Old 04-16-2007, 01:02 AM   #1 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 84
OS: Vista Ultimate 64bit


Certain Scans Cause Crashes.

I noticed problems earlier, when I ran Spybot S&D. The first thing that happened is it said the updates had bad CRC's, after restarting Spybot it all downloaded and updated correctly. Then I ran a scan and the computer reset.

After that reset Windows was hanging up and I had to boot in to safe mode, all seemed fine then so I tried doing a disk clean-up, the computer didn't like that much again and reset. However I can now get in to normal mode again.

This is really worrying and I haven't noticed any other problems but I have a feeling it's not good and there is spyware or something causing issues. I followed all of the steps here, unfortunately I can't post the Panda Activescan log, simply because it hangs and resets the computer. (This happened 2 times.)

When I run the Activescan it finds '7 spyware and 3 dialers', about half way through the scan it then hangs, gives me an error to do with gdi32.dll (very quick) and then resets, so I get no log files.

I managed to get all other steps done and have the Deckard information below and attached.

Thank you in advance and I will reply as soon as possible.


Deckard's System Scanner v20070411.38
Run by Mr Bond on 2007-04-16 at 07:28:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
77: 2007-04-16 06:28:23 UTC - RP334 - Deckard's System Scanner Restore Point
76: 2007-04-15 21:51:52 UTC - RP333 - System Checkpoint
75: 2007-04-14 20:29:24 UTC - RP332 - System Checkpoint
74: 2007-04-13 19:13:44 UTC - RP331 - System Checkpoint
73: 2007-04-12 18:34:40 UTC - RP330 - Software Distribution Service 2.0


-- First Restore Point --
1: 2007-01-16 16:25:36 UTC - RP258 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Mr Bond.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 07:31:26, on 16/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Mr Bond\Desktop\dss.exe
C:\HJT\Mr Bond.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WebCam Go Plus Sti Service Application] Wcgopsvc
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potd_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.2.1.87.cab
O16 - DPF: {4E71E6DD-FB37-4641-A96E-4456399A6DB0} - http://jade.bioware.com/codebaby/codebaby.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/b...soesysinfo.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


-- HijackThis Fixed Entries (C:\HJT\backups\) ----------------------------------

backup-20060709-120258-183 O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTS...nknown&unknown
backup-20060709-120258-565 O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://kr.pristontale.com/nprotect/k...t/npkxsite.cab
backup-20060709-120258-637 O4 - HKLM\..\RunServices: [] itmv
backup-20060709-120258-720 O2 - BHO: (no name) - {69E28DE5-01EE-6114-9B79-6B63C1CB6FA9} - (no file)
backup-20060709-120258-726 O4 - HKLM\..\RunServices: [msngr services] "C:\WINDOWS\system32\Windows Updates\Ymesngr.exe"
backup-20060709-120258-992 O16 - DPF: {69432678-2906-2705-1128-068943397621} -
backup-20060709-120259-544 O18 - Protocol hijack: mhtml -
backup-20060709-120259-666 O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 videX32 - c:\windows\system32\drivers\videx32.sys
R1 NPPTNT - c:\windows\system32\npptnt.sys
R1 SSHDRV65 - c:\windows\system32\drivers\sshdrv65.sys
R1 SSHDRV76 - c:\windows\system32\drivers\sshdrv76.sys
R1 SSHDRV77 - c:\windows\system32\drivers\sshdrv77.sys
R1 SSHDRV79 - c:\windows\system32\drivers\sshdrv79.sys
R1 SSHDRV85 - c:\windows\system32\drivers\sshdrv85.sys
R2 enodpl - c:\windows\system32\drivers\enodpl.sys
R2 STEC3 - c:\windows\system32\stec3.sys
R2 tandpl - c:\windows\system32\drivers\tandpl.sys
R2 XPROTECTOR - c:\windows\system32\drivers\xprotector.sys
R3 hamachi (Hamachi Network Interface) - c:\windows\system32\drivers\hamachi.sys
R3 WCGOPHAL - c:\windows\system32\drivers\wcgophal.sys
R3 WCGOPVID (Video Blaster WebCam Go Plus (WDM)) - c:\windows\system32\drivers\wcgopvid.sys

S1 amdtools (AMD Special Tools Driver) - c:\windows\system32\drivers\amdtools.sys (file missing)
S3 alcan5wn (SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)) - c:\windows\system32\drivers\alcan5wn.sys
S3 alcaudsl (SpeedTouch ADSL Modem ATM Transport) - c:\windows\system32\drivers\alcaudsl.sys
S3 AMDMSRIO - c:\docume~1\mrbond~1\locals~1\temp\safe to delete 3_0_4_8\amdmsrio.sys (file missing)
S3 AMDPCI - c:\docume~1\mrbond~1\locals~1\temp\amdpci.sys (file missing)
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
S3 FTD2XX (FTD2XX.SYS FT8U2XX device driver) - c:\windows\system32\drivers\ftd2xx.sys
S3 FuckFmn - c:\program files\archpr\fuckfmn.sys (file missing)
S3 gsplittm - c:\docume~1\mrbond~1\locals~1\temp\gsplittm.sys (file missing)
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrendis5.sys (file missing)
S3 npkeyc - c:\windows\system32\npkeyc.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe

S3 MySql - c:/mysql/bin/mysqld-nt.exe
S3 p2pgasvc (Peer Networking Group Authentication) - c:\windows\system32\svchost.exe -k p2psvc


-- Files created between 2007-03-16 and 2007-04-16 -----------------------------

2007-04-16 07:23:13 0 d-------- C:\ie-spyad
2007-04-08 23:55:39 0 d-------- C:\Documents and Settings\Mr Bond\Contacts
2007-03-30 13:02:17 0 d-------- C:\Documents and Settings\Mr Bond\Application Data\Viewpoint<VIEWPO~1>
2007-03-29 09:48:17 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-03-29 09:48:17 0 d-------- C:\Program Files\OpenAL
2007-03-29 09:48:16 114688 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-03-29 00:34:51 0 d--hs---- C:\found.000


-- Find3M Report ---------------------------------------------------------------

2007-04-16 07:22:40 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-04-16 07:20:05 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-04-16 06:53:29 0 d-------- C:\Program Files\WS_FTP Pro<WS_FTP~1>
2007-04-16 06:53:22 0 d-------- C:\Program Files\NavNT
2007-04-16 04:45:24 0 d-------- C:\Documents and Settings\Mr Bond\Application Data\Hamachi
2007-04-15 09:02:31 0 d-------- C:\Program Files\ICQ
2007-03-29 09:47:55 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-27 17:50:30 0 d-------- C:\Program Files\btbb_wcm
2007-03-27 04:41:27 0 d-------- C:\Program Files\Yahoo!
2007-03-27 04:09:06 0 d-------- C:\Program Files\BT Home Hub<BTHOME~1>
2007-03-17 14:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 18:13:54 0 d-------- C:\Program Files\GetRight
2007-03-11 21:44:33 0 d-------- C:\Documents and Settings\Mr Bond\Application Data\Yahoo!
2007-03-08 16:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 22:42:28 286720 -----n--- C:\WINDOWS\Setup1.exe
2007-03-03 22:58:24 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-02-20 20:28:35 0 d-------- C:\Program Files\Java
2007-02-16 06:32:23 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment<BLIZZA~1>
2007-02-05 21:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-19 13:53:04 51056 --a------ C:\WINDOWS\system32\sirenacm.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SetDefaultMIDI"="MIDIDef.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"WebCam Go Plus Sti Service Application"="Wcgopsvc"
"DevconDefaultDB"="C:\\WINDOWS\\READREG /PSCONV={NO} /NO_DEFPS"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="itmv"
"hkey"="HKLM"
"command"="itmv"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
p2psvc REG_MULTI_SZ p2psvc\0p2pimsvc\0p2pgasvc\0PNRPSvc\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9a1f56b6-81d8-11d8-befe-0090d041b8b2}]
Shell\AutoRun\command F:\AUTORUN.EXE


-- Hosts -----------------------------------------------------------------------

127.0.0.1 reg.edonkey2000.com
127.0.0.1 reg.overnet.com


-- End of Deckard's System Scanner: finished at 2007-04-16 at 07:32:07 ---------
Attached Files
File Type: txt extra.txt (13.3 KB, 2 views)
Old 04-18-2007, 02:13 AM   #2 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 84
OS: Vista Ultimate 64bit


Re: Certain Scans Cause Crashes.

Bump!
Old 04-20-2007, 03:30 AM   #3 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 84
OS: Vista Ultimate 64bit


Re: Certain Scans Cause Crashes.

Bump!
Old 04-20-2007, 11:30 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Certain Scans Cause Crashes.

Hello Hobble,

Has your onboard Anti Virus given you any alerts recently?

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------


Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


Post the ComboFix.txt in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-21-2007, 12:13 AM   #5 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 84
OS: Vista Ultimate 64bit


Re: Certain Scans Cause Crashes.

I have not noticed any virus alerts at all recently... that I remember :/

Here is the log and thank you for your time.

"Mr Bond" - 07-04-21 7:02:15 Service Pack 2
ComboFix 07-04-20.3V - Running from: C:\Documents and Settings\Mr Bond\Desktop\


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\install.log


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NPF


((((((((((((((((((((((((((((((( Files Created from 2007-03-21 to 2007-04-21 ))))))))))))))))))))))))))))))))))


2007-04-16 07:46 <DIR> d-------- C:\Deckard
2007-04-16 07:23 <DIR> d-------- C:\ie-spyad
2007-04-08 23:55 <DIR> d-------- C:\DOCUME~1\MRBOND~1\Contacts
2007-03-30 13:02 <DIR> d-------- C:\DOCUME~1\MRBOND~1\APPLIC~1\Viewpoint
2007-03-29 09:48 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-03-29 09:48 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-03-29 09:48 <DIR> d-------- C:\Program Files\OpenAL
2007-03-29 00:34 <DIR> d--hs---- C:\found.000


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-20 21:32 -------- d-------- C:\Program Files\java
2007-04-20 21:32 -------- d-------- C:\Program Files\java
2007-04-20 11:22 -------- d-------- C:\Program Files\icq
2007-04-20 11:22 -------- d-------- C:\Program Files\icq
2007-04-16 18:31 -------- d-------- C:\Program Files\kazaa lite k++
2007-04-16 18:31 -------- d-------- C:\Program Files\kazaa lite k++
2007-04-16 18:29 -------- d-------- C:\Program Files\exeem
2007-04-16 18:29 -------- d-------- C:\Program Files\exeem
2007-04-16 07:22 -------- d-------- C:\Program Files\spywareguard
2007-04-16 07:22 -------- d-------- C:\Program Files\spywareguard
2007-04-16 07:20 -------- d-------- C:\Program Files\spywareblaster
2007-04-16 07:20 -------- d-------- C:\Program Files\spywareblaster
2007-04-16 06:53 -------- d-------- C:\Program Files\ws_ftp pro
2007-04-16 06:53 -------- d-------- C:\Program Files\ws_ftp pro
2007-04-16 06:53 -------- d-------- C:\Program Files\navnt
2007-04-16 06:53 -------- d-------- C:\Program Files\navnt
2007-03-29 09:47 -------- d--h----- C:\Program Files\installshield installation information
2007-03-29 09:47 -------- d--h----- C:\Program Files\installshield installation information
2007-03-28 05:09 17480 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-03-27 04:41 -------- d-------- C:\Program Files\yahoo!
2007-03-27 04:41 -------- d-------- C:\Program Files\yahoo!
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 18:13 -------- d-------- C:\Program Files\getright
2007-03-15 18:13 -------- d-------- C:\Program Files\getright
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 22:42 286720 --------- C:\WINDOWS\setup1.exe
2007-03-07 10:08 96256 --a------ C:\WINDOWS\system32\drivers\sptd1021.sys
2007-03-03 22:58 -------- d-------- C:\Program Files\msn messenger
2007-03-03 22:58 -------- d-------- C:\Program Files\msn messenger
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"WebCam Go Plus Sti Service Application"="Wcgopsvc"
"DevconDefaultDB"="C:\\WINDOWS\\READREG /PSCONV={NO} /NO_DEFPS"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SetDefaultMIDI"="MIDIDef.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="itmv"
"hkey"="HKLM"
"command"="itmv"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
p2psvc REG_MULTI_SZ p2psvc\0p2pimsvc\0p2pgasvc\0PNRPSvc\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9a1f56b6-81d8-11d8-befe-0090d041b8b2}]
Shell\AutoRun\command F:\AUTORUN.EXE



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20060709-120259-544
O18 - Protocol hijack: mhtml -
backup-20060709-120259-666
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
backup-20060709-120258-565
O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://kr.pristontale.com/nprotect/k...t/npkxsite.cab
backup-20060709-120258-992
O16 - DPF: {69432678-2906-2705-1128-068943397621} -
backup-20060709-120258-183
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTS...nknown&unknown
backup-20060709-120258-726
O4 - HKLM\..\RunServices: [msngr services] "C:\WINDOWS\system32\Windows Updates\Ymesngr.exe"
backup-20060709-120258-637
O4 - HKLM\..\RunServices: [] itmv
backup-20060709-120258-720
O2 - BHO: (no name) - {69E28DE5-01EE-6114-9B79-6B63C1CB6FA9} - (no file)
********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-21 7:09:38
C:\ComboFix-quarantined-files.txt ... 07-04-21 07:09
Old 04-21-2007, 09:45 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Certain Scans Cause Crashes.

Hiya,

Quote:
When I run the Activescan it finds '7 spyware and 3 dialers', about half way through the scan it then hangs, gives me an error to do with gdi32.dll (very quick) and then resets, so I get no log files.

Have you installed any new drivers recently?

Your computer restarts unexpectedly when it has encountered a system error.

Click the green Start button in your task bar then right click 'My Computer' and select 'Properties',
* Click the Advanced tab.
* There, under the heading of Startup and Recovery, please click the Settings button.
* Under the headline of System failure, please UNcheck the box that says Automatically restart.

Now the next time it encounters such an error, your pc will show a blue screen including information that may provide some insight. When it happens, either take a picture of it and upload it as an attachment to your reply or write down the message that it gives and include that in your next reply.
Old 04-21-2007, 10:17 AM   #7 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 84
OS: Vista Ultimate 64bit


Re: Certain Scans Cause Crashes.

I haven't actually installed any drivers lately on this machine, and I have done scans before with no issue.

My Automatically restart option is actually already unchecked, it's usually how I can see some of the issues, however when the computer restarts it does exactly that, skipping any blue screens or errors.

I will try running an activescan again and see what happens, see if I can get any other information.
Old 04-21-2007, 10:31 AM   #8 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 84
OS: Vista Ultimate 64bit


Re: Certain Scans Cause Crashes.

A quick update, I ran activescan but manually stopped it after it found the usual issues and the log is below, I am going to rescan now and just leave it in the hope it finishes without crashing.

Incident Status Location

Adware:adware/keenvalue Not disinfected Windows Registry
Adware:adware/ipbill Not disinfected Windows Registry
Dialer:dialer.xe Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30CE93AE-4987-483C-9ABE-F2BD5301AB70}
Dialer:dialer.xd Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FF3F0F03-0F01-131A-A3F9-08F02B23E0CC}
Adware:adware/wupd Not disinfected Windows Registry
Spyware:spyware/apropos Not disinfected Windows Registry
Dialer:dialer.dk Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{91433D86-9F27-402C-B5E3-DEBDD122C339}
Spyware:spyware/betterinet Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/exact.bargainbuddy Not disinfected
Old 04-21-2007, 10:35 AM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Certain Scans Cause Crashes.

Actually, I'd prefer you run an online scan at Kaspersky:

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

If you cannot complete a scan at Kaspersky, then do the following:

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

**If your system 'quits' during the scan, try running the scan from Safe Mode.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 04-21-2007, 10:58 AM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Certain Scans Cause Crashes.

You replied while I was replying--I just saw that.

Please do the following to remove the dialers:

Download the attached hobble.zip file to your desktop.

Double click on the zip folder, then double click on the .reg file within. Click yes to allow it to merge into your registry.
Attached Files
File Type: zip hobble.zip (303 Bytes, 2 views)
Ried is offline  
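The contents of hobble.zip are not shown in the thread. As an added example (not the moderator's file), this sketch shows how a removal .reg of that kind can be derived from the dialer rows of the ActiveScan log posted above; the function names are hypothetical, and the `[-key]` form is the standard .reg syntax for deleting a key.

```python
import re

# Rows copied from the ActiveScan log posted earlier in this thread.
ACTIVESCAN_LOG = r"""
Adware:adware/keenvalue Not disinfected Windows Registry
Dialer:dialer.xe Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30CE93AE-4987-483C-9ABE-F2BD5301AB70}
Dialer:dialer.xd Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FF3F0F03-0F01-131A-A3F9-08F02B23E0CC}
Spyware:spyware/apropos Not disinfected Windows Registry
Dialer:dialer.dk Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{91433D86-9F27-402C-B5E3-DEBDD122C339}
"""

# Only keys directly under this parent are accepted, so a malformed or
# unexpected log row can never turn into a deletion elsewhere in the hive.
STATS_PARENT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats"
ROW = re.compile(
    r"^(?P<kind>\w+):(?P<name>\S+)\s+Not disinfected\s+(?P<loc>.+)$")
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def dialer_keys(log_text):
    """Return (detection name, full key path) for each dialer row that names a key."""
    found, seen = [], set()
    for line in log_text.splitlines():
        m = ROW.match(line.strip())
        if not m or m["kind"].lower() != "dialer":
            continue
        parent, _, leaf = m["loc"].strip().rpartition("\\")
        if parent.lower() != STATS_PARENT.lower() or not GUID.match(leaf):
            continue  # "Windows Registry" or anything outside Ext\Stats
        key = f"{STATS_PARENT}\\{leaf.upper()}"
        if key not in seen:
            seen.add(key)
            found.append((m["name"], key))
    return found

def build_reg(keys):
    """Render a .reg file; a leading '-' inside the brackets deletes that key."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for name, key in keys:
        lines += [f"; {name}", f"[-{key}]", ""]
    return "\r\n".join(lines)

if __name__ == "__main__":
    print(build_reg(dialer_keys(ACTIVESCAN_LOG)))
```

Rows that report only "Windows Registry" carry no key path and are skipped, so the generated file covers the three dialer entries and nothing else.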
Old 04-21-2007, 03:01 PM   #11 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 84
OS: Vista Ultimate 64bit


Re: Certain Scans Cause Crashes.

It's ok, whilst you were replying I was doing the scans you asked me to in the other reply! ;)

Well, I was in the middle of my second Panda scan and I noticed I had the message from you... and whilst scanning it actually gave me an explorer error, which in turn gave a drwatson error, after this I quit that scanner and moved on to Kaspersky.

Kaspersky Online Scanner gave me an error that my 'license had expired' even though I have only ever used the free scans from it, maybe they are the timed uses.

Then I went on to a scan with Dr.Web CureIt, this crashed my system part of the way through the scan to a Blue screen, the information was;

IRQL_NOT_LESS_OR_EQUAL

0x0000000A (0xFFD9F99C, 0x0000001C, 0x00000000, 0x804E33A4)

Then it did the memory dump, after that I went in to safe mode and ran cureit again, this is a full log from the dr web folder, I totally forgot to save the log separately on my desktop as I had restarted in safemode :/ So you can see the results of the pre-reset and safemode scans. There is also a quick scan when back in normal mode.

This is going to be a really long post, thank you again for your time.

=============================================================================
Dr.Web(R) Scanner for Windows v4.33.2 (4.33.2.10067)
Copyright (c) Igor Daniloff, 1992-2006
Log generated on: 2007-04-21, 17:52:09 [CRAIG][Mr Bond]
Command-line: "C:\DOCUME~1\MRBOND~1\LOCALS~1\Temp\RarSFX0\cureit.exe" /lng /ini:cureit_XP.ini
Operating system:Windows XP Professional x86 (Build 2600), Service Pack 2
=============================================================================
Engine version: 4.33 (4.33.5.10110)
Engine API version: 2.01