Tech Support Forum - View Single Post

ghsu · 07-04-2007, 08:41 AM

Ok, I did all of it. Here are the logs

ComboFix:

ComboFix 07-06-18.2 - C:\Documents and Settings\Owner\Desktop\misc\ComboFix.exe
"Owner" - 2007-07-03 19:12:33 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Owner\Desktop\misc\ComboFix-Do.txt

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 )))))))))))))))))))))))))))))))

2007-07-02 21:09 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-02 19:32 <DIR> d-------- C:\VundoFix Backups
2007-07-01 23:29 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-07-01 22:40 786,432 --ah----- C:\DOCUME~1\ADMINI~1.GEO\NTUSER.DAT
2007-07-01 22:40 <DIR> d---s---- C:\DOCUME~1\ADMINI~1.GEO\UserData
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\WINDOWS
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\VERITAS
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\Symantec
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\SampleView
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\Real
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\Leadertech
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\InterTrust
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\GlobalSCAPE
2007-07-01 22:05 234,718 --a------ C:\Temp\aZ001.exe
2007-07-01 22:05 <DIR> dra------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-07-01 22:04 <DIR> d-------- C:\Temp\iee
2007-07-01 13:40 <DIR> d-------- C:\WINDOWS\system32\CO
2007-07-01 13:40 <DIR> d-------- C:\WINDOWS\system32\CG
2007-07-01 13:10 <DIR> d-------- C:\WINDOWS\LG_Inno
2007-06-30 09:44 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-06-30 09:38 <DIR> d-------- C:\Program Files\Microsoft Works
2007-06-30 09:37 <DIR> d-------- C:\Program Files\MSBuild
2007-06-30 09:09 <DIR> dr-h----- C:\MSOCache
2007-06-27 16:23 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-06-27 16:23 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-04 02:28:25 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-04 02:08:16 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-07-02 05:05:43 -------- d-----w C:\Program Files\Windows NT
2007-07-01 23:57:38 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-01 01:56:51 11,973 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-30 16:05:44 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-06-30 04:01:17 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\dvdcss
2007-06-28 07:00:13 -------- d-----w C:\Program Files\NetAnts
2007-06-06 21:04:09 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-10 19:37:22 55,344 -c--a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-05-07 14:40:13 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\FALCOM
2007-05-06 16:39:46 -------- d-----w C:\Program Files\DAEMON Tools
2007-05-06 16:34:57 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-05-05 17:50:06 -------- d-----w C:\Program Files\BFG
2007-05-02 01:00:02 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-04-07 06:22:49 65,536 ----a-w C:\WINDOWS\IFinst27.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 00:48]
{BDF3E430-B101-42AD-A544-FADC6B084872}=c:\Program Files\Norton AntiVirus\NavShExt.dll [2002-11-15 08:09]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 21:56]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 08:01]
"nwiz"="nwiz.exe" [2002-12-12 03:00 C:\WINDOWS\system32\nwiz.exe]
"NAV CfgWiz"="c:\PROGRA~1\NORTON~1\Cfgwiz.exe" [2002-11-15 08:08]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-11-15 03:29]
"ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-15 03:29]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 17:40]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 17:40]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 17:40]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll,nViewLoadHook" []
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480

Contents of the 'Scheduled Tasks' folder
2007-07-02 15:27:01 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-03 19:27:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-03 19:32:40 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-03 19:32
C:\ComboFix2.txt ... 2007-07-02 19:17
C:\ComboFix3.txt ... 2007-07-02 08:45

--- E O F ---

HJT:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:35:35 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\misc\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1174424474562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174424615750
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5502 bytes

AntiVirus:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, July 04, 2007 7:40:22 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 4/07/2007
Kaspersky Anti-Virus database records: 335462
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 205808
Number of viruses found: 24
Number of infected objects: 55
Number of suspicious objects: 2
Duration of the scan process: 07:43:04

