HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

Old 06-29-2008, 10:42 AM   #1 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 4
OS: Win XP SP2


ETrust EZ Antivirus hit - eqnclassa.dll

Hi, I have some type of virus that can't be deleted with EZ Antivirus or Trojan Remover. ETrust EZ Antivirus would pop up with a virus detected (eqnclassa.dll) every time I would initiate IE or Windows Explorer. I noticed that IE "manage add-ons" had an entry with a file name of eqnclassa.dll. I disabled that entry in the IE "manage add-ons" window and now when I run IE or Explorer the virus detected does not show up. Below is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:35 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\Program Files\America Online 9.0\waol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {F1D17ABE-2591-4870-B108-1BED7B5A2A4B} - c:\windows\system32\eqnclassa.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.0.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://usfulfillment.puretracks.com/onager.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9563.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: tuzzmwjq - C:\WINDOWS\SYSTEM32\eqnclassa.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6454 bytes

Thanks - Cosmos....
cosmos123 is offline  
Old 07-01-2008, 08:06 PM   #2 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,565
OS: Windows XP Pro


Re: ETrust EZ Antivirus hit - eqnclassa.dll

Hi cosmos123,

Sorry for the delay in looking into your log, as we are extremely busy in this section of the forums. If you still require assistance and are not seeking help elsewhere, then please carry out my instructions.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

--------------------------------------------------------------

Please include the following in your next reply:

C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt - Attached please
forhockey is offline  
Old 07-03-2008, 06:57 PM   #3 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 4
OS: Win XP SP2


Re: ETrust EZ Antivirus hit - eqnclassa.dll

Hi forhockey, I had to run dss.exe with registry hives and temp cleanup off; otherwise I would get the following message: "dss.exe has encountered a problem and needs to close.."

Results follow:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-03 20:31:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 2 Restore Point(s) --
2: 2008-07-04 00:50:11 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-07-04 00:47:04 UTC - RP1 - System Checkpoint


Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:29 PM, on 7/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1141427966\ee\aolsoftware.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Owner\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {F1D17ABE-2591-4870-B108-1BED7B5A2A4B} - c:\windows\system32\eqnclassa.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.0.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://usfulfillment.puretracks.com/onager.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9563.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: tuzzmwjq - C:\WINDOWS\SYSTEM32\eqnclassa.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6502 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080427-151900-433 O4 - HKCU\..\Run: [f62fcifwxt] C:\WINDOWS\system32\f62fcifwxt.exe
backup-20080427-151900-578 O4 - HKLM\..\Run: [f62fcifwxt] C:\WINDOWS\system32\f62fcifwxt.exe
backup-20080427-155333-193 O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
backup-20080516-193808-154 O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
backup-20080516-193808-737 O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
backup-20080516-193808-768 O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
backup-20080516-193808-923 O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
backup-20080516-193808-934 O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
backup-20080516-193927-947 O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
backup-20080516-200430-926 O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
backup-20080517-081125-279 O2 - BHO: (no name) - {F1D17ABE-2591-4870-B108-1BED7B5A2A4B} - c:\windows\system32\eqnclassa.dll
backup-20080517-081125-926 O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
backup-20080619-105918-713 O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
backup-20080619-112256-300 O20 - Winlogon Notify: tuzzmwjq - C:\WINDOWS\SYSTEM32\eqnclassa.dll
backup-20080620-100623-201 O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZJxdm088NUUS
backup-20080620-100623-204 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=MX3228
backup-20080620-100623-487 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=PTB&M=MX3228
backup-20080620-100623-548 O2 - BHO: (no name) - {F1D17ABE-2591-4870-B108-1BED7B5A2A4B} - c:\windows\system32\eqnclassa.dll
backup-20080620-100623-632 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.h...s=PTB&M=MX3228
backup-20080620-100623-726 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
backup-20080620-100623-863 O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
backup-20080620-100623-870 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
backup-20080620-100623-911 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...s=PTB&M=MX3228
backup-20080620-204431-784 O2 - BHO: (no name) - {F1D17ABE-2591-4870-B108-1BED7B5A2A4B} - c:\windows\system32\eqnclassa.dll
backup-20080620-204431-835 O20 - Winlogon Notify: tuzzmwjq - C:\WINDOWS\SYSTEM32\eqnclassa.dll
backup-20080620-204856-534 O2 - BHO: (no name) - {F1D17ABE-2591-4870-B108-1BED7B5A2A4B} - c:\windows\system32\eqnclassa.dll
backup-20080620-204856-982 O20 - Winlogon Notify: tuzzmwjq - C:\WINDOWS\SYSTEM32\eqnclassa.dll
backup-20080620-210616-719 O2 - BHO: (no name) - {F1D17ABE-2591-4870-B108-1BED7B5A2A4B} - c:\windows\system32\eqnclassa.dll
backup-20080620-210616-793 O20 - Winlogon Notify: tuzzmwjq - C:\WINDOWS\SYSTEM32\eqnclassa.dll
backup-20080627-160615-101 O2 - BHO: (no name) - {F1D17ABE-2591-4870-B108-1BED7B5A2A4B} - c:\windows\system32\eqnclassa.dll
backup-20080627-160616-907 O20 - Winlogon Notify: tuzzmwjq - C:\WINDOWS\SYSTEM32\eqnclassa.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 mglpewgn - c:\windows\system32\drivers\mglpewgn.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 VETFDDNT (VET Floppy Boot Sector Monitor) - c:\windows\system32\drivers\vetfddnt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VET-FILT (VET File System Filter) - c:\windows\system32\drivers\vet-filt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VETMONNT (VET File Monitor) - c:\windows\system32\drivers\vetmonnt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VET-REC (VET File System Recognizer) - c:\windows\system32\drivers\vet-rec.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 MyWebSearchService (My Web Search Service) - c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-03 and 2008-07-03 -----------------------------

2008-07-03 20:30:14 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-06-28 15:39:05 0 d-------- C:\Program Files\Windows Live Safety Center
2008-06-27 18:24:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-27 13:29:11 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-06-27 13:29:11 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-06-27 13:29:11 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2008-06-27 13:29:10 153088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-06-27 13:29:10 75264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-06-27 13:29:08 0 d-------- C:\Program Files\Trojan Remover
2008-06-27 13:29:08 0 d-------- C:\Documents and Settings\Owner\Application Data\Simply Super Software
2008-06-27 13:29:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-20 20:52:54 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-06-20 20:52:54 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-20 20:52:54 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-20 20:52:54 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-20 20:52:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-06-20 20:52:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-20 20:52:54 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-20 20:52:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-20 20:52:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-06-20 20:52:53 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-20 20:52:53 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-20 20:52:53 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-20 20:52:53 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-20 20:52:53 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-20 20:52:53 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-20 20:52:53 679936 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-20 20:52:53 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-20 20:52:53 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-06-20 20:52:53 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-20 12:53:03 0 d-------- C:\myweb
2008-06-20 11:13:34 0 d-------- C:\Music
2008-06-19 07:14:12 0 d-------- C:\qrnt
2008-06-19 06:55:28 0 d-------- C:\Program Files\Exterminate It!
2008-06-18 17:55:00 0 d-------- C:\Program Files\Microsoft SQL Server
2008-06-15 18:07:31 0 d-------- C:\Documents and Settings\All Users\Application Data\OLYMPUS
2008-06-15 1816 0 d-------- C:\WINDOWS\system32\QuickTime
2008-06-15 1811 0 d-------- C:\Program Files\OLYMPUS
2008-06-07 13:57:38 0 d-------- C:\WINDOWS\Mozilla
2008-06-04 20:14:26 0 d-------- C:\Program Files\iTunes
2008-06-04 20:11:06 0 d-------- C:\Program Files\Bonjour
2008-06-04 20:09:47 0 d-------- C:\Program Files\QuickTime
2008-06-04 2049 0 d-------- C:\Program Files\Apple Software Update
2008-06-04 2013 0 d-------- C:\Program Files\Common Files\Apple
2008-06-04 2011 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-06-29 20:52:12 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-06-29 16:57:28 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-06-25 10:35:51 0 d-------- C:\Program Files\Starry Night Pro 4
2008-06-18 17:57:23 0 d-------- C:\Program Files\Microsoft.NET
2008-06-15 1807 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-04 20:14:48 0 d-------- C:\Program Files\iPod
2008-06-04 2013 0 d-------- C:\Program Files\Common Files
2008-06-02 17:59:56 76296 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-30 17:50:03 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-30 17:09:41 0 d-------- C:\Program Files\MSBuild
2008-05-30 17:09:23 0 d-------- C:\Program Files\Reference Assemblies
2008-05-30 16:59:38 0 d-------- C:\Program Files\MSXML 6.0
2008-05-24 13:51:50 0 d-------- C:\Program Files\Napster
2008-05-16 21:00:06 0 d-------- C:\Program Files\TrojanHunter 5.0
2008-05-16 20:58:34 0 d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
2008-05-16 19:04:40 0 d-------- C:\Documents and Settings\Owner\Application Data\gboivpfj
2008-05-16 18:22:09 0 d-------- C:\Program Files\Common Files\Mozilla Shared
2008-05-15 18:20:08 0 d-------- C:\Documents and Settings\Owner\Application Data\FunWebProducts


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1D17ABE-2591-4870-B108-1BED7B5A2A4B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [01/12/2005 06:01 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [10/07/2005 04:52 PM]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"VTTimer"="VTTimer.exe" [03/08/2005 07:33 AM C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [11/01/2005 08:15 AM C:\WINDOWS\system32\VTTrayp.exe]
"AGRSMMSG"="AGRSMMSG.exe" [10/14/2005 06:29 PM C:\WINDOWS\AGRSMMSG.exe]
"QOELOADER"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe" [09/04/2006 01:46 PM]
"CaAvTray"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe" [09/04/2006 01:46 PM]
"CAVRID"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [09/04/2006 01:46 PM]
"Zone Labs Client"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe" [06/03/2005 05:39 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [07/25/2005 10:30 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuzzmwjq]
eqnclassa.dll 08/04/2004 02:00 PM 84992 C:\WINDOWS\system32\eqnclassa.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\America Online 9.0\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1141427966\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
C:\Program Files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=2 (0x2)
"RDSessMgr"=3 (0x3)
"CiSvc"=3 (0x3)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"aawservice"=2 (0x2)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xkgvuusd




-- End of Deckard's System Scanner: finished at 2008-07-03 20:35:06 ------------
Attached Files
File Type: txt extra.txt (15.0 KB, 1 views)
Old 07-05-2008, 01:33 PM   #4 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,565
OS: Windows XP Pro


Re: ETrust EZ Antivirus hit - eqnclassa.dll

Hi cosmos123,

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix


IMPORTANT: Make sure you install the Recovery Console before running ComboFix.

Reply back with the following:
  • C:\ComboFix.txt
  • New HiJackThis Log
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 07-05-2008, 04:25 PM   #5 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 4
OS: Win XP SP2


Re: ETrust EZ Antivirus hit - eqnclassa.dll

Forhockey, see below:

ComboFix 08-07-04.6 - Owner 2008-07-05 17:53:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.162 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\FunWebProducts
C:\Documents and Settings\Owner\Application Data\FunWebProducts\Data\Owner\avatar.dat
C:\Program Files\internet explorer\msimg32.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-03 19:46 . 2008-07-03 19:46 <DIR> d-------- C:\Deckard
2008-06-28 15:39 . 2008-06-28 16:27 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-27 18:24 . 2008-06-27 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-27 13:29 . 2008-06-27 14:16 <DIR> d-------- C:\Program Files\Trojan Remover
2008-06-27 13:29 . 2008-06-27 13:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Simply Super Software
2008-06-27 13:29 . 2008-06-27 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-27 13:29 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-06-27 13:29 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-06-27 13:29 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-06-27 13:29 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-06-27 13:29 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-06-20 20:52 . 2004-08-27 04:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-20 20:52 . 2006-03-03 18:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-06-20 20:52 . 2006-03-03 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-20 20:52 . 2006-03-03 18:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-06-20 20:52 . 2008-06-27 18:24 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-20 12:53 . 2008-06-30 18:57 <DIR> d-------- C:\myweb
2008-06-20 11:13 . 2008-06-20 11:39 <DIR> d-------- C:\Music
2008-06-19 07:14 . 2008-06-19 07:14 <DIR> d-------- C:\qrnt
2008-06-19 06:55 . 2008-06-20 21:18 <DIR> d-------- C:\Program Files\Exterminate It!
2008-06-18 17:55 . 2008-06-18 18:00 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-06-15 18:07 . 2008-06-15 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OLYMPUS
2008-06-15 18:06 . 2008-06-15 18:06 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-06-15 18:06 . 2008-06-15 18:06 <DIR> d-------- C:\Program Files\OLYMPUS
2008-06-15 16:30 . 2008-04-14 06:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-15 16:30 . 2008-04-14 06:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 13:57 . 2008-06-07 13:57 <DIR> d-------- C:\WINDOWS\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 19:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-03 11:57 1,868,983 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-30 01:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-06-28 20:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-25 15:35 --------- d-----w C:\Program Files\Starry Night Pro 4
2008-06-18 22:57 --------- d-----w C:\Program Files\Microsoft.NET
2008-06-17 00:24 3,804,672 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-06-17 00:24 2,804,736 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-06-15 23:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-05 01:15 --------- d-----w C:\Program Files\iTunes
2008-06-05 01:14 --------- d-----w C:\Program Files\iPod
2008-06-05 01:11 --------- d-----w C:\Program Files\Bonjour
2008-06-05 01:10 --------- d-----w C:\Program Files\QuickTime
2008-06-05 01:06 --------- d-----w C:\Program Files\Common Files\Apple
2008-06-05 01:06 --------- d-----w C:\Program Files\Apple Software Update
2008-06-05 01:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-02 22:59 76,296 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-30 22:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-30 22:50 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-05-30 22:09 --------- d-----w C:\Program Files\Reference Assemblies
2008-05-30 22:09 --------- d-----w C:\Program Files\MSBuild
2008-05-30 21:59 --------- d-----w C:\Program Files\MSXML 6.0
2008-05-24 18:51 --------- d-----w C:\Program Files\Napster
2008-05-24 18:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-05-24 16:34 3,024,384 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-05-24 16:34 2,622,976 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-05-17 12:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-05-17 02:00 --------- d-----w C:\Program Files\TrojanHunter 5.0
2008-05-17 01:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\TrojanHunter
2008-05-17 00:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\gboivpfj
2008-05-16 23:22 --------- d-----w C:\Program Files\Common Files\Mozilla Shared
2008-05-16 23:22 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\gboivpfj
2008-05-09 23:38 836,608 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-05-09 23:36 2,569,216 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 19:00 3,782,144 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-05-07 19:00 2,569,216 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-27 18:26 196,608 ----a-w C:\WINDOWS\system32\libssl32.dll
2008-04-27 18:26 1,015,808 ----a-w C:\WINDOWS\system32\libeay32.dll
2008-04-21 06:56 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
2006-11-04 14:49 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.EXE" [2005-07-25 22:30 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 06:01 32768]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 16:52 737370]
"QOELOADER"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe" [2006-09-04 13:46 6656]
"CaAvTray"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe" [2006-09-04 13:46 230952]
"CAVRID"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [2006-09-04 13:46 185896]
"Zone Labs Client"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe" [2005-06-03 05:39 943880]
"VTTimer"="VTTimer.exe" [2005-03-08 07:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-11-01 08:15 163840 C:\WINDOWS\system32\VTTrayp.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 18:29 88203 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2005-07-25 22:30 50776 C:\Program Files\America Online 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 20:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 07:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 19:52 50736 C:\Program Files\Common Files\AOL\1141427966\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
--a------ 2004-04-05 16:33 99480 C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
--a------ 2008-06-03 20:33 878672 C:\Program Files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=2 (0x2)
"RDSessMgr"=3 (0x3)
"CiSvc"=3 (0x3)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1141427966\\EE\\aolsoftware.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 mglpewgn;mglpewgn;C:\WINDOWS\system32\drivers\mglpewgn.sys [2004-08-04 14:00]
S2 MyWebSearchService;My Web Search Service;C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe []
S2 xkgvuusd;Remote Access Auto Connection Controller;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xkgvuusd

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

BHO-{F1D17ABE-2591-4870-B108-1BED7B5A2A4B} - c:\windows\system32\eqnclassa.dll
Notify-tuzzmwjq - eqnclassa.dll
MSConfigStartUp-AVG8_TRAY - C:\PROGRA~1\AVG\AVG8\avgtray.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 18:09:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-05 18:12:31
ComboFix-quarantined-files.txt 2008-07-05 23:11:50

Pre-Run: 40,408,436,736 bytes free
Post-Run: 40,399,462,400 bytes free

185 --- E O F --- 2008-06-15 21:45:48


----------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:32 PM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {F1D17ABE-2591-4870-B108-1BED7B5A2A4B} - c:\windows\system32\eqnclassa.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.0.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://usfulfillment.puretracks.com/onager.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9563.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: tuzzmwjq - C:\WINDOWS\SYSTEM32\eqnclassa.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6603 bytes
Old 07-06-2008, 11:33 AM   #6 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,565
OS: Windows XP Pro


Re: ETrust EZ Antivirus hit - eqnclassa.dll

Hello,

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KILLALL::

File::
c:\windows\system32\eqnclassa.dll
Folder::
C:\PROGRA~1\MYWEBS~1
Driver::
MyWebSearchService
DirLook::
C:\Documents and Settings\NetworkService\Application Data\gboivpfj
C:\Documents and Settings\Owner\Application Data\gboivpfj
Save this as CFScript




Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

--------------------------------------------------------------

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log in your next reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------

Please reply back with the following:

C:\ComboFix.txt
Panda online scan results
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
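As an added illustration (this is not code from the thread, from HijackThis or from ComboFix), the Python script below shows how the entries the analyst targets in the post above stand out when a HijackThis log is triaged mechanically rather than by eye: a BHO registered with no name, a Winlogon Notify handler that points at the same DLL (two independent persistence points for one file), and a service whose binary is missing and carries no vendor. The five sample lines are copied from the log in the previous post; the function names and the heuristics are the example's own, and a real log would of course contain many more entry kinds than the three handled here.

```python
import re
from collections import defaultdict

# Constructed sample: five lines copied from the HijackThis log posted
# earlier in this thread (two benign entries, three the analyst acted on).
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {F1D17ABE-2591-4870-B108-1BED7B5A2A4B} - c:\windows\system32\eqnclassa.dll
O20 - Winlogon Notify: tuzzmwjq - C:\WINDOWS\SYSTEM32\eqnclassa.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
"""

# HijackThis lines have the shape "Oxx - field - field - ... - image path".
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
FILE_MISSING = " (file missing)"


def parse_hjt(text):
    """Split each 'Oxx - a - b - c' line into its kind and ' - '-separated fields."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, rest = m.groups()
        fields = [f.strip() for f in rest.split(" - ")]
        entries.append({"kind": kind, "fields": fields, "raw": line.strip()})
    return entries


def image_basename(field):
    """Lower-cased file name of an image path, with HJT's '(file missing)' marker stripped."""
    path = field[: -len(FILE_MISSING)] if field.endswith(FILE_MISSING) else field
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(entries):
    """Return {image basename: [reasons]} for entries that deserve a second look."""
    # First pass: which entry kinds reference each image? This lets us notice
    # one DLL sitting in two different autostart locations.
    kinds_by_image = defaultdict(set)
    for e in entries:
        kinds_by_image[image_basename(e["fields"][-1])].add(e["kind"])

    findings = defaultdict(list)
    for e in entries:
        kind, fields = e["kind"], e["fields"]
        image = image_basename(fields[-1])
        reasons = []
        if kind == "O2" and fields[0] == "BHO: (no name)":
            reasons.append("browser helper object registered without a name")
        if kind == "O20":
            reasons.append("Winlogon Notify DLL (loaded into winlogon.exe at logon)")
            if "O2" in kinds_by_image[image]:
                reasons.append("same DLL is also a BHO: two independent persistence points")
        if kind == "O23":
            if fields[-1].endswith(FILE_MISSING):
                reasons.append("service whose binary no longer exists on disk")
            if "Unknown owner" in fields:
                reasons.append("service binary carries no vendor information")
        if reasons:
            findings[image].extend(reasons)
    return dict(findings)


if __name__ == "__main__":
    for image, reasons in triage(parse_hjt(SAMPLE_LOG)).items():
        print(image)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the script reports eqnclassa.dll (three reasons) and mwssvc.exe (two reasons) and stays silent on the Google Toolbar and Bonjour entries, which is exactly the split the analyst's CFScript makes: the DLL goes under File:: and the orphaned service under Driver::. The heuristics are deliberately narrow; a signed-vendor check or a known-good hash list would be the next step in a real triage tool.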
Old 07-06-2008, 06:49 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 4
OS: Win XP SP2


Re: ETrust EZ Antivirus hit - eqnclassa.dll

Hello -

Latest results

ComboFix 08-07-04.6 - Owner 2008-07-06 15:25:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.218 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\eqnclassa.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2008-06-06 to 2008-07-06 )))))))))))))))))))))))))))))))
.

2008-07-03 19:46 . 2008-07-03 19:46 <DIR> d-------- C:\Deckard
2008-06-28 15:39 . 2008-06-28 16:27 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-27 18:24 . 2008-06-27 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-27 13:29 . 2008-06-27 14:16 <DIR> d-------- C:\Program Files\Trojan Remover
2008-06-27 13:29 . 2008-06-27 13:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Simply Super Software
2008-06-27 13:29 . 2008-06-27 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-27 13:29 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-06-27 13:29 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-06-27 13:29 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-06-27 13:29 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-06-27 13:29 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-06-20 20:52 . 2004-08-27 04:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-20 20:52 . 2006-03-03 18:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-06-20 20:52 . 2006-03-03 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-20 20:52 . 2006-03-03 18:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-06-20 20:52 . 2008-06-27 18:24 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-20 12:53 . 2008-07-06 15:01 <DIR> d-------- C:\myweb
2008-06-20 11:13 . 2008-06-20 11:39 <DIR> d-------- C:\Music
2008-06-19 07:14 . 2008-06-19 07:14 <DIR> d-------- C:\qrnt
2008-06-19 06:55 . 2008-06-20 21:18 <DIR> d-------- C:\Program Files\Exterminate It!
2008-06-18 17:55 . 2008-06-18 18:00 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-06-15 18:07 . 2008-06-15 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OLYMPUS
2008-06-15 18:06 . 2008-06-15 18:06 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-06-15 18:06 . 2008-06-15 18:06 <DIR> d-------- C:\Program Files\OLYMPUS
2008-06-15 16:30 . 2008-04-14 06:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-15 16:30 . 2008-04-14 06:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 13:57 . 2008-06-07 13:57 <DIR> d-------- C:\WINDOWS\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 19:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-03 11:57 1,868,983 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-30 01:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-06-28 20:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-25 15:35 --------- d-----w C:\Program Files\Starry Night Pro 4
2008-06-18 22:57 --------- d-----w C:\Program Files\Microsoft.NET
2008-06-17 00:24 3,804,672 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-06-17 00:24 2,804,736 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-06-15 23:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-05 01:15 --------- d-----w C:\Program Files\iTunes
2008-06-05 01:14 --------- d-----w C:\Program Files\iPod
2008-06-05 01:11 --------- d-----w C:\Program Files\Bonjour
2008-06-05 01:10 --------- d-----w C:\Program Files\QuickTime
2008-06-05 01:06 --------- d-----w C:\Program Files\Common Files\Apple
2008-06-05 01:06 --------- d-----w C:\Program Files\Apple Software Update
2008-06-05 01:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-02 22:59 76,296 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-30 22:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-30 22:50 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-05-30 22:09 --------- d-----w C:\Program Files\Reference Assemblies
2008-05-30 22:09 --------- d-----w C:\Program Files\MSBuild
2008-05-30 21:59 --------- d-----w C:\Program Files\MSXML 6.0
2008-05-24 18:51 --------- d-----w C:\Program Files\Napster
2008-05-24 18:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-05-24 16:34 3,024,384 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-05-24 16:34 2,622,976 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-05-17 12:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-05-17 02:00 --------- d-----w C:\Program Files\TrojanHunter 5.0
2008-05-17 01:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\TrojanHunter
2008-05-17 00:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\gboivpfj
2008-05-16 23:22 --------- d-----w C:\Program Files\Common Files\Mozilla Shared
2008-05-16 23:22 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\gboivpfj
2008-05-09 23:38 836,608 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-05-09 23:36 2,569,216 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 19:00 3,782,144 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-05-07 19:00 2,569,216 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-27 18:26 196,608 ----a-w C:\WINDOWS\system32\libssl32.dll
2008-04-27 18:26 1,015,808 ----a-w C:\WINDOWS\system32\libeay32.dll
2008-04-21 06:56 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
2006-11-04 14:49 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\NetworkService\Application Data\gboivpfj ----

2008-06-17 07:44 95669 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\xpti.dat
2008-06-17 07:44 4096 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\formhistory.sqlite
2008-06-17 07:44 367 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\prefs.js
2008-06-17 07:44 3088 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\formhistory.sqlite-journal
2008-06-17 07:44 207 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\compatibility.ini
2008-06-17 07:44 126626 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\compreg.dat
2008-06-17 07:44 0 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\parent.lock
2008-05-30 12:10 169 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\localstore.rdf
2008-05-16 18:25 65536 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\cert8.db
2008-05-16 18:25 2048 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\permissions.sqlite
2008-05-16 18:25 2048 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\cookies.sqlite
2008-05-16 18:25 16384 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\secmod.db
2008-05-16 18:25 16384 --a------ C:\Doc