1 skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\backups.zip.bac_a02948 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\ursqp.exe.vir.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211503.EXE.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211599.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211617.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211626.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211739.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211807.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211819.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211856.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211865.EXE.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211888.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\ursqp.exe.bad.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{DCA9B734-B7CB-4718-A8C0-CB56CC72EB4E}\RP1658\change.log Object is locked skipped
D:\Me-XP\My WordPerfect\Trojan.wpd Object is locked skipped
D:\Me-XP\My Saved Files\Nec266\Mozilla\Profiles\-----@pclink-1.com\8zqr0fc3.slt\Mail\pclink.com\Inbox.sbd\Personal/[From -----@msi-insurance.com][Date Mon, 4 Mar 2002 14:58:27 -0600]/text/[From -----@msi-insurance.com][Date Wed, 13 Mar 2002 12:10:33 -0600]/text/[From -----@msi-insurance.com][Date Wed, 15 Jan 2003 12:36:10 -0600]/text/[From ----- ----- <-----@mm.com>][Date Thu, 22 Jan 1998 15:19:07 -0600]/small.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
D:\Me-XP\My Saved Files\Nec266\Mozilla\Profiles\-----@pclink-1.com\8zqr0fc3.slt\Mail\pclink.com\Inbox.sbd\Personal/[From -----@msi-insurance.com][Date Mon, 4 Mar 2002 14:58:27 -0600]/text/[From -----@msi-insurance.com][Date Wed, 13 Mar 2002 12:10:33 -0600]/text/[From -----@msi-insurance.com][Date Wed, 15 Jan 2003 12:36:10 -0600]/text Infected: not-virus:BadJoke.Win16.Stupid.a skipped
D:\Me-XP\My Saved Files\Nec266\Mozilla\Profiles\-----@pclink-1.com\8zqr0fc3.slt\Mail\pclink.com\Inbox.sbd\Personal/[From -----@msi-insurance.com][Date Mon, 4 Mar 2002 14:58:27 -0600]/text/[From -----@msi-insurance.com][Date Wed, 13 Mar 2002 12:10:33 -0600]/text Infected: not-virus:BadJoke.Win16.Stupid.a skipped
D:\Me-XP\My Saved Files\Nec266\Mozilla\Profiles\-----@pclink-1.com\8zqr0fc3.slt\Mail\pclink.com\Inbox.sbd\Personal/[From -----@msi-insurance.com][Date Mon, 4 Mar 2002 14:58:27 -0600]/text Infected: not-virus:BadJoke.Win16.Stupid.a skipped
D:\Me-XP\My Saved Files\Nec266\Mozilla\Profiles\-----@pclink-1.com\8zqr0fc3.slt\Mail\pclink.com\Inbox.sbd\Personal Mail Berkeley mbox: infected - 4 skipped
D:\Me-XP\mysql\data\mysql.err Object is locked skipped
D:\Me-XP\UtilAvast\DATA\log\nshield.log Object is locked skipped
D:\Me-XP\UtilAvast\DATA\aswResp.dat Object is locked skipped
D:\Me-XP\UtilAvast\DATA\Avast4.db Object is locked skipped
D:\System Volume Information\_restore{DCA9B734-B7CB-4718-A8C0-CB56CC72EB4E}\RP1658\change.log Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_68.trc Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
Scan process completed.
How is my PC running? Pretty good (thanks to you) for a 5-year-old XP install on a 7-year-old computer.
Thanks for your help,
bison7120