Infected Object Name / Virus Name / Last Action
C:\b26d20fef67befae984c33\common\eula.txt Object is locked skipped
C:\b26d20fef67befae984c33\common\spcustom.dll Object is locked skipped
C:\b26d20fef67befae984c33\common\spmsg.dll Object is locked skipped
C:\b26d20fef67befae984c33\common\spuninst.exe Object is locked skipped
C:\b26d20fef67befae984c33\common\update.exe Object is locked skipped
C:\b26d20fef67befae984c33\sp1\cryptui.dll Object is locked skipped
C:\b26d20fef67befae984c33\sp1\update\kb823182.cat Object is locked skipped
C:\b26d20fef67befae984c33\sp1\update\update.inf Object is locked skipped
C:\b26d20fef67befae984c33\sp1\update\update.ver Object is locked skipped
C:\b26d20fef67befae984c33\sp2\cryptui.dll Object is locked skipped
C:\b26d20fef67befae984c33\sp2\spmsg.dll Object is locked skipped
C:\b26d20fef67befae984c33\sp2\spuninst.exe Object is locked skipped
C:\b26d20fef67befae984c33\sp2\update\eula.txt Object is locked skipped
C:\b26d20fef67befae984c33\sp2\update\kb823182.cat Object is locked skipped
C:\b26d20fef67befae984c33\sp2\update\spcustom.dll Object is locked skipped
C:\b26d20fef67befae984c33\sp2\update\update.exe Object is locked skipped
C:\b26d20fef67befae984c33\sp2\update\update.inf Object is locked skipped
C:\b26d20fef67befae984c33\sp2\update\update.ver Object is locked skipped
C:\b26d20fef67befae984c33\xpsp1hfm.exe Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\60f714519f3ca43c6b1879489a93ebdb_309be83e-d71e-4a2d-ad86-cbcaa0af4ef1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea563f5ed0b8ea72081a19b9b561dd25_309be83e-d71e-4a2d-ad86-cbcaa0af4ef1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\java.jar-8fba448-7160b407.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\java.jar-8fba448-7160b407.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\java.jar-8fba448-7160b407.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-31f00108-504ba244.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-31f00108-504ba244.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-31f09a69-6670cbe8.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-31f09a69-6670cbe8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-69e89e9c.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-69e89e9c.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\loaderadv698.jar-b667ebb-59488282.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\loaderadv698.jar-b667ebb-59488282.zip/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\loaderadv698.jar-b667ebb-59488282.zip/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\loaderadv698.jar-b667ebb-59488282.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\Cache\0DA6FE7Fd01 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFC139.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\hp\region\EN_US-ie.reg Infected: Trojan.WinREG.StartPage skipped
C:\Program Files\NetPumper\ZM\minime.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\04BD2FA5.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\055B31A9.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\098158DC.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\098402D8.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\0A172BB3.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Program Files\Norton AntiVirus\Quarantine\115064A6.exe Infected: Backdoor.Win32.Livup.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\14DD58BA.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\1A810C6A.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Program Files\Norton AntiVirus\Quarantine\2A864CDA.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\32685C4F.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\3C413690.exe Infected: P2P-Worm.Win32.SpyBot.dg skipped
C:\Program Files\Norton AntiVirus\Quarantine\40BC2651.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\40C35282.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\48B34005.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\491B565E.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\501819E3.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\5865446A.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Program Files\Norton AntiVirus\Quarantine\5A752D0A.htm Infected: Trojan-Downloader.JS.Small.d skipped
C:\Program Files\Norton AntiVirus\Quarantine\5AF16882.htm Infected: Trojan-Downloader.JS.Small.d skipped
C:\Program Files\Norton AntiVirus\Quarantine\60297CC4.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\611D49B6.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\657B4B19.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\6CC26613.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\73981520 Infected: Exploit.HTML.Mht skipped
C:\Program Files\Outlook Express\w2.exe Infected: Backdoor.Win32.Hupigon.pv skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1549OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019698.exe/data0079 Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019698.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019795.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019796.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019803.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019809.exe Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019810.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019812.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019822.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\change.log Object is locked skipped
C:\Temp\aZ001.exe/data0006 Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Temp\aZ001.exe/data0007 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\Temp\aZ001.exe NSIS: infected - 2 skipped
C:\WINDOWS\$NtUninstallKB824141$\kb824141.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Down(0).exe Infected: Backdoor.Win32.Hupigon.bog skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cdees.exe Infected: Packed.Win32.NSAnti.a skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\Down(0).exe Infected: Packed.Win32.NSAnti.a skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\msCMTsrvc.exe Infected: Trojan-Downloader.Win32.Presario skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\change.log Object is locked skipped

Scan process completed.

Computer Condition:
The pop-ups have gone away, but I still suspect something foul is still here

07-04-2007, 08:41 AM	#5 (permalink)
ghsu Registered User Join Date: Jul 2007 Posts: 6 OS: XP SP2	Re: Please help me... Comp infected Ok, I did all of it. Here are the logs ComboFix: ComboFix 07-06-18.2 - C:\Documents and Settings\Owner\Desktop\misc\ComboFix.exe "Owner" - 2007-07-03 19:12:33 - Service Pack 2 NTFS Command switches used :: C:\Documents and Settings\Owner\Desktop\misc\ComboFix-Do.txt ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_DOMAINSERVICE -------\DomainService ((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 ))))))))))))))))))))))))))))))) 2007-07-02 21:09 <DIR> d-------- C:\WINDOWS\Prefetch 2007-07-02 19:32 <DIR> d-------- C:\VundoFix Backups 2007-07-01 23:29 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-07-01 22:40 786,432 --ah----- C:\DOCUME~1\ADMINI~1.GEO\NTUSER.DAT 2007-07-01 22:40 <DIR> d---s---- C:\DOCUME~1\ADMINI~1.GEO\UserData 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\WINDOWS 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\VERITAS 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\Symantec 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\SampleView 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\Real 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\Leadertech 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\InterTrust 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\GlobalSCAPE 2007-07-01 22:05 234,718 --a------ C:\Temp\aZ001.exe 2007-07-01 22:05 <DIR> dra------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor 2007-07-01 22:04 <DIR> d-------- C:\Temp\iee 2007-07-01 13:40 <DIR> d-------- C:\WINDOWS\system32\CO 2007-07-01 13:40 <DIR> d-------- C:\WINDOWS\system32\CG 2007-07-01 13:10 <DIR> d-------- C:\WINDOWS\LG_Inno 2007-06-30 09:44 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll 2007-06-30 09:38 <DIR> d-------- C:\Program Files\Microsoft Works 2007-06-30 09:37 <DIR> d-------- C:\Program Files\MSBuild 2007-06-30 09:09 <DIR> dr-h----- C:\MSOCache 2007-06-27 16:23 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll 2007-06-27 16:23 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-04 02:28:25 -------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-07-04 02:08:16 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\uTorrent 2007-07-02 05:05:43 -------- d-----w C:\Program Files\Windows NT 2007-07-01 23:57:38 -------- d--h--w C:\Program Files\InstallShield Installation Information 2007-07-01 01:56:51 11,973 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-06-30 16:05:44 -------- d-----w C:\Program Files\Microsoft ActiveSync 2007-06-30 04:01:17 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\dvdcss 2007-06-28 07:00:13 -------- d-----w C:\Program Files\NetAnts 2007-06-06 21:04:09 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll 2007-05-10 19:37:22 55,344 -c--a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT 2007-05-07 14:40:13 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\FALCOM 2007-05-06 16:39:46 -------- d-----w C:\Program Files\DAEMON Tools 2007-05-06 16:34:57 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-05-05 17:50:06 -------- d-----w C:\Program Files\BFG 2007-05-02 01:00:02 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2007-04-07 06:22:49 65,536 ----a-w C:\WINDOWS\IFinst27.exe ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38] {72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 00:48] {BDF3E430-B101-42AD-A544-FADC6B084872}=c:\Program Files\Norton AntiVirus\NavShExt.dll [2002-11-15 08:09] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 21:56] "StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 08:01] "nwiz"="nwiz.exe" [2002-12-12 03:00 C:\WINDOWS\system32\nwiz.exe] "NAV CfgWiz"="c:\PROGRA~1\NORTON~1\Cfgwiz.exe" [2002-11-15 08:08] "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-11-15 03:29] "ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-15 03:29] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 17:40] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 17:40] "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 17:40] "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NVIEW"="nview.dll,nViewLoadHook" [] "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 00:48] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] AutoRun\command- D:\Info.exe folder.htt 480 480 Contents of the 'Scheduled Tasks' folder 2007-07-02 15:27:01 C:\WINDOWS\tasks\Symantec NetDetect.job ************************************************************************ catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-03 19:27:49 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ************************************************************************ Completion time: 2007-07-03 19:32:40 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-07-03 19:32 C:\ComboFix2.txt ... 2007-07-02 19:17 C:\ComboFix3.txt ... 2007-07-02 08:45 --- E O F --- HJT: Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 7:35:35 PM, on 7/3/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\conime.exe c:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\svchost.exe C:\HP\KBD\KBD.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\DAEMON Tools\daemon.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wscntfy.exe c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\Owner\Desktop\misc\HiJackThis_v2.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1174424474562 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174424615750 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe -- End of file - 5502 bytes AntiVirus: ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Wednesday, July 04, 2007 7:40:22 AM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.93.0 Kaspersky Anti-Virus database last update: 4/07/2007 Kaspersky Anti-Virus database records: 335462 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: standard Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ H:\ Scan Statistics: Total number of scanned objects: 205808 Number of viruses found: 24 Number of infected objects: 55 Number of suspicious objects: 2 Duration of the scan process: 07:43:04 Infected Object Name / Virus Name / Last Action C:\b26d20fef67befae984c33\common\eula.txt Object is locked skipped C:\b26d20fef67befae984c33\common\spcustom.dll Object is locked skipped C:\b26d20fef67befae984c33\common\spmsg.dll Object is locked skipped C:\b26d20fef67befae984c33\common\spuninst.exe Object is locked skipped C:\b26d20fef67befae984c33\common\update.exe Object is locked skipped C:\b26d20fef67befae984c33\sp1\cryptui.dll Object is locked skipped C:\b26d20fef67befae984c33\sp1\update\kb823182.cat Object is locked skipped C:\b26d20fef67befae984c33\sp1\update\update.inf Object is locked skipped C:\b26d20fef67befae984c33\sp1\update\update.ver Object is locked skipped C:\b26d20fef67befae984c33\sp2\cryptui.dll Object is locked skipped C:\b26d20fef67befae984c33\sp2\spmsg.dll Object is locked skipped C:\b26d20fef67befae984c33\sp2\spuninst.exe Object is locked skipped C:\b26d20fef67befae984c33\sp2\update\eula.txt Object is locked skipped C:\b26d20fef67befae984c33\sp2\update\kb823182.cat Object is locked skipped C:\b26d20fef67befae984c33\sp2\update\spcustom.dll Object is locked skipped C:\b26d20fef67befae984c33\sp2\update\update.exe Object is locked skipped C:\b26d20fef67befae984c33\sp2\update\update.inf Object is locked skipped C:\b26d20fef67befae984c33\sp2\update\update.ver Object is locked skipped C:\b26d20fef67befae984c33\xpsp1hfm.exe Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\60f714519f3ca43c6b1879489a93ebdb_309be83e-d71e-4a2d-ad86-cbcaa0af4ef1 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea563f5ed0b8ea72081a19b9b561dd25_309be83e-d71e-4a2d-ad86-cbcaa0af4ef1 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\java.jar-8fba448-7160b407.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\java.jar-8fba448-7160b407.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\java.jar-8fba448-7160b407.zip ZIP: infected - 2 skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-31f00108-504ba244.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-31f00108-504ba244.zip ZIP: infected - 1 skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-31f09a69-6670cbe8.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-31f09a69-6670cbe8.zip ZIP: infected - 1 skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-69e89e9c.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-69e89e9c.zip ZIP: infected - 1 skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\loaderadv698.jar-b667ebb-59488282.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\loaderadv698.jar-b667ebb-59488282.zip/Counter.class Infected: Trojan.Java.ClassLoader.h skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\loaderadv698.jar-b667ebb-59488282.zip/Parser.class Infected: Trojan.Java.ClassLoader.d skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\loaderadv698.jar-b667ebb-59488282.zip ZIP: infected - 3 skipped C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\cert8.db Object is locked skipped C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\history.dat Object is locked skipped C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\key3.db Object is locked skipped C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\parent.lock Object is locked skipped C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\search.sqlite Object is locked skipped C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\urlclassifier2.sqlite Object is locked skipped C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\Cache\0DA6FE7Fd01 Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\Cache\_CACHE_001_ Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\Cache\_CACHE_002_ Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\Cache\_CACHE_003_ Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5i69d9v.default\Cache\_CACHE_MAP_ Object is locked skipped C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temp\~DFC139.tmp Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped C:\hp\region\EN_US-ie.reg Infected: Trojan.WinREG.StartPage skipped C:\Program Files\NetPumper\ZM\minime.exe Infected: Trojan.Win32.Obfuscated.en skipped C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped C:\Program Files\Norton AntiVirus\Quarantine\04BD2FA5.class Infected: Exploit.Java.ByteVerify skipped C:\Program Files\Norton AntiVirus\Quarantine\055B31A9.htm Suspicious: Exploit.HTML.Mht skipped C:\Program Files\Norton AntiVirus\Quarantine\098158DC.class Infected: Exploit.Java.ByteVerify skipped C:\Program Files\Norton AntiVirus\Quarantine\098402D8.class Infected: Exploit.Java.ByteVerify skipped C:\Program Files\Norton AntiVirus\Quarantine\0A172BB3.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped C:\Program Files\Norton AntiVirus\Quarantine\115064A6.exe Infected: Backdoor.Win32.Livup.a skipped C:\Program Files\Norton AntiVirus\Quarantine\14DD58BA.htm Infected: Exploit.HTML.Mht skipped C:\Program Files\Norton AntiVirus\Quarantine\1A810C6A.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped C:\Program Files\Norton AntiVirus\Quarantine\2A864CDA.class Infected: Exploit.Java.ByteVerify skipped C:\Program Files\Norton AntiVirus\Quarantine\32685C4F.htm Infected: Exploit.HTML.Mht skipped C:\Program Files\Norton AntiVirus\Quarantine\3C413690.exe Infected: P2P-Worm.Win32.SpyBot.dg skipped C:\Program Files\Norton AntiVirus\Quarantine\40BC2651.htm Suspicious: Exploit.HTML.Mht skipped C:\Program Files\Norton AntiVirus\Quarantine\40C35282.htm Infected: Exploit.HTML.Mht skipped C:\Program Files\Norton AntiVirus\Quarantine\48B34005.class Infected: Exploit.Java.ByteVerify skipped C:\Program Files\Norton AntiVirus\Quarantine\491B565E.htm Infected: Exploit.HTML.Mht skipped C:\Program Files\Norton AntiVirus\Quarantine\501819E3.htm Infected: Exploit.HTML.Mht skipped C:\Program Files\Norton AntiVirus\Quarantine\5865446A.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped C:\Program Files\Norton AntiVirus\Quarantine\5A752D0A.htm Infected: Trojan-Downloader.JS.Small.d skipped C:\Program Files\Norton AntiVirus\Quarantine\5AF16882.htm Infected: Trojan-Downloader.JS.Small.d skipped C:\Program Files\Norton AntiVirus\Quarantine\60297CC4.htm Infected: Exploit.HTML.Mht skipped C:\Program Files\Norton AntiVirus\Quarantine\611D49B6.htm Infected: Exploit.HTML.Mht skipped C:\Program Files\Norton AntiVirus\Quarantine\657B4B19.class Infected: Exploit.Java.ByteVerify skipped C:\Program Files\Norton AntiVirus\Quarantine\6CC26613.htm Infected: Exploit.HTML.Mht skipped C:\Program Files\Norton AntiVirus\Quarantine\73981520 Infected: Exploit.HTML.Mht skipped C:\Program Files\Outlook Express\w2.exe Infected: Backdoor.Win32.Hupigon.pv skipped C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1549OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.eg skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019698.exe/data0079 Infected: Trojan.Win32.Obfuscated.en skipped C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019698.exe Inno: infected - 1 skipped C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019795.dll Infected: Trojan.Win32.BHO.bd skipped C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019796.exe Infected: Trojan.Win32.Agent.aoy skipped C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019803.sys Infected: Rootkit.Win32.Agent.eq skipped C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019809.exe Infected: Trojan-Dropper.Win32.Agent.bfr skipped C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019810.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019812.exe Infected: Trojan-Downloader.Win32.VB.awj skipped C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\A0019822.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\change.log Object is locked skipped C:\Temp\aZ001.exe/data0006 Infected: Trojan-Downloader.Win32.Small.eqn skipped C:\Temp\aZ001.exe/data0007 Infected: Trojan-Dropper.Win32.Agent.bfr skipped C:\Temp\aZ001.exe NSIS: infected - 2 skipped C:\WINDOWS\$NtUninstallKB824141$\kb824141.cat Object is locked skipped C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\Down(0).exe Infected: Backdoor.Win32.Hupigon.bog skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\cdees.exe Infected: Packed.Win32.NSAnti.a skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped C:\WINDOWS\system32\config\OSession.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\Down(0).exe Infected: Packed.Win32.NSAnti.a skipped C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\msCMTsrvc.exe Infected: Trojan-Downloader.Win32.Presario skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped D:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP234\change.log Object is locked skipped Scan process completed. Computer Condition: The pop-ups have gone away, but I still suspect something foul is still here