#1
Registered User
Join Date: May 2009
Posts: 15
OS: vista sp1
Trojan on system?
Hello,
I am running vista and came across this problem several days ago. When starting up, I found a Windows Security Alert immediately popped up telling me that the firewall had blocked an unknown program from accepting incoming network connections. The name appears to be a random string of letters that changes every time I boot (ex: xwzjpguh.exe) and is located on the following path: C:\windows\system32\xwzjpguh.exe.

After checking in system32, I found 2 hidden files with the following names: 7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 and 7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0. Additional files found were perfc009.dat, perfh009.dat and PerfStringBackup. I have not noticed any problems with the normal functioning of my computer... yet.

Thanks for your help, here is my DDS log:

```text
DDS (Ver_09-05-14.01) - NTFSx86
Run by Jason at 19:54:05.10 on Mon 05/18/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3326.2431 [GMT -4:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\Jason\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\xwzjpguh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Users\Jason\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jason\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jason\Desktop\dds.pif
C:\Users\Jason\Desktop\dds.pif
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Jason\Desktop\dds.pif

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [Google Update] "c:\users\jason\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [VolPanel] "c:\program files\creative\sbaudigy\volume panel\VolPanlu.exe" /r
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DRam prosessor] xwzjpguh.exe
mRunOnce: [GBTUpd] c:\program files\gigabyte\gbtupd\PreRun.exe
mRunServices: [DRam prosessor] xwzjpguh.exe
StartupFolder: c:\users\jason\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\jason\appdata\roaming\mozilla\firefox\profiles\no784l8k.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\users\jason\appdata\local\google\update\1.2.145.5\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2009-2-20 27648]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-2-20 79360]
S3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\system32\drivers\RtTeam60.sys [2009-2-20 42496]
S3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.0);c:\windows\system32\drivers\RtVlan60.sys [2009-2-20 19968]
S3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\drivers\RtTeam60.sys [2009-2-20 42496]

=============== Created Last 30 ================

2009-04-22 21:08 <DIR> --d----- c:\program files\common files\Control Panels
2009-04-22 20:37 <DIR> --d-h--- c:\program files\Zero G Registry
2009-04-22 20:36 <DIR> --d-h--- c:\users\jason\InstallAnywhere
2009-04-21 19:47 <DIR> --d--r-- c:\program files\Skype
2009-04-21 19:47 <DIR> --d----- c:\programdata\Skype

==================== Find3M ====================

2009-04-29 23:53 615,992 a------- c:\windows\system32\ci.dll
2009-04-13 20:15 86,016 a------- c:\windows\inf\infstrng.dat
2009-04-13 20:15 51,200 a------- c:\windows\inf\infpub.dat
2009-04-13 20:15 86,016 a------- c:\windows\inf\infstor.dat
2009-03-16 23:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 23:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 23:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-08 13:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 13:42 121,326 a------- c:\windows\hpoins15.dat
2009-03-03 00:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-03 00:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-03 00:40 827,392 a------- c:\windows\system32\wininet.dll
2009-03-03 00:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-03 00:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-03 00:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 00:37 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-03 00:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-03 00:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-03 00:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-02 23:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 22:38 17,408 a------- c:\windows\system32\iashost.exe
2009-03-02 22:28 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-02-20 21:22 174 a--sh--- c:\program files\desktop.ini
2009-02-20 21:17 665,600 a------- c:\windows\inf\drvindex.dat
2009-02-20 20:52 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-02-20 20:52 82,432 a------- c:\windows\system32\axaltocm.dll
2009-02-20 19:38 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-02-20 19:38 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-02-20 19:38 94,720 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-02-20 19:36 233,888 a------- c:\windows\system32\DreamScene.dll
2009-02-20 19:36 269,312 a------- c:\windows\system32\es.dll
2009-02-20 19:35 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-20 19:35 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-20 19:33 6,656 a------- c:\windows\system32\kbd106n.dll
2009-02-20 19:33 988,216 a------- c:\windows\system32\winload.exe
2009-02-20 19:33 927,288 a------- c:\windows\system32\winresume.exe
2009-02-20 19:33 378,368 a------- c:\windows\system32\srcore.dll
2009-02-20 19:33 318,464 a------- c:\windows\system32\rstrui.exe
2009-02-20 19:33 46,592 a------- c:\windows\system32\setbcdlocale.dll
2009-02-20 19:33 40,960 a------- c:\windows\system32\srclient.dll
2009-02-20 19:33 19,000 a------- c:\windows\system32\kd1394.dll
2009-02-20 19:33 14,848 a------- c:\windows\system32\srdelayed.exe
2009-02-20 19:31 712,704 a------- c:\windows\system32\WindowsCodecs.dll
2009-02-20 19:31 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-02-20 19:31 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-02-20 19:30 678,408 a------- c:\windows\system32\gpprefcl.dll
2009-02-20 19:30 1,645,568 a------- c:\windows\system32\connect.dll
2009-02-20 18:31 409,600 a------- c:\windows\system32\wrap_oal.dll
2009-02-20 18:31 114,688 a------- c:\windows\system32\OpenAL32.dll
2009-02-20 15:50 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2009-02-20 15:50 272,896 a------- c:\windows\system32\polstore.dll
2009-02-20 15:50 61,440 a------- c:\windows\system32\winipsec.dll
2009-02-20 15:50 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2009-02-20 15:44 296,960 a------- c:\windows\system32\gdi32.dll
2009-02-20 15:42 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-02-20 15:42 2,560 a------- c:\windows\apppatch\AcRes.dll
2009-02-20 15:42 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2009-02-20 15:42 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-02-20 15:42 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2009-02-20 15:42 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-02-20 15:42 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-02-20 15:42 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-02-20 15:42 1,695,744 a------- c:\windows\system32\gameux.dll
2009-02-20 15:41 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-02-20 15:40 1,191,936 a------- c:\windows\system32\msxml3.dll
2009-02-20 15:40 2,048 a------- c:\windows\system32\msxml3r.dll
2009-02-20 15:37 2,048 a------- c:\windows\system32\tzres.dll
2009-02-20 15:34 2,927,104 a------- c:\windows\explorer.exe
2009-02-20 15:34 306,202 ---shr-- c:\windows\system32\zugdcjkx.exe
2009-02-20 15:34 306,202 ---shr-- c:\windows\system32\ymafemxq.exe
2009-02-20 15:34 306,202 ---shr-- c:\windows\system32\xwzjpguh.exe
2009-02-20 15:34 306,202 ---shr-- c:\windows\system32\opsahwyc.exe
2009-02-20 15:34 306,202 ---shr-- c:\windows\system32\lhuztbwv.exe
2009-02-20 15:34 306,202 ---shr-- c:\windows\system32\ieqbdtdp.exe
2009-02-20 15:34 306,202 ---shr-- c:\windows\system32\ewwueioi.exe
2009-02-20 15:34 306,202 ---shr-- c:\windows\system32\binfyhet.exe
2009-02-20 15:29 181,760 a------- c:\windows\system32\fsquirt.exe
2009-02-20 15:27 443,392 a------- c:\windows\system32\win32spl.dll
2009-02-20 15:27 37,888 a------- c:\windows\system32\printcom.dll
2009-02-20 15:27 14,848 a------- c:\windows\system32\wshrm.dll
2009-02-20 15:22 622,080 a------- c:\windows\system32\icardagt.exe
2009-02-20 15:22 97,800 a------- c:\windows\system32\infocardapi.dll
2009-02-20 15:22 11,264 a------- c:\windows\system32\icardres.dll
2009-02-20 15:22 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-20 15:22 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-02-20 15:22 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-02-20 15:22 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-02-20 15:10 96,760 a------- c:\windows\system32\dfshim.dll
2009-02-20 15:10 41,984 a------- c:\windows\system32\netfxperf.dll
2009-02-20 15:10 282,112 a------- c:\windows\system32\mscoree.dll
2009-02-20 15:10 158,720 a------- c:\windows\system32\mscorier.dll
2009-02-20 15:10 83,968 a------- c:\windows\system32\mscories.dll
2009-02-20 15:00 2,868,736 a------- c:\windows\system32\mf.dll
2009-02-20 15:00 98,816 a------- c:\windows\system32\mfps.dll
2009-02-20 15:00 53,248 a------- c:\windows\system32\rrinstaller.exe
2009-02-20 15:00 24,576 a------- c:\windows\system32\mfpmp.exe
2009-02-20 15:00 2,048 a------- c:\windows\system32\mferror.dll
2009-02-20 15:00 996,352 a------- c:\windows\system32\WMNetMgr.dll
2009-02-20 15:00:23 A------- 94,720 c:\windows\system32\logagent.exe

============= FINISH: 19:54:38.26 ===============
```
#2
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan on system?
Greetings slice123 and Welcome to the Forums,
It looks to me like you have the WORM_RBOT.CSG. Your GMER scan looked fine by the way.

You should uninstall these:

Java(TM) 6 Update 7 - Outdated and not needed
Vuze - File sharing software... you might consider that this is the reason for your current issues

Click start-->control panel-->programs and features... click on the program name to highlight it... From the menu at the top, select Uninstall or Remove. Do this for each item listed above and reboot when finished uninstalling.

You can update your Java from the control panel. Click on the start button (Globe), select Control Panel (Classic View)... look for the Java icon... it would appear as a coffee cup. When the Java Control Panel opens, click the "Update" tab, then click the Update Now button at the bottom.

By the way, your Adobe Acrobat Reader is out of date and exploited. You can install the latest version Here.

Please download combofix from This Webpage... and read through the instructions there for running the tool.

***Important Note*** Please read through the guidance on that web page carefully and thoroughly... and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

You have Windows Vista so you can skip the recovery console step... in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.

Info for the benefit of other readers: the Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments. Once installed, a blue screen prompt should appear that reads as follows: The Recovery Console was successfully installed.

Next:

When the tool is finished, it will produce a report for you. Please post that log back here on your next reply. Thanks!

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance
#3
Registered User
Join Date: May 2009
Posts: 15
OS: vista sp1
Re: Trojan on system?
Hey 1972vet, thank you for the quick response. I followed your instructions, still getting the same problem though. Here is the log from combofix:
```text
ComboFix 09-05-18.02 - Jason 05/18/2009 22:53.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3326.2382 [GMT -4:00]
Running from: c:\users\Jason\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Jason\AppData\Roaming\Adobe\Player.exe
c:\windows\system32\AutoRun.inf

----- BITS: Possible infected sites -----

hxxp://78.157.143.163
.
((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.

2009-05-10 03:46 . 2009-05-10 03:46 -------- d-----w c:\users\Jason\AppData\Local\Google
2009-04-23 01:08 . 2009-04-23 01:08 -------- d-----w c:\program files\Common Files\Control Panels
2009-04-23 00:46 . 2009-04-23 00:46 -------- d-----w c:\users\Jason\AppData\Local\Installer2792
2009-04-23 00:43 . 2009-04-23 00:43 -------- d-----w c:\users\Jason\AppData\Local\Installer3676
2009-04-23 00:37 . 2009-04-23 00:38 -------- d--h--w c:\program files\Zero G Registry
2009-04-23 00:36 . 2009-04-23 00:36 -------- d--h--w c:\users\Jason\InstallAnywhere
2009-04-21 23:48 . 2009-05-18 23:00 -------- d-----w c:\users\Jason\AppData\Roaming\Skype
2009-04-21 23:47 . 2009-04-21 23:47 -------- d-----r c:\program files\Skype
2009-04-21 23:47 . 2009-04-21 23:47 -------- d-----w c:\programdata\Skype
2009-04-21 23:47 . 2009-04-21 23:47 -------- d-----w c:\users\All Users\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 02:44 . 2009-02-21 05:28 -------- d-----w c:\program files\Java
2009-05-19 02:01 . 2009-03-04 18:00 12 ----a-w c:\windows\bthservsdp.dat
2009-05-17 20:09 . 2009-02-21 03:02 -------- d-----w c:\program files\Warcraft III
2009-05-16 16:43 . 2009-02-24 00:32 -------- d-----w c:\program files\Common Files\Adobe
2009-05-11 01:26 . 2009-02-20 19:29 -------- d-----w c:\program files\Vuze
2009-04-30 03:53 . 2009-02-20 23:33 615992 ----a-w c:\windows\system32\ci.dll
2009-04-14 00:45 . 2009-02-20 18:23 52776 ----a-w c:\users\Jason\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-26 23:11 . 2009-03-26 23:11 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-03-17 03:38 . 2009-04-17 22:23 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-17 22:23 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-09 09:19 . 2009-02-24 03:38 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 03:59 . 2009-03-06 03:59 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-06 03:59 . 2009-03-06 03:59 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-05 17:42 . 2009-03-05 17:39 121326 ----a-w c:\windows\hpoins15.dat
2009-03-03 04:46 . 2009-04-17 22:23 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 22:23 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-17 22:22 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-17 22:23 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 22:23 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 22:23 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 22:22 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-17 22:23 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 22:23 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-17 22:23 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-17 22:23 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 22:23 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-17 22:22 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-02-22 02:59 . 2009-02-22 02:59 52776 ----a-w c:\users\Home Slice\AppData\Local\GDIPFONTCACHEV1.DAT
2009-02-21 03:03 . 2009-02-21 03:03 552 ----a-w c:\users\Jason\AppData\Local\d3d8caps.dat
2009-02-21 01:22 . 2006-11-02 12:49 174 --sha-w c:\program files\desktop.ini
2009-02-21 00:52 . 2006-11-02 10:32 101888 ----a-w c:\windows\system32\ifxcardm.dll
2009-02-21 00:52 . 2006-11-02 10:32 82432 ----a-w c:\windows\system32\axaltocm.dll
2009-02-20 23:38 . 2009-02-20 23:38 94720 ----a-w c:\windows\system32\PortableDeviceClassExtension.dll
2009-02-20 23:38 . 2009-02-20 23:38 241152 ----a-w c:\windows\system32\PortableDeviceApi.dll
2009-02-20 23:38 . 2009-02-20 23:38 160768 ----a-w c:\windows\system32\PortableDeviceTypes.dll
2009-02-20 23:36 . 2009-02-20 23:36 233888 ----a-w c:\windows\system32\DreamScene.dll
2009-02-20 23:36 . 2009-02-20 23:36 269312 ----a-w c:\windows\system32\es.dll
2009-02-20 23:35 . 2009-02-20 23:35 428544 ----a-w c:\windows\system32\EncDec.dll
2009-02-20 23:35 . 2009-02-20 23:35 293376 ----a-w c:\windows\system32\psisdecd.dll
2009-02-20 23:33 . 2009-02-20 23:33 6656 ----a-w c:\windows\system32\kbd106n.dll
2009-02-20 23:33 . 2009-02-20 23:33 988216 ----a-w c:\windows\system32\winload.exe
2009-02-20 23:33 . 2009-02-20 23:33 927288 ----a-w c:\windows\system32\winresume.exe
2009-02-20 23:33 . 2009-02-20 23:33 46592 ----a-w c:\windows\system32\setbcdlocale.dll
2009-02-20 23:33 . 2009-02-20 23:33 40960 ----a-w c:\windows\system32\srclient.dll
2009-02-20 23:33 . 2009-02-20 23:33 378368 ----a-w c:\windows\system32\srcore.dll
2009-02-20 23:33 . 2009-02-20 23:33 318464 ----a-w c:\windows\system32\rstrui.exe
2009-02-20 23:33 . 2009-02-20 23:33 19000 ----a-w c:\windows\system32\kd1394.dll
2009-02-20 23:33 . 2009-02-20 23:33 14848 ----a-w c:\windows\system32\srdelayed.exe
2009-02-20 23:31 . 2009-02-20 23:31 712704 ----a-w c:\windows\system32\WindowsCodecs.dll
2009-02-20 23:31 . 2009-02-20 23:31 425472 ----a-w c:\windows\system32\PhotoMetadataHandler.dll
2009-02-20 23:31 . 2009-02-20 23:31 347136 ----a-w c:\windows\system32\WindowsCodecsExt.dll
2009-02-20 23:30 . 2009-02-20 23:30 678408 ----a-w c:\windows\system32\gpprefcl.dll
2009-02-20 23:30 . 2009-02-20 23:30 1645568 ----a-w c:\windows\system32\connect.dll
2009-02-20 22:31 . 2009-02-20 20:13 409600 ----a-w c:\windows\system32\wrap_oal.dll
2009-02-20 22:31 . 2009-02-20 20:13 114688 ----a-w c:\windows\system32\OpenAL32.dll
2009-02-20 20:26 . 2009-02-20 20:26 0 ----a-w c:\windows\ativpsrm.bin
2009-02-20 20:11 . 2009-02-20 20:11 0 ----a-w c:\windows\nsreg.dat
2009-02-20 20:04 . 2009-02-20 18:23 680 ----a-w c:\users\Jason\AppData\Local\d3d9caps.dat
2009-02-20 19:50 . 2009-02-20 19:50 61440 ----a-w c:\windows\system32\winipsec.dll
2009-02-20 19:50 . 2009-02-20 19:50 361984 ----a-w c:\windows\system32\IPSECSVC.DLL
2009-02-20 19:50 . 2009-02-20 19:50 28672 ----a-w c:\windows\system32\FwRemoteSvr.dll
2009-02-20 19:50 . 2009-02-20 19:50 272896 ----a-w c:\windows\system32\polstore.dll
2009-02-20 19:44 . 2009-02-20 19:44 296960 ----a-w c:\windows\system32\gdi32.dll
2009-02-20 19:43 . 2009-02-20 19:43 212480 ----a-w c:\windows\system32\drivers\mrxsmb10.sys
2009-02-20 19:42 . 2009-02-20 19:42 28672 ----a-w c:\windows\system32\Apphlpdm.dll
2009-02-20 19:42 . 2009-02-20 19:42 4240384 ----a-w c:\windows\system32\GameUXLegacyGDFs.dll
2009-02-20 19:42 . 2009-02-20 19:42 1695744 ----a-w c:\windows\system32\gameux.dll
2009-02-20 19:41 . 2009-02-20 19:41 303616 ----a-w c:\windows\system32\wmpeffects.dll
2009-02-20 19:40 . 2009-02-20 19:40 2048 ----a-w c:\windows\system32\msxml3r.dll
2009-02-20 19:40 . 2009-02-20 19:40 1191936 ----a-w c:\windows\system32\msxml3.dll
2009-02-20 19:37 . 2009-02-20 19:37 2048 ----a-w c:\windows\system32\tzres.dll
2009-02-20 19:34 . 2009-02-20 19:34 306202 --sh--r c:\windows\system32\zugdcjkx.exe
2009-02-20 19:34 . 2009-02-20 19:34 306202 --sh--r c:\windows\system32\ymafemxq.exe
2009-02-20 19:34 . 2009-02-20 19:34 306202 --sh--r c:\windows\system32\xwzjpguh.exe
2009-02-20 19:34 . 2009-02-20 19:34 306202 --sh--r c:\windows\system32\opsahwyc.exe
2009-02-20 19:34 . 2009-02-20 19:34 306202 --sh--r c:\windows\system32\lhuztbwv.exe
2009-02-20 19:34 . 2009-02-20 19:34 306202 --sh--r c:\windows\system32\kerudnuw.exe
2009-02-20 19:34 . 2009-02-20 19:34 306202 --sh--r c:\windows\system32\ieqbdtdp.exe
2009-02-20 19:34 . 2009-02-20 19:34 306202 --sh--r c:\windows\system32\ewwueioi.exe
2009-02-20 19:34 . 2009-02-20 19:34 306202 --sh--r c:\windows\system32\binfyhet.exe
2009-02-20 19:34 . 2009-02-20 19:34 2927104 ----a-w c:\windows\explorer.exe
2009-02-20 19:29 . 2009-02-20 19:29 29184 ----a-w c:\windows\system32\drivers\BTHUSB.SYS
2009-02-20 19:29 . 2009-02-20 19:29 220160 ----a-w c:\windows\system32\drivers\bthport.sys
2009-02-20 19:29 . 2009-02-20 19:29 19456 ----a-w c:\windows\system32\drivers\bthenum.sys
2009-02-20 19:29 . 2009-02-20 19:29 181760 ----a-w c:\windows\system32\fsquirt.exe
2009-02-20 19:27 . 2009-02-20 19:27 443392 ----a-w c:\windows\system32\win32spl.dll
2009-02-20 19:27 . 2009-02-20 19:27 37888 ----a-w c:\windows\system32\printcom.dll
2009-02-20 19:27 . 2009-02-20 19:27 14848 ----a-w c:\windows\system32\wshrm.dll
2009-02-20 19:27 . 2009-02-20 19:27 113664 ----a-w c:\windows\system32\drivers\rmcast.sys
2009-02-20 19:25 . 2009-02-20 19:25 288768 ----a-w c:\windows\system32\drivers\srv.sys
2009-02-20 19:22 . 2009-02-20 19:22 622080 ----a-w c:\windows\system32\icardagt.exe
2009-02-20 19:22 . 2009-02-20 19:22 97800 ----a-w c:\windows\system32\infocardapi.dll
2009-02-20 19:22 . 2009-02-20 19:22 11264 ----a-w c:\windows\system32\icardres.dll
2009-02-20 19:22 . 2009-02-20 19:22 105016 ----a-w c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-20 19:22 . 2009-02-20 19:22 781344 ----a-w c:\windows\system32\PresentationNative_v0300.dll
2009-02-20 19:22 . 2009-02-20 19:22 43544 ----a-w c:\windows\system32\PresentationHostProxy.dll
2009-02-20 19:22 . 2009-02-20 19:22 326160 ----a-w c:\windows\system32\PresentationHost.exe
2009-02-20 19:10 . 2009-02-20 19:10 96760 ----a-w c:\windows\system32\dfshim.dll
2009-02-20 19:10 . 2009-02-20 19:10 41984 ----a-w c:\windows\system32\netfxperf.dll
2009-02-20 19:10 . 2009-02-20 19:10 83968 ----a-w c:\windows\system32\mscories.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"Google Update"="c:\users\Jason\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-05-10 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-04 61440]
"VolPanel"="c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2007-02-28 180224]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"P17RunE"="P17RunE.dll" - c:\windows\System32\P17RunE.dll [2007-04-09 14848]
"DRam prosessor"="kerudnuw.exe" - c:\windows\System32\kerudnuw.exe [2009-02-20 306202]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"GBTUpd"="c:\program files\Gigabyte\GBTUpd\PreRun.exe" [2008-04-03 297480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"DRam prosessor"="kerudnuw.exe" - c:\windows\System32\kerudnuw.exe [2009-02-20 306202]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{F43C6E00-E943-4131-9530-8351741C5304}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{C0036DE2-1994-4CB5-B494-8D6B1E2E268F}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"{4CADBCAE-93A3-4EA8-9FB8-55080F88050E}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{9D2812A4-9B10-43BE-B35E-58AB65CAA355}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"TCP Query User{5CEDCF5D-3A3D-4BD2-AAAD-9A73E3982A24}c:\\program files\\gigabyte\\gbtupd\\gbtupd.exe"= UDP:c:\program files\gigabyte\gbtupd\gbtupd.exe:GBTUpd.exe
"UDP Query User{51341F95-567D-41AA-881E-12066D115E22}c:\\program files\\gigabyte\\gbtupd\\gbtupd.exe"= TCP:c:\program files\gigabyte\gbtupd\gbtupd.exe:GBTUpd.exe
"TCP Query User{A2CF0233-C8DA-43D7-9E13-AEFD4B182DE7}c:\\program files\\gigabyte\\gbtupd\\runupd.exe"= UDP:c:\program files\gigabyte\gbtupd\runupd.exe:RunUpd
"UDP Query User{80B64A8C-E1D2-4D7C-B746-EEBED54C8D79}c:\\program files\\gigabyte\\gbtupd\\runupd.exe"= TCP:c:\program files\gigabyte\gbtupd\runupd.exe:RunUpd
"{B4FCB717-8DB6-4293-B229-03C1743EB47B}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{DFF4F805-8D71-413B-8B17-6E9F5AB5DAC5}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{582E0F2B-CB34-4AEB-883D-416BED25680A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{255A09A2-EF8B-4EFC-BBB7-B4E85AD7489D}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{844156CA-4386-44A8-82EA-E22C3CEBC024}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{1B157187-B768-4B5C-9029-4B65392CB7B5}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{6E52D9F4-D839-4FBA-890A-089195E2256F}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{5055678C-9514-4822-949F-0D8F41938A97}c:\\program files\\adobe\\flex builder 3\\jre\\bin\\javaw.exe"= UDP:c:\program files\adobe\flex builder 3\jre\bin\javaw.exe:Java(TM) 2 Platform Standard Edition binary
"UDP Query User{9D355E55-C7B1-4A53-88C6-A7C5CA4DFFEC}c:\\program files\\adobe\\flex builder 3\\jre\\bin\\javaw.exe"= TCP:c:\program files\adobe\flex builder 3\jre\bin\javaw.exe:Java(TM) 2 Platform Standard Edition binary
"{62040431-6D6D-4D8C-8913-76328FE23F09}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{4569753A-A93E-4C35-9B29-BD5A7EE40BAA}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{7FEFBAD7-6A9F-4BDC-8722-903D892B7E10}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{ABD0323B-1CB0-4FB0-BB8A-260D4DE739CC}"= c:\program files\Skype\Phone\Skype.exe:Skype

R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\System32\drivers\RtNdPt60.sys [2/20/2009 2:35 PM 27648]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2/20/2009 7:18 PM 79360]
S3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\System32\drivers\RtTeam60.sys [2/20/2009 2:35 PM 42496]
S3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.0);c:\windows\System32\drivers\RtVlan60.sys [2/20/2009 2:35 PM 19968]
S3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\System32\drivers\RtTeam60.sys [2/20/2009 2:35 PM 42496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2610806045-715070848-1434627518-1000.job
- c:\users\Jason\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-10 03:46]

2009-05-18 c:\windows\Tasks\User_Feed_Synchronization-{DCE319F5-1940-4AFB-BF99-0810A84B7016}.job
- c:\windows\system32\msfeedssync.exe [2009-02-21 07:33]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)

.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\no784l8k.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\users\Jason\AppData\Local\Google\Update\1.2.145.5\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 22:55
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-19 22:57
ComboFix-quarantined-files.txt 2009-05-19 02:56

Pre-Run: 103,847,575,552 bytes free
Post-Run: 105,188,028,416 bytes free

224 --- E O F --- 2009-05-18 22:48
```
#4
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan on system?
Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK". Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt... Change the "Save as type" to All Files and save it to your desktop.

Now drag the text document over to your Combofix.exe. Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

File::
c:\windows\system32\zugdcjkx.exe
c:\windows\system32\ymafemxq.exe
c:\windows\system32\xwzjpguh.exe
c:\windows\system32\opsahwyc.exe
c:\windows\system32\lhuztbwv.exe
c:\windows\system32\kerudnuw.exe
c:\windows\system32\ieqbdtdp.exe
c:\windows\system32\ewwueioi.exe
c:\windows\system32\binfyhet.exe
c:\windows\System32\kerudnuw.exe

Folder::
c:\users\Jason\AppData\Local\Installer2792
c:\users\Jason\AppData\Local\Installer3676
c:\program files\Vuze
c:\program files\LimeWire

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DRam prosessor"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"DRam prosessor"=-
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance
#5
Registered User
Join Date: May 2009
Posts: 15
OS: vista sp1
Re: Trojan on system?
Here are the contents of the log report, thanks again.
ComboFix 09-05-18.02 - Jason 05/19/2009 20:20.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3326.2521 [GMT -4:00]
Running from: c:\users\Jason\Desktop\ComboFix.exe
Command switches used :: c:\users\Jason\Desktop\CFScript.txt
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
c:\windows\system32\binfyhet.exe
c:\windows\system32\ewwueioi.exe
c:\windows\system32\ieqbdtdp.exe
c:\windows\System32\kerudnuw.exe
c:\windows\system32\lhuztbwv.exe
c:\windows\system32\opsahwyc.exe
c:\windows\system32\xwzjpguh.exe
c:\windows\system32\ymafemxq.exe
c:\windows\system32\zugdcjkx.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Vuze
c:\program files\Vuze\plugins\azemp\azemp_2.1.02.jar
c:\program files\Vuze\plugins\azemp\azemp_2.1.02.zip
c:\program files\Vuze\plugins\azemp\azmplay.exe.bak
c:\program files\Vuze\plugins\azemp\cp1250-a.raw.bak
c:\program files\Vuze\plugins\azemp\cp1250-b.raw.bak
c:\program files\Vuze\plugins\azemp\font.desc.bak
c:\program files\Vuze\plugins\azemp\osd-mplayer-a.raw.bak
c:\program files\Vuze\plugins\azemp\osd-mplayer-b.raw.bak
c:\program files\Vuze\plugins\azemp\plugin.properties_2.1.02
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.17.jar
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.17.zip
c:\program files\Vuze\plugins\azupnpav\plugin.properties_0.2.17
c:\users\Jason\AppData\Local\Installer2792
c:\users\Jason\AppData\Local\Installer2792\Deployment.xml
c:\users\Jason\AppData\Local\Installer2792\payloads\AdobeColorCommonSet1.0.1All\AdobeColorCommonSet1.0.1All.boot.xml
c:\users\Jason\AppData\Local\Installer2792\payloads\AdobeColorCommonSet1.0.1All\AdobeColorCommonSet1.0.1All.msi
c:\users\Jason\AppData\Local\Installer2792\payloads\AdobeColorCommonSet1.0.1All\AdobeColorCommonSet1.0.1All.proxy.xml
c:\users\Jason\AppData\Local\Installer2792\payloads\AdobeColorCommonSet1.0.1All\AdobeColorCommonSet1.0.1All1.cab
c:\users\Jason\AppData\Local\Installer2792\payloads\Setup.xml
c:\users\Jason\AppData\Local\Installer2792\redist\WindowsInstaller-KB893803-v2-x86.exe
c:\users\Jason\AppData\Local\Installer2792\redist\WindowsServer2003-KB898715-ia64-enu.exe
c:\users\Jason\AppData\Local\Installer2792\redist\WindowsServer2003-KB898715-x64-enu.exe
c:\users\Jason\AppData\Local\Installer2792\redist\WindowsServer2003-KB898715-x86-enu.exe
c:\users\Jason\AppData\Local\Installer2792\redist\WindowsXP-KB898715-x64-enu.exe
c:\users\Jason\AppData\Local\Installer2792\resources\common\alert\alert.css
c:\users\Jason\AppData\Local\Installer2792\resources\common\alert\alert.html
c:\users\Jason\AppData\Local\Installer2792\resources\common\alert\alert_ie.css
c:\users\Jason\AppData\Local\Installer2792\resources\common\scripts\ContainerProxy.js
c:\users\Jason\AppData\Local\Installer2792\resources\common\scripts\localization.js
c:\users\Jason\AppData\Local\Installer2792\resources\common\scripts\silentWorkflow.js
c:\users\Jason\AppData\Local\Installer2792\resources\common\scripts\utils.js
c:\users\Jason\AppData\Local\Installer2792\resources\main.html
c:\users\Jason\AppData\Local\Installer2792\resources\main.xml
c:\users\Jason\AppData\Local\Installer2792\resources\media\css\styles.css
c:\users\Jason\AppData\Local\Installer2792\resources\media\img\progbar_on.png
c:\users\Jason\AppData\Local\Installer2792\resources\media\img\progbarLeft_on.png
c:\users\Jason\AppData\Local\Installer2792\resources\media\img\progbarRight.png
c:\users\Jason\AppData\Local\Installer2792\resources\media\img\progbox.png
c:\users\Jason\AppData\Local\Installer2792\Setup.exe
c:\users\Jason\AppData\Local\Installer2792\WinBootstrapper.msi
c:\users\Jason\AppData\Local\Installer2792\WinBootstrapper1.cab
c:\users\Jason\AppData\Local\Installer3676
c:\users\Jason\AppData\Local\Installer3676\Deployment.xml
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\AdobeExtendScriptToolkit2.0.2All.boot.xml
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\AdobeExtendScriptToolkit2.0.2All.msi
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\AdobeExtendScriptToolkit2.0.2All.proxy.xml
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\AdobeExtendScriptToolkit2.0.2All1.cab
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\ar_AE.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\be_BY.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\bg_BG.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\ca_ES.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\cs_CZ.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\da_DK.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\de_DE.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\el_GR.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\en_GB.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\en_US.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\en_XC.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\en_XM.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\es_ES.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\es_QM.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\et_EE.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\fi_FI.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\fr_FR.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\fr_XM.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\he_IL.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\hi_IN.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\hr_HR.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\hu_HU.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\is_IS.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\it_IT.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\ja_JP.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\ko_KR.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\lt_LT.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\lv_LV.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\mk_MK.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\nb_NO.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\nl_NL.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\pl_PL.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\pt_BR.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\ro_RO.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\ru_RU.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\sh_YU.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\sk_SK.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\sl_SI.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\sq_AL.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\sv_SE.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\th_TH.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\tr_TR.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\uk_UA.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\vi_VN.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\zh_CN.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\zh_TW.mst
c:\users\Jason\AppData\Local\Installer3676\payloads\Setup.xml
c:\users\Jason\AppData\Local\Installer3676\redist\WindowsInstaller-KB893803-v2-x86.exe
c:\users\Jason\AppData\Local\Installer3676\redist\WindowsServer2003-KB898715-ia64-enu.exe
c:\users\Jason\AppData\Local\Installer3676\redist\WindowsServer2003-KB898715-x64-enu.exe
c:\users\Jason\AppData\Local\Installer3676\redist\WindowsServer2003-KB898715-x86-enu.exe
c:\users\Jason\AppData\Local\Installer3676\redist\WindowsXP-KB898715-x64-enu.exe
c:\users\Jason\AppData\Local\Installer3676\resources\common\alert\alert.css
c:\users\Jason\AppData\Local\Installer3676\resources\common\alert\alert.html
c:\users\Jason\AppData\Local\Installer3676\resources\common\alert\alert_ie.css
c:\users\Jason\AppData\Local\Installer3676\resources\common\alert\alert_rtl.css
c:\users\Jason\AppData\Local\Installer3676\resources\common\alert\alert_rtl_ie.css
c:\users\Jason\AppData\Local\Installer3676\resources\common\scripts\ContainerProxy.js
c:\users\Jason\AppData\Local\Installer3676\resources\common\scripts\localization.js
c:\users\Jason\AppData\Local\Installer3676\resources\common\scripts\silentWorkflow.js
c:\users\Jason\AppData\Local\Installer3676\resources\common\scripts\utils.js
c:\users\Jason\AppData\Local\Installer3676\resources\main.html
c:\users\Jason\AppData\Local\Installer3676\resources\main.xml
c:\users\Jason\AppData\Local\Installer3676\resources\media\css\styles.css
c:\users\Jason\AppData\Local\Installer3676\resources\media\img\progbar_on.png
c:\users\Jason\AppData\Local\Installer3676\resources\media\img\progbarLeft_on.png
c:\users\Jason\AppData\Local\Installer3676\resources\media\img\progbarRight.png
c:\users\Jason\AppData\Local\Installer3676\resources\media\img\progbox.png
c:\users\Jason\AppData\Local\Installer3676\Setup.exe
c:\users\Jason\AppData\Local\Installer3676\WinBootstrapper.msi
c:\users\Jason\AppData\Local\Installer3676\WinBootstrapper1.cab
c:\windows\system32\binfyhet.exe
c:\windows\system32\ewwueioi.exe
c:\windows\system32\ieqbdtdp.exe
c:\windows\System32\kerudnuw.exe
c:\windows\system32\lhuztbwv.exe
c:\windows\system32\opsahwyc.exe
c:\windows\system32\xwzjpguh.exe
c:\windows\system32\ymafemxq.exe
c:\windows\system32\zugdcjkx.exe
.
((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.
2009-05-10 03:46 . 2009-05-10 03:46 -------- d-----w c:\users\Jason\AppData\Local\Google
2009-04-23 01:08 . 2009-04-23 01:08 -------- d-----w c:\program files\Common Files\Control Panels
2009-04-23 00:37 . 2009-04-23 00:38 -------- d--h--w c:\program files\Zero G Registry
2009-04-23 00:36 . 2009-04-23 00:36 -------- d--h--w c:\users\Jason\InstallAnywhere
2009-04-21 23:48 . 2009-05-18 23:00 -------- d-----w c:\users\Jason\AppData\Roaming\Skype
2009-04-21 23:47 . 2009-04-21 23:47 -------- d-----r c:\program files\Skype
2009-04-21 23:47 . 2009-04-21 23:47 -------- d-----w c:\programdata\Skype
2009-04-21 23:47 . 2009-04-21 23:47 -------- d-----w c:\users\All Users\Skype
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 03:08 . 2009-03-04 18:00 12 ----a-w c:\windows\bthservsdp.dat
2009-05-19 02:44 . 2009-02-21 05:28 -------- d-----w c:\program files\Java
2009-05-17 20:09 . 2009-02-21 03:02 -------- d-----w c:\program files\Warcraft III
2009-05-16 16:43 . 2009-02-24 00:32 -------- d-----w c:\program files\Common Files\Adobe
2009-04-30 03:53 . 2009-02-20 23:33 615992 ----a-w c:\windows\system32\ci.dll
2009-04-14 00:45 . 2009-02-20 18:23 52776 ----a-w c:\users\Jason\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-26 23:11 . 2009-03-26 23:11 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-03-17 03:38 . 2009-04-17 22:23 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-17 22:23 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-09 09:19 . 2009-02-24 03:38 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 03:59 . 2009-03-06 03:59 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-06 03:59 . 2009-03-06 03:59 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-05 17:42 . 2009-03-05 17:39 121326 ----a-w c:\windows\hpoins15.dat
2009-03-03 04:46 . 2009-04-17 22:23 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 22:23 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-17 22:22 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-17 22:23 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 22:23 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 22:23 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 22:22 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-17 22:23 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 22:23 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-17 22:23 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-17 22:23 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 22:23 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-17 22:22 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-02-22 02:59 . 2009-02-22 02:59 52776 ----a-w c:\users\Home Slice\AppData\Local\GDIPFONTCACHEV1.DAT
2009-02-21 03:03 . 2009-02-21 03:03 552 ----a-w c:\users\Jason\AppData\Local\d3d8caps.dat
2009-02-21 01:22 . 2006-11-02 12:49 174 --sha-w c:\program files\desktop.ini
2009-02-21 00:52 . 2006-11-02 10:32 101888 ----a-w c:\windows\system32\ifxcardm.dll
2009-02-21 00:52 . 2006-11-02 10:32 82432 ----a-w c:\windows\system32\axaltocm.dll
2009-02-20 23:38 . 2009-02-20 23:38 94720 ----a-w c:\windows\system32\PortableDeviceClassExtension.dll
2009-02-20 23:38 . 2009-02-20 23:38 241152 ----a-w c:\windows\system32\PortableDeviceApi.dll
2009-02-20 23:38 . 2009-02-20 23:38 160768 ----a-w c:\windows\system32\PortableDeviceTypes.dll
2009-02-20 23:36 . 2009-02-20 23:36 233888 ----a-w c:\windows\system32\DreamScene.dll
2009-02-20 23:36 . 2009-02-20 23:36 269312 ----a-w c:\windows\system32\es.dll
2009-02-20 23:35 . 2009-02-20 23:35 428544 ----a-w c:\windows\system32\EncDec.dll
2009-02-20 23:35 . 2009-02-20 23:35 293376 ----a-w c:\windows\system32\psisdecd.dll
2009-02-20 23:33 . 2009-02-20 23:33 6656 ----a-w c:\windows\system32\kbd106n.dll
2009-02-20 23:33 . 2009-02-20 23:33 988216 ----a-w c:\windows\system32\winload.exe
2009-02-20 23:33 . 2009-02-20 23:33 927288 ----a-w c:\windows\system32\winresume.exe
2009-02-20 23:33 . 2009-02-20 23:33 46592 ----a-w c:\windows\system32\setbcdlocale.dll
2009-02-20 23:33 . 2009-02-20 23:33 40960 ----a-w c:\windows\system32\srclient.dll
2009-02-20 23:33 . 2009-02-20 23:33 378368 ----a-w c:\windows\system32\srcore.dll
2009-02-20 23:33 . 2009-02-20 23:33 318464 ----a-w c:\windows\system32\rstrui.exe
2009-02-20 23:33 . 2009-02-20 23:33 19000 ----a-w c:\windows\system32\kd1394.dll
2009-02-20 23:33 . 2009-02-20 23:33 14848 ----a-w c:\windows\system32\srdelayed.exe
2009-02-20 23:31 . 2009-02-20 23:31 712704 ----a-w c:\windows\system32\WindowsCodecs.dll
2009-02-20 23:31 . 2009-02-20 23:31 425472 ----a-w c:\windows\system32\PhotoMetadataHandler.dll
2009-02-20 23:31 . 2009-02-20 23:31 347136 ----a-w c:\windows\system32\WindowsCodecsExt.dll
2009-02-20 23:30 . 2009-02-20 23:30 678408 ----a-w c:\windows\system32\gpprefcl.dll
2009-02-20 23:30 . 2009-02-20 23:30 1645568 ----a-w c:\windows\system32\connect.dll
2009-02-20 22:31 . 2009-02-20 20:13 409600 ----a-w c:\windows\system32\wrap_oal.dll
2009-02-20 22:31 . 2009-02-20 20:13 114688 ----a-w c:\windows\system32\OpenAL32.dll
2009-02-20 20:26 . 2009-02-20 20:26 0 ----a-w c:\windows\ativpsrm.bin
2009-02-20 20:11 . 2009-02-20 20:11 0 ----a-w c:\windows\nsreg.dat
2009-02-20 20:04 . 2009-02-20 18:23 680 ----a-w c:\users\Jason\AppData\Local\d3d9caps.dat
2009-02-20 19:50 . 2009-02-20 19:50 61440 ----a-w c:\windows\system32\winipsec.dll
2009-02-20 19:50 . 2009-02-20 19:50 361984 ----a-w c:\windows\system32\IPSECSVC.DLL
2009-02-20 19:50 . 2009-02-20 19:50 28672 ----a-w c:\windows\system32\FwRemoteSvr.dll
2009-02-20 19:50 . 2009-02-20 19:50 272896 ----a-w c:\windows\system32\polstore.dll
2009-02-20 19:44 . 2009-02-20 19:44 296960 ----a-w c:\windows\system32\gdi32.dll
2009-02-20 19:43 . 2009-02-20 19:43 212480 ----a-w c:\windows\system32\drivers\mrxsmb10.sys
2009-02-20 19:42 . 2009-02-20 19:42 28672 ----a-w c:\windows\system32\Apphlpdm.dll
2009-02-20 19:42 . 2009-02-20 19:42 4240384 ----a-w c:\windows\system32\GameUXLegacyGDFs.dll
2009-02-20 19:42 . 2009-02-20 19:42 1695744 ----a-w c:\windows\system32\gameux.dll
2009-02-20 19:41 . 2009-02-20 19:41 303616 ----a-w c:\windows\system32\wmpeffects.dll
2009-02-20 19:40 . 2009-02-20 19:40 2048 ----a-w c:\windows\system32\msxml3r.dll
2009-02-20 19:40 . 2009-02-20 19:40 1191936 ----a-w c:\windows\system32\msxml3.dll
2009-02-20 19:37 . 2009-02-20 19:37 2048 ----a-w c:\windows\system32\tzres.dll
2009-02-20 19:34 . 2009-02-20 19:34 306202 --sh--r c:\windows\system32\vtyjbctb.exe
2009-02-20 19:34 . 2009-02-20 19:34 306202 --sh--r c:\windows\system32\rhkpmcje.exe
2009-02-20 19:34 . 2009-02-20 19:34 2927104 ----a-w c:\windows\explorer.exe
2009-02-20 19:29 . 2009-02-20 19:29 29184 ----a-w c:\windows\system32\drivers\BTHUSB.SYS
2009-02-20 19:29 . 2009-02-20 19:29 220160 ----a-w c:\windows\system32\drivers\bthport.sys
2009-02-20 19:29 . 2009-02-20 19:29 19456 ----a-w c:\windows\system32\drivers\bthenum.sys
2009-02-20 19:29 . 2009-02-20 19:29 181760 ----a-w c:\windows\system32\fsquirt.exe
2009-02-20 19:27 . 2009-02-20 19:27 443392 ----a-w c:\windows\system32\win32spl.dll
2009-02-20 19:27 . 2009-02-20 19:27 37888 ----a-w c:\windows\system32\printcom.dll
2009-02-20 19:27 . 2009-02-20 19:27 14848 ----a-w c:\windows\system32\wshrm.dll
2009-02-20 19:27 . 2009-02-20 19:27 113664 ----a-w c:\windows\system32\drivers\rmcast.sys
2009-02-20 19:25 . 2009-02-20 19:25 288768 ----a-w c:\windows\system32\drivers\srv.sys
2009-02-20 19:22 . 2009-02-20 19:22 622080 ----a-w c:\windows\system32\icardagt.exe
2009-02-20 19:22 . 2009-02-20 19:22 97800 ----a-w c:\windows\system32\infocardapi.dll
2009-02-20 19:22 . 2009-02-20 19:22 11264 ----a-w c:\windows\system32\icardres.dll
2009-02-20 19:22 . 2009-02-20 19:22 105016 ----a-w c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-20 19:22 . 2009-02-20 19:22 781344 ----a-w c:\windows\system32\PresentationNative_v0300.dll
2009-02-20 19:22 . 2009-02-20 19:22 43544 ----a-w c:\windows\system32\PresentationHostProxy.dll
2009-02-20 19:22 . 2009-02-20 19:22 326160 ----a-w c:\windows\system32\PresentationHost.exe
2009-02-20 19:10 . 2009-02-20 19:10 96760 ----a-w c:\windows\system32\dfshim.dll
2009-02-20 19:10 . 2009-02-20 19:10 41984 ----a-w c:\windows\system32\netfxperf.dll
2009-02-20 19:10 . 2009-02-20 19:10 83968 ----a-w c:\windows\system32\mscories.dll
2009-02-20 19:10 . 2009-02-20 19:10 282112 ----a-w c:\windows\system32\mscoree.dll
2009-02-20 19:10 . 2009-02-20 19:10 158720 ----a-w c:\windows\system32\mscorier.dll
2009-02-20 19:00 . 2009-02-20 19:00 98816 ----a-w c:\windows\system32\mfps.dll
2009-02-20 19:00 . 2009-02-20 19:00 53248 ----a-w c:\windows\system32\rrinstaller.exe
2009-02-20 19:00 . 2009-02-20 19:00 2868736 ----a-w c:\windows\system32\mf.dll
2009-02-20 19:00 . 2009-02-20 19:00 24576 ----a-w c:\windows\system32\mfpmp.exe
2009-02-20 19:00 . 2009-02-20 19:00 2048 ----a-w c:\windows\system32\mferror.dll
2009-02-20 19:00 . 2009-02-20 19:00 996352 ----a-w c:\windows\system32\WMNetMgr.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-19_02.56.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-20 20:05 . 2009-05-19 23:42 31660 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:03 . 2009-05-19 23:42 51206 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-20 18:24 . 2009-05-19 23:42 7050 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2610806045-715070848-1434627518-1000_UserData.bin
- 2009-05-19 02:38 . 2009-05-19 02:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-05-19 23:40 . 2009-05-19 23:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-05-19 02:38 . 2009-05-19 02:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-19 23:40 . 2009-05-19 23:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-05-19 23:47 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-05-19 02:44 595446 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-05-19 23:47 101144 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-05-19 02:44 101144 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"Google Update"="c:\users\Jason\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-05-10 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-04 61440]
"VolPanel"="c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2007-02-28 180224]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"P17RunE"="P17RunE.dll" - c:\windows\System32\P17RunE.dll [2007-04-09 14848]
"DRam prosessor"="rhkpmcje.exe" - c:\windows\System32\rhkpmcje.exe [2009-02-20 306202]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"GBTUpd"="c:\program files\Gigabyte\GBTUpd\PreRun.exe" [2008-04-03 297480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"DRam prosessor"="rhkpmcje.exe" - c:\windows\System32\rhkpmcje.exe [2009-02-20 306202]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{F43C6E00-E943-4131-9530-8351741C5304}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{C0036DE2-1994-4CB5-B494-8D6B1E2E268F}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"{4CADBCAE-93A3-4EA8-9FB8-55080F88050E}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{9D2812A4-9B10-43BE-B35E-58AB65CAA355}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"TCP Query User{5CEDCF5D-3A3D-4BD2-AAAD-9A73E3982A24}c:\\program files\\gigabyte\\gbtupd\\gbtupd.exe"= UDP:c:\program files\gigabyte\gbtupd\gbtupd.exe:GBTUpd.exe
"UDP Query User{51341F95-567D-41AA-881E-12066D115E22}c:\\program files\\gigabyte\\gbtupd\\gbtupd.exe"= TCP:c:\program files\gigabyte\gbtupd\gbtupd.exe:GBTUpd.exe
"TCP Query User{A2CF0233-C8DA-43D7-9E13-AEFD4B182DE7}c:\\program files\\gigabyte\\gbtupd\\runupd.exe"= UDP:c:\program files\gigabyte\gbtupd\runupd.exe:RunUpd
"UDP Query User{80B64A8C-E1D2-4D7C-B746-EEBED54C8D79}c:\\program files\\gigabyte\\gbtupd\\runupd.exe"= TCP:c:\program files\gigabyte\gbtupd\runupd.exe:RunUpd
"{B4FCB717-8DB6-4293-B229-03C1743EB47B}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{DFF4F805-8D71-413B-8B17-6E9F5AB5DAC5}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{582E0F2B-CB34-4AEB-883D-416BED25680A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{255A09A2-EF8B-4EFC-BBB7-B4E85AD7489D}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{844156CA-4386-44A8-82EA-E22C3CEBC024}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{1B157187-B768-4B5C-9029-4B65392CB7B5}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{6E52D9F4-D839-4FBA-890A-089195E2256F}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{5055678C-9514-4822-949F-0D8F41938A97}c:\\program files\\adobe\\flex builder 3\\jre\\bin\\javaw.exe"= UDP:c:\program files\adobe\flex builder 3\jre\bin\javaw.exe:Java(TM) 2 Platform Standard Edition binary
"UDP Query User{9D355E55-C7B1-4A53-88C6-A7C5CA4DFFEC}c:\\program files\\adobe\\flex builder 3\\jre\\bin\\javaw.exe"= TCP:c:\program files\adobe\flex builder 3\jre\bin\javaw.exe:Java(TM) 2 Platform Standard Edition binary
"{62040431-6D6D-4D8C-8913-76328FE23F09}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{4569753A-A93E-4C35-9B29-BD5A7EE40BAA}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{7FEFBAD7-6A9F-4BDC-8722-903D892B7E10}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{ABD0323B-1CB0-4FB0-BB8A-260D4DE739CC}"= c:\program files\Skype\Phone\Skype.exe:Skype

R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\System32\drivers\RtNdPt60.sys [2/20/2009 2:35 PM 27648]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2/20/2009 7:18 PM 79360]
S3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\System32\drivers\RtTeam60.sys [2/20/2009 2:35 PM 42496]
S3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.0);c:\windows\System32\drivers\RtVlan60.sys [2/20/2009 2:35 PM 19968]
S3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\System32\drivers\RtTeam60.sys [2/20/2009 2:35 PM 42496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2610806045-715070848-1434627518-1000.job
- c:\users\Jason\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-10 03:46]

2009-05-19 c:\windows\Tasks\User_Feed_Synchronization-{DCE319F5-1940-4AFB-BF99-0810A84B7016}.job
- c:\windows\system32\msfeedssync.exe [2009-02-21 07:33]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\no784l8k.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\users\Jason\AppData\Local\Google\Update\1.2.145.5\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 20:22
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-20 20:23
ComboFix-quarantined-files.txt 2009-05-20 00:23
ComboFix2.txt 2009-05-19 02:57

Pre-Run: 104,403,283,968 bytes free
Post-Run: 104,371,634,176 bytes free

370 --- E O F --- 2009-05-18 22:48
#6
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan on system?
As we already uninstalled Vuze, it is in your best interest to return to your add/remove programs listing to look for Azureus. While it is true that Vuze is what was once known as Azureus, the two can still be installed side by side. The file paths for each would be:
c:\Program Files\Azureus
c:\program files\Vuze <-- This one has already been removed

If you find it in the list, click to uninstall it. Additionally, look for LimeWire and remove that too.

Adobe Acrobat 7.0 is out of date and exploited. You should uninstall what you have and install the latest version Here.

Please open a blank Notepad by clicking start-->run. Then, in the run box type Notepad.exe and click "OK". Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt... Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe. Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

KILLALL::

File::
c:\windows\system32\vtyjbctb.exe
c:\windows\system32\rhkpmcje.exe

Folder::
c:\program files\LimeWire

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DRam prosessor"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"DRam prosessor"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{F43C6E00-E943-4131-9530-8351741C5304}c:\program files\vuze\azureus.exe"=-
"UDP Query User{C0036DE2-1994-4CB5-B494-8D6B1E2E268F}c:\program files\vuze\azureus.exe"=-
"{B4FCB717-8DB6-4293-B229-03C1743EB47B}"=-
"{DFF4F805-8D71-413B-8B17-6E9F5AB5DAC5}"=-
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance
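The CFScript above removes firewall rules that still point at the uninstalled Vuze and LimeWire executables. The following is an added example (not ComboFix's code and not the analyst's) that parses the FirewallRules dump in the log format shown earlier in this thread, finds rules whose program is no longer on disk, and writes the corresponding Registry:: section; the four sample entries come from this thread's log, and the list of still-installed paths is a constructed assumption.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample in the layout ComboFix/DDS uses when it dumps the
# FirewallRules key; the four entries are copied from this thread's log.
SAMPLE_FIREWALL_RULES = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{F43C6E00-E943-4131-9530-8351741C5304}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"{B4FCB717-8DB6-4293-B229-03C1743EB47B}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{582E0F2B-CB34-4AEB-883D-416BED25680A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6E52D9F4-D839-4FBA-890A-089195E2256F}"= c:\program files\Skype\Phone\Skype.exe:Skype
'''

# One rule per line: "<value name>"= [TCP:|UDP:]<program path>:<display name>.
# The protocol prefix is missing on some entries (the Skype ones in the log).
RULE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*'
    r'(?:(?P<proto>TCP|UDP):)?'
    r'(?P<path>[A-Za-z]:\\[^:]+):'
    r'(?P<app>.+)$',
    re.MULTILINE,
)


@dataclass(frozen=True)
class FirewallRule:
    name: str   # registry value name exactly as the log printed it
    proto: str  # "TCP", "UDP", or "" when the log shows no prefix
    path: str   # program the rule lets through the firewall
    app: str    # display name


def parse_firewall_rules(text: str) -> List[FirewallRule]:
    return [
        FirewallRule(m["name"], m["proto"] or "", m["path"], m["app"])
        for m in RULE_RE.finditer(text)
    ]


def stale_rules(rules: Iterable[FirewallRule],
                installed_paths: Iterable[str]) -> List[FirewallRule]:
    """Rules whose program is no longer present (case-insensitive path match)."""
    present = {p.lower() for p in installed_paths}
    return [r for r in rules if r.path.lower() not in present]


def cfscript_registry_section(rules: Iterable[FirewallRule]) -> str:
    """Registry:: section in the CFScript form used in the post above.

    The log prints the backslashes in value names doubled, while the script
    in the post writes them single, so the doubled form is collapsed here.
    """
    lines = [
        "Registry::",
        r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]",
    ]
    for r in rules:
        lines.append('"%s"=-' % r.name.replace("\\\\", "\\"))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed assumption: only Bonjour and Skype survived the uninstalls.
    still_installed = [
        r"c:\program files\Bonjour\mDNSResponder.exe",
        r"C:\Program Files\Skype\Phone\Skype.exe",
    ]
    print(cfscript_registry_section(
        stale_rules(parse_firewall_rules(SAMPLE_FIREWALL_RULES), still_installed)))
```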
#7
Registered User
Join Date: May 2009
Posts: 15
OS: vista sp1
Re: Trojan on system?
Hey,
I went through and deleted all files associated with azureus/vuze/limewire and updated acrobat. I then ran the script you provided through combofix and, as it was finishing up the check, a message came up saying that windows had failed and needed to reboot (there was an exe associated with this message, though I stupidly forgot to write it down - I think it might have included "catchme", which I believe is a malware scanner?). Afterwards, windows rebooted, and combofix loaded and said that it was preparing a report but never did so (idled for about 10 minutes). Good news - the windows defender message did not pop up asking whether or not to block the malware .exe and no malware .exe was running (as it was previously) in the task manager. I still see the files I mentioned in the first post in system32 though.
#8
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan on system?
The combofix log will overwrite the previously run combofix log. The log is located here:
C:\Combofix.txt
...Navigate to that location, hover your mouse over that text file and it should show you the date and time the log was modified. Make note of that date and time... next, please navigate to:
C:\Qoobox
...located within that folder are two more folders, "BackEnv" and "Quarantine", and some other files. Copy the contents of the "Add-Remove Programs.txt" and the "Combofix-quarantined-files.txt" and post them back here on your next reply along with the date and time of the log you found at c:\Combofix.txt ...Thanks!
#9
Registered User
Join Date: May 2009
Posts: 15
OS: vista sp1
Re: Trojan on system?
The date and time of the log is 5/19/09 at 10:57 PM (the correct time for when I ran the combofix scan that I got an error message on last night). Here are the contents of the "add-remove" and "quarantine" files:
add/remove:

@BIOS Ver.2.03
32 Bit HP CIO Components Installer
Ableton Live v7.0.2
Adobe Anchor Service CS4
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Flex Builder 3
Adobe Fonts All
Adobe Help Viewer CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Reader 7.0
Adobe Setup
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AIO_Scan
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
ATI Catalyst Install Manager
Bonjour
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
ccc-core-static
ccc-utility
CCC Help English
Creative ALchemy
Creative MediaSource 5
Creative Software AutoUpdate
Creative System Information
Creative WaveStudio 7
Diagnostic Utility
Face_Wizard B08.0908.01
Google Chrome
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Photosmart All-In-One Software 9.0
iTunes
Java(TM) 6 Update 13
Microsoft .NET Framework 3.5 SP1
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB954430)
OpenOffice.org 3.0
PDF Settings
PS_AIO_Software_min
Python 2.5
QuickTime
Scan
Skins
Skype™ 4.0
Sound Blaster Audigy
Toolbox
Update Manager B08.1027.1
Ventrilo Client
VLC media player 0.9.8a
Warcraft III
WinRAR archiver
WinZip 11.1

quarantine:

2009-05-20 00:20:23 . 2009-05-20 00:20:24 1,508,163 ----a-w C:\Qoobox\Quarantine\[4]-Submit_2009-05-19_20.20.14.zip
2009-05-19 02:55:34 . 2009-05-20 00:21:53 5,021 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-05-19 02:52:50 . 2009-05-20 00:19:26 124 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-05-11 01:28:22 . 2009-05-11 01:28:22 210,455 ----a-w C:\Qoobox\Quarantine\C\Program Files\Vuze\plugins\azupnpav\azupnpav_0.2.17.jar.vir
2009-05-11 01:28:22 . 2009-05-11 01:28:22 125 ----a-w C:\Qoobox\Quarantine\C\Program Files\Vuze\plugins\azupnpav\plugin.properties_0.2.17.vir
2009-05-11 01:28:22 . 2009-05-11 01:28:22 194,790 ----a-w C:\Qoobox\Quarantine\C\Program Files\Vuze\plugins\azupnpav\azupnpav_0.2.17.zip.vir
2009-05-11 01:28:06 . 2009-05-11 01:28:06 325,992 ----a-w C:\Qoobox\Quarantine\C\Program Files\Vuze\plugins\azemp\azemp_2.1.02.jar.vir
2009-05-11 01:28:06 . 2009-05-11 01:28:06 205 ----a-w C:\Qoobox\Quarantine\C\Program Files\Vuze\plugins\azemp\plugin.properties_2.1.02.vir
2009-05-11 01:28:05 . 2009-05-11 01:28:05 3,307,056 ----a-w C:\Qoobox\Quarantine\C\Program Files\Vuze\plugins\azemp\azemp_2.1.02.zip.vir
2009-03-26 23:07:18 . 2008-10-15 21:17:14 16,896 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Roaming\Adobe\Player.exe.vir
2009-03-05 17:38:56 . 2007-09-21 15:15:14 307,237 ----a-w C:\Qoobox\Quarantine\C\Windows\System32\autorun.inf.vir
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306,202 ----a-w C:\Qoobox\Quarantine\C\Windows\System32\binfyhet.exe.vir
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306,202 ----a-w C:\Qoobox\Quarantine\C\Windows\System32\ewwueioi.exe.vir
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306,202 ----a-w C:\Qoobox\Quarantine\C\Windows\System32\ieqbdtdp.exe.vir
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306,202 ----a-w C:\Qoobox\Quarantine\C\Windows\System32\kerudnuw.exe.vir
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306,202 ----a-w C:\Qoobox\Quarantine\C\Windows\System32\lhuztbwv.exe.vir
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306,202 ----a-w C:\Qoobox\Quarantine\C\Windows\System32\opsahwyc.exe.vir
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306,202 ----a-w C:\Qoobox\Quarantine\C\Windows\System32\xwzjpguh.exe.vir
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306,202 ----a-w C:\Qoobox\Quarantine\C\Windows\System32\ymafemxq.exe.vir
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306,202 ----a-w C:\Qoobox\Quarantine\C\Windows\System32\zugdcjkx.exe.vir
2009-02-20 19:29:51 . 2009-01-22 23:05:16 6,696 ----a-w C:\Qoobox\Quarantine\C\Program Files\Vuze\plugins\azemp\font.desc.bak.vir
2009-02-20 19:29:51 . 2009-01-22 23:05:16 8,864 ----a-w C:\Qoobox\Quarantine\C\Program Files\Vuze\plugins\azemp\osd-mplayer-a.raw.bak.vir
2009-02-20 19:29:51 . 2009-01-22 23:05:16 8,864 ----a-w C:\Qoobox\Quarantine\C\Program Files\Vuze\plugins\azemp\osd-mplayer-b.raw.bak.vir
2009-02-20 19:29:51 . 2009-01-22 23:05:16 106,464 ----a-w C:\Qoobox\Quarantine\C\Program Files\Vuze\plugins\azemp\cp1250-a.raw.bak.vir
2009-02-20 19:29:51 . 2009-01-22 23:05:16 106,464 ----a-w C:\Qoobox\Quarantine\C\Program Files\Vuze\plugins\azemp\cp1250-b.raw.bak.vir
2009-02-20 19:29:51 . 2009-01-22 23:05:16 5,472,734 ----a-w C:\Qoobox\Quarantine\C\Program Files\Vuze\plugins\azemp\azmplay.exe.bak.vir
2007-12-19 17:46:28 . 2007-12-19 17:46:28 2,688,392 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\Setup.exe.vir
2007-12-19 17:46:18 . 2007-12-19 17:46:18 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\tr_TR.mst.vir
2007-12-19 17:46:18 . 2007-12-19 17:46:18 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\uk_UA.mst.vir
2007-12-19 17:46:18 . 2007-12-19 17:46:18 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\vi_VN.mst.vir
2007-12-19 17:46:18 . 2007-12-19 17:46:18 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\zh_CN.mst.vir
2007-12-19 17:46:18 . 2007-12-19 17:46:18 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\zh_TW.mst.vir
2007-12-19 17:46:16 . 2007-12-19 17:46:16 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\pt_BR.mst.vir
2007-12-19 17:46:16 . 2007-12-19 17:46:16 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\ro_RO.mst.vir
2007-12-19 17:46:16 . 2007-12-19 17:46:16 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\ru_RU.mst.vir
2007-12-19 17:46:16 . 2007-12-19 17:46:16 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\sh_YU.mst.vir
2007-12-19 17:46:16 . 2007-12-19 17:46:16 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\sk_SK.mst.vir
2007-12-19 17:46:16 . 2007-12-19 17:46:16 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\sl_SI.mst.vir
2007-12-19 17:46:16 . 2007-12-19 17:46:16 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\sq_AL.mst.vir
2007-12-19 17:46:16 . 2007-12-19 17:46:16 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\sv_SE.mst.vir
2007-12-19 17:46:16 . 2007-12-19 17:46:16 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\th_TH.mst.vir
2007-12-19 17:46:14 . 2007-12-19 17:46:14 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\hi_IN.mst.vir
2007-12-19 17:46:14 . 2007-12-19 17:46:14 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\hr_HR.mst.vir
2007-12-19 17:46:14 . 2007-12-19 17:46:14 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\hu_HU.mst.vir
2007-12-19 17:46:14 . 2007-12-19 17:46:14 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\is_IS.mst.vir
2007-12-19 17:46:14 . 2007-12-19 17:46:14 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\it_IT.mst.vir
2007-12-19 17:46:14 . 2007-12-19 17:46:14 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\ja_JP.mst.vir
2007-12-19 17:46:14 . 2007-12-19 17:46:14 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\ko_KR.mst.vir
2007-12-19 17:46:14 . 2007-12-19 17:46:14 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\lt_LT.mst.vir
2007-12-19 17:46:14 . 2007-12-19 17:46:14 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\lv_LV.mst.vir
2007-12-19 17:46:14 . 2007-12-19 17:46:14 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\mk_MK.mst.vir
2007-12-19 17:46:14 . 2007-12-19 17:46:14 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\nb_NO.mst.vir
2007-12-19 17:46:14 . 2007-12-19 17:46:14 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\nl_NL.mst.vir
2007-12-19 17:46:14 . 2007-12-19 17:46:14 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\pl_PL.mst.vir
2007-12-19 17:46:12 . 2007-12-19 17:46:12 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\el_GR.mst.vir
2007-12-19 17:46:12 . 2007-12-19 17:46:12 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\en_GB.mst.vir
2007-12-19 17:46:12 . 2007-12-19 17:46:12 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\en_XC.mst.vir
2007-12-19 17:46:12 . 2007-12-19 17:46:12 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\en_XM.mst.vir
2007-12-19 17:46:12 . 2007-12-19 17:46:12 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\es_ES.mst.vir
2007-12-19 17:46:12 . 2007-12-19 17:46:12 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\es_QM.mst.vir
2007-12-19 17:46:12 . 2007-12-19 17:46:12 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\et_EE.mst.vir
2007-12-19 17:46:12 . 2007-12-19 17:46:12 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\fi_FI.mst.vir
2007-12-19 17:46:12 . 2007-12-19 17:46:12 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\fr_FR.mst.vir
2007-12-19 17:46:12 . 2007-12-19 17:46:12 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\fr_XM.mst.vir
2007-12-19 17:46:12 . 2007-12-19 17:46:12 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\he_IL.mst.vir
2007-12-19 17:46:10 . 2007-12-19 17:46:10 2,437,632 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\AdobeExtendScriptToolkit2.0.2All.msi.vir
2007-12-19 17:46:10 . 2007-12-19 17:46:10 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\ar_AE.mst.vir
2007-12-19 17:46:10 . 2007-12-19 17:46:10 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\be_BY.mst.vir
2007-12-19 17:46:10 . 2007-12-19 17:46:10 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\bg_BG.mst.vir
2007-12-19 17:46:10 . 2007-12-19 17:46:10 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\ca_ES.mst.vir
2007-12-19 17:46:10 . 2007-12-19 17:46:10 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\cs_CZ.mst.vir
2007-12-19 17:46:10 . 2007-12-19 17:46:10 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\da_DK.mst.vir
2007-12-19 17:46:10 . 2007-12-19 17:46:10 4,608 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\de_DE.mst.vir
2007-12-19 17:46:10 . 2007-12-19 17:46:10 4,096 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\en_US.mst.vir
2007-12-19 17:46:08 . 2007-12-19 17:46:08 6,407,837 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\AdobeExtendScriptToolkit2.0.2All1.cab.vir
2007-12-19 17:45:50 . 2007-12-19 17:45:50 1,900,544 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\WinBootstrapper.msi.vir
2007-12-19 17:45:46 . 2007-12-19 17:45:46 7,196 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\AdobeExtendScriptToolkit2.0.2All.boot.xml.vir
2007-12-19 17:45:46 . 2007-12-19 17:45:46 1,898,247 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\AdobeExtendScriptToolkit2.0.2All\AdobeExtendScriptToolkit2.0.2All.proxy.xml.vir
2007-12-19 17:45:30 . 2009-04-23 00:43:14 2,819 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\Deployment.xml.vir
2007-12-19 17:45:30 . 2007-12-19 17:45:30 320 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\payloads\Setup.xml.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 514,375 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\WinBootstrapper1.cab.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 7,292 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\main.html.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 25,990 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\main.xml.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 583 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\common\alert\alert.css.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 2,412 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\common\alert\alert.html.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 508 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\common\alert\alert_ie.css.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 623 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\common\alert\alert_rtl.css.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 548 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\common\alert\alert_rtl_ie.css.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 32,241 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\common\scripts\ContainerProxy.js.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 10,366 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\common\scripts\localization.js.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 46,303 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\common\scripts\silentWorkflow.js.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 109,621 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\common\scripts\utils.js.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 1,572 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\media\css\styles.css.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 270 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\media\img\progbarLeft_on.png.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 273 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\media\img\progbarRight.png.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 162 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\media\img\progbar_on.png.vir
2007-12-19 11:54:40 . 2007-12-19 11:54:40 1,692 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\resources\media\img\progbox.png.vir
2007-12-19 11:54:04 . 2007-12-19 11:54:04 4,584,688 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\redist\WindowsXP-KB898715-x64-enu.exe.vir
2007-12-19 11:54:02 . 2007-12-19 11:54:02 4,584,688 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\redist\WindowsServer2003-KB898715-x64-enu.exe.vir
2007-12-19 11:54:02 . 2007-12-19 11:54:02 1,536,752 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\redist\WindowsServer2003-KB898715-x86-enu.exe.vir
2007-12-19 11:54:00 . 2007-12-19 11:54:00 5,960,944 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\redist\WindowsServer2003-KB898715-ia64-enu.exe.vir
2007-12-19 11:53:58 . 2007-12-19 11:53:58 2,585,872 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\redist\WindowsInstaller-KB893803-v2-x86.exe.vir
2007-05-29 15:05:56 . 2009-04-23 00:46:07 2,193 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\Deployment.xml.vir
2007-05-29 15:05:56 . 2007-05-29 15:05:56 312 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\payloads\Setup.xml.vir
2007-05-29 15:05:48 . 2007-05-29 15:05:48 1,815,552 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\payloads\AdobeColorCommonSet1.0.1All\AdobeColorCommonSet1.0.1All.msi.vir
2007-05-29 15:05:48 . 2007-05-29 15:05:48 5,548,570 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\payloads\AdobeColorCommonSet1.0.1All\AdobeColorCommonSet1.0.1All1.cab.vir
2007-05-29 15:05:40 . 2007-05-29 15:05:40 1,900,544 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\WinBootstrapper.msi.vir
2007-05-29 15:05:36 . 2007-05-29 15:05:36 5,882 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\payloads\AdobeColorCommonSet1.0.1All\AdobeColorCommonSet1.0.1All.boot.xml.vir
2007-05-29 15:05:36 . 2007-05-29 15:05:36 8,230 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\payloads\AdobeColorCommonSet1.0.1All\AdobeColorCommonSet1.0.1All.proxy.xml.vir
2007-05-29 15:01:56 . 2007-05-29 15:01:56 511,676 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\WinBootstrapper1.cab.vir
2007-05-29 15:01:56 . 2007-05-29 15:01:56 7,292 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\resources\main.html.vir
2007-05-29 15:01:56 . 2007-05-29 15:01:56 25,993 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\resources\main.xml.vir
2007-05-29 15:01:56 . 2007-05-29 15:01:56 583 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\resources\common\alert\alert.css.vir
2007-05-29 15:01:56 . 2007-05-29 15:01:56 2,418 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\resources\common\alert\alert.html.vir
2007-05-29 15:01:56 . 2007-05-29 15:01:56 508 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\resources\common\alert\alert_ie.css.vir
2007-05-29 15:01:56 . 2007-05-29 15:01:56 32,241 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\resources\common\scripts\ContainerProxy.js.vir
2007-05-29 15:01:56 . 2007-05-29 15:01:56 9,181 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\resources\common\scripts\localization.js.vir
2007-05-29 15:01:56 . 2007-05-29 15:01:56 46,303 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\resources\common\scripts\silentWorkflow.js.vir
2007-05-29 15:01:56 . 2007-05-29 15:01:56 110,156 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\resources\common\scripts\utils.js.vir
2007-05-29 15:01:56 . 2007-05-29 15:01:56 1,572 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\resources\media\css\styles.css.vir
2007-05-29 15:01:56 . 2007-05-29 15:01:56 270 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\resources\media\img\progbarLeft_on.png.vir
2007-05-29 15:01:56 . 2007-05-29 15:01:56 273 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\resources\media\img\progbarRight.png.vir
2007-05-29 15:01:56 . 2007-05-29 15:01:56 162 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\resources\media\img\progbar_on.png.vir
2007-05-29 15:01:56 . 2007-05-29 15:01:56 1,692 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\resources\media\img\progbox.png.vir
2007-05-29 15:01:54 . 2007-05-29 15:01:54 2,641,920 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\Setup.exe.vir
2007-05-29 15:00:48 . 2007-05-29 15:00:48 4,584,688 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\redist\WindowsXP-KB898715-x64-enu.exe.vir
2007-05-29 15:00:42 . 2007-05-29 15:00:42 1,536,752 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\redist\WindowsServer2003-KB898715-x86-enu.exe.vir
2007-05-29 15:00:40 . 2007-05-29 15:00:40 4,584,688 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\redist\WindowsServer2003-KB898715-x64-enu.exe.vir
2007-05-29 15:00:34 . 2007-05-29 15:00:34 5,960,944 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\redist\WindowsServer2003-KB898715-ia64-enu.exe.vir
2007-05-29 15:00:26 . 2007-05-29 15:00:26 2,585,872 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer2792\redist\WindowsInstaller-KB893803-v2-x86.exe.vir
2006-11-02 13:02:36 . 2009-05-19 02:43:12 4,194,304 ----a-w C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Network\Downloader\qmgr1.dat.vir
2006-11-02 13:02:36 . 2009-05-19 02:42:14 4,194,304 ----a-w C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Network\Downloader\qmgr0.dat.vir
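A ComboFix-quarantined-files.txt listing is long, and the part worth a second look is easy to miss in it: a run of same-sized executables with random eight-letter names quarantined from System32, plus an autorun.inf quarantined from the same directory. The following is an added example (not ComboFix's code and not from anyone in this thread) that parses lines in the listing's layout and surfaces exactly those two patterns. The sample lines are copied from the listing posted in this reply; the mapping of C:\Qoobox\Quarantine\C\... paths back to C:\... originals, and treating entries without the .vir suffix as ComboFix's own bookkeeping, are assumptions drawn from the listing's layout.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: eight lines in the layout of ComboFix-quarantined-files.txt
# (entries copied from the listing in this thread, not the whole file).
SAMPLE_QUARANTINE = r'''
2009-05-19 02:52:50 . 2009-05-20 00:19:26 124 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-03-26 23:07:18 . 2008-10-15 21:17:14 16,896 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Roaming\Adobe\Player.exe.vir
2009-03-05 17:38:56 . 2007-09-21 15:15:14 307,237 ----a-w C:\Qoobox\Quarantine\C\Windows\System32\autorun.inf.vir
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306,202 ----a-w C:\Qoobox\Quarantine\C\Windows\System32\binfyhet.exe.vir
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306,202 ----a-w C:\Qoobox\Quarantine\C\Windows\System32\xwzjpguh.exe.vir
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306,202 ----a-w C:\Qoobox\Quarantine\C\Windows\System32\zugdcjkx.exe.vir
2009-02-20 19:29:51 . 2009-01-22 23:05:16 5,472,734 ----a-w C:\Qoobox\Quarantine\C\Program Files\Vuze\plugins\azemp\azmplay.exe.bak.vir
2007-12-19 17:46:28 . 2007-12-19 17:46:28 2,688,392 ----a-w C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\Installer3676\Setup.exe.vir
'''

# <created> . <modified> <size> <attrs> <quarantine path>.vir
# Lines without the .vir suffix (catchme.log, Registry_backups) are assumed to be
# ComboFix's own bookkeeping and are skipped.
LINE_RE = re.compile(
    r'^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. '
    r'(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) '
    r'(?P<size>[\d,]+) (?P<attrs>\S+) (?P<qpath>.+?)\.vir$',
    re.MULTILINE,
)
# Assumed from the listing's layout: C:\Qoobox\Quarantine\<drive>\rest mirrors <drive>:\rest.
QUARANTINE_ROOT = re.compile(r'^[A-Za-z]:\\Qoobox\\Quarantine\\(?P<drive>[A-Za-z])\\', re.IGNORECASE)
RANDOM_STEM = re.compile(r'^[a-z]{8}$')  # the eight-letter names the original poster reported


@dataclass(frozen=True)
class QuarantinedFile:
    created: str
    modified: str
    size: int
    attrs: str
    original_path: str  # where the file lived before ComboFix moved it


def parse_quarantine(text: str) -> List[QuarantinedFile]:
    files = []
    for m in LINE_RE.finditer(text):
        qpath = m["qpath"]
        root = QUARANTINE_ROOT.match(qpath)
        original = (root["drive"].upper() + ":\\" + qpath[root.end():]) if root else qpath
        files.append(QuarantinedFile(m["created"], m["modified"],
                                     int(m["size"].replace(",", "")), m["attrs"], original))
    return files


def split_path(path: str) -> Tuple[str, str]:
    directory, _, name = path.rpartition("\\")
    return directory, name


def find_random_exe_clusters(files, min_members: int = 3) -> Dict[Tuple[str, int], List[QuarantinedFile]]:
    """Group random-named .exe files by (directory, size); keep groups of min_members or more."""
    groups = defaultdict(list)
    for f in files:
        directory, name = split_path(f.original_path)
        stem, _, ext = name.rpartition(".")
        if ext.lower() == "exe" and RANDOM_STEM.match(stem):
            groups[(directory.lower(), f.size)].append(f)
    return {k: v for k, v in groups.items() if len(v) >= min_members}


def find_autorun_in_windows_dir(files) -> List[QuarantinedFile]:
    """autorun.inf belongs on removable media, not under the Windows directory."""
    return [f for f in files
            if split_path(f.original_path)[1].lower() == "autorun.inf"
            and "\\windows\\" in f.original_path.lower()]


if __name__ == "__main__":
    parsed = parse_quarantine(SAMPLE_QUARANTINE)
    for (directory, size), members in find_random_exe_clusters(parsed).items():
        print(f"{len(members)} random-named exes of {size:,} bytes quarantined from {directory}")
    for f in find_autorun_in_windows_dir(parsed):
        print("autorun.inf quarantined from", f.original_path)
```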
#11
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan on system?
C:\Combofix.txt ...open the file, copy and paste its contents back here on your next reply. Meanwhile, I'll be reviewing the logs you posted awaiting your response. Thanks!
#12
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan on system?
Is "Ableton Live v7.0.2" one of the applications you downloaded using the file sharing software? Only reason I ask is because a Google search returns pages and pages of downloads, and all of them are either torrents or warez.
While we're on the subject, I really should advise you to remove ANY file or program you know with certainty that you downloaded using the file sharing software. Considering the issues you've had, I have no doubt that the file sharing software is behind it. Click here for information regarding the risks of using File Sharing software. Please post back the contents of the combofix log previously requested. Thanks!
#13
Registered User
Join Date: May 2009
Posts: 15
OS: vista sp1
Re: Trojan on system?
Sorry for the delay, log contents:
ComboFix 09-05-18.02 - Jason 05/19/2009 22:52:06.3 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3326.2433 [GMT -4:00]
Running from: C:\Users\Jason\Desktop\ComboFix.exe
Command switches used :: C:\Users\Jason\Desktop\CFScript.txt
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
c:\windows\system32\rhkpmcje.exe
c:\windows\system32\vtyjbctb.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\rhkpmcje.exe
c:\windows\system32\vtyjbctb.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-20 02:48:04 . 2009-05-20 02:48:04 0 d-----w C:\Program Files\Common Files\Adobe AIR
2009-05-10 03:46:14 . 2009-05-10 03:46:33 0 d-----w C:\Users\Jason\AppData\Local\Google
2009-04-23 01:08:02 . 2009-04-23 01:08:02 0 d-----w C:\Program Files\Common Files\Control Panels
2009-04-23 00:37:43 . 2009-04-23 00:38:37 0 d--h--w C:\Program Files\Zero G Registry
2009-04-23 00:36:55 . 2009-04-23 00:36:55 0 d--h--w C:\Users\Jason\InstallAnywhere
2009-04-21 23:48:18 . 2009-05-18 23:00:08 0 d-----w C:\Users\Jason\AppData\Roaming\Skype
2009-04-21 23:47:59 . 2009-04-21 23:47:59 0 d-----r C:\Program Files\Skype
2009-04-21 23:47:55 . 2009-04-21 23:47:59 0 d-----w C:\ProgramData\Skype
2009-04-21 23:47:55 . 2009-04-21 23:47:59 0 d-----w C:\Users\All Users\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-05-20 02:53:32 . 2009-03-04 18:00:11 12 ----a-w C:\Windows\bthservsdp.dat
2009-05-20 02:47:11 . 2009-02-24 00:32:19 0 d-----w C:\Program Files\Common Files\Adobe
2009-05-19 02:44:09 . 2009-02-21 05:28:27 0 d-----w C:\Program Files\Java
2009-05-17 20:09:06 . 2009-02-21 03:02:08 0 d-----w C:\Program Files\Warcraft III
2009-04-30 03:53:41 . 2009-02-20 23:33:11 615992 ----a-w C:\Windows\system32\ci.dll
2009-04-14 00:45:11 . 2009-02-20 18:23:30 52776 ----a-w C:\Users\Jason\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-26 23:11:45 . 2009-03-26 23:11:45 0 d-----w C:\Program Files\Common Files\Macrovision Shared
2009-03-17 03:38:46 . 2009-04-17 22:23:40 13824 ----a-w C:\Windows\system32\apilogen.dll
2009-03-17 03:38:44 . 2009-04-17 22:23:40 24064 ----a-w C:\Windows\system32\amxread.dll
2009-03-09 09:19:08 . 2009-02-24 03:38:01 410984 ----a-w C:\Windows\system32\deploytk.dll
2009-03-06 03:59:00 . 2009-03-06 03:59:00 36864 ----a-w C:\Windows\system32\drivers\usbaapl.sys
2009-03-06 03:59:00 . 2009-03-06 03:59:00 1900544 ----a-w C:\Windows\system32\usbaaplrc.dll
2009-03-05 17:42:56 . 2009-03-05 17:39:00 121326 ----a-w C:\Windows\hpoins15.dat
2009-03-03 04:46:01 . 2009-04-17 22:23:44 3599328 ----a-w C:\Windows\system32\ntkrnlpa.exe
2009-03-03 04:46:01 . 2009-04-17 22:23:44 3547632 ----a-w C:\Windows\system32\ntoskrnl.exe
2009-03-03 04:40:12 . 2009-04-17 22:22:57 827392 ----a-w C:\Windows\system32\wininet.dll
2009-03-03 04:39:36 . 2009-04-17 22:23:43 183296 ----a-w C:\Windows\system32\sdohlp.dll
2009-03-03 04:39:32 . 2009-04-17 22:23:45 551424 ----a-w C:\Windows\system32\rpcss.dll
2009-03-03 04:39:22 . 2009-04-17 22:23:43 26112 ----a-w C:\Windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37:14 . 2009-04-17 22:22:56 78336 ----a-w C:\Windows\system32\ieencode.dll
2009-03-03 04:37:11 . 2009-04-17 22:23:43 98304 ----a-w C:\Windows\system32\iasrecst.dll
2009-03-03 04:37:11 . 2009-04-17 22:23:43 54784 ----a-w C:\Windows\system32\iasads.dll
2009-03-03 04:37:11 . 2009-04-17 22:23:43 44032 ----a-w C:\Windows\system32\iasdatastore.dll
2009-03-03 03:04:59 . 2009-04-17 22:23:43 666624 ----a-w C:\Windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38:13 . 2009-04-17 22:23:43 17408 ----a-w C:\Windows\system32\iashost.exe
2009-03-03 02:28:19 . 2009-04-17 22:22:56 26624 ----a-w C:\Windows\system32\ieUnatt.exe
2009-02-22 02:59:07 . 2009-02-22 02:59:07 52776 ----a-w C:\Users\Home Slice\AppData\Local\GDIPFONTCACHEV1.DAT
2009-02-21 03:03:33 . 2009-02-21 03:03:33 552 ----a-w C:\Users\Jason\AppData\Local\d3d8caps.dat
2009-02-21 01:22:58 . 2006-11-02 12:49:43 174 --sha-w C:\Program Files\desktop.ini
2009-02-21 00:52:39 . 2006-11-02 10:32:57 101888 ----a-w C:\Windows\system32\ifxcardm.dll
2009-02-21 00:52:38 . 2006-11-02 10:32:57 82432 ----a-w C:\Windows\system32\axaltocm.dll
2009-02-20 23:38:28 . 2009-02-20 23:38:28 94720 ----a-w C:\Windows\system32\PortableDeviceClassExtension.dll
2009-02-20 23:38:28 . 2009-02-20 23:38:28 241152 ----a-w C:\Windows\system32\PortableDeviceApi.dll
2009-02-20 23:38:28 . 2009-02-20 23:38:28 160768 ----a-w C:\Windows\system32\PortableDeviceTypes.dll
2009-02-20 23:36:50 . 2009-02-20 23:36:50 233888 ----a-w C:\Windows\system32\DreamScene.dll
2009-02-20 23:36:08 . 2009-02-20 23:36:08 269312 ----a-w C:\Windows\system32\es.dll
2009-02-20 23:35:32 . 2009-02-20 23:35:32 428544 ----a-w C:\Windows\system32\EncDec.dll
2009-02-20 23:35:31 . 2009-02-20 23:35:31 293376 ----a-w C:\Windows\system32\psisdecd.dll
2009-02-20 23:33:12 . 2009-02-20 23:33:12 6656 ----a-w C:\Windows\system32\kbd106n.dll
2009-02-20 23:33:11 . 2009-02-20 23:33:11 988216 ----a-w C:\Windows\system32\winload.exe
2009-02-20 23:33:11 . 2009-02-20 23:33:11 927288 ----a-w C:\Windows\system32\winresume.exe
2009-02-20 23:33:11 . 2009-02-20 23:33:11 46592 ----a-w C:\Windows\system32\setbcdlocale.dll
2009-02-20 23:33:11 . 2009-02-20 23:33:11 40960 ----a-w C:\Windows\system32\srclient.dll
2009-02-20 23:33:11 . 2009-02-20 23:33:11 378368 ----a-w C:\Windows\system32\srcore.dll
2009-02-20 23:33:11 . 2009-02-20 23:33:11 318464 ----a-w C:\Windows\system32\rstrui.exe
2009-02-20 23:33:11 . 2009-02-20 23:33:11 19000 ----a-w C:\Windows\system32\kd1394.dll
2009-02-20 23:33:11 . 2009-02-20 23:33:11 14848 ----a-w C:\Windows\system32\srdelayed.exe
2009-02-20 23:31:54 . 2009-02-20 23:31:54 712704 ----a-w C:\Windows\system32\WindowsCodecs.dll
2009-02-20 23:31:54 . 2009-02-20 23:31:54 425472 ----a-w C:\Windows\system32\PhotoMetadataHandler.dll
2009-02-20 23:31:54 . 2009-02-20 23:31:54 347136 ----a-w C:\Windows\system32\WindowsCodecsExt.dll
2009-02-20 23:30:53 . 2009-02-20 23:30:53 678408 ----a-w C:\Windows\system32\gpprefcl.dll
2009-02-20 23:30:28 . 2009-02-20 23:30:28 1645568 ----a-w C:\Windows\system32\connect.dll
2009-02-20 22:31:42 . 2009-02-20 20:13:32 409600 ----a-w C:\Windows\system32\wrap_oal.dll
2009-02-20 22:31:42 . 2009-02-20 20:13:31 114688 ----a-w C:\Windows\system32\OpenAL32.dll
2009-02-20 20:26:28 . 2009-02-20 20:26:28 0 ----a-w C:\Windows\ativpsrm.bin
2009-02-20 20:11:15 . 2009-02-20 20:11:15 0 ----a-w C:\Windows\nsreg.dat
2009-02-20 20:04:43 . 2009-02-20 18:23:13 680 ----a-w C:\Users\Jason\AppData\Local\d3d9caps.dat
2009-02-20 19:50:16 . 2009-02-20 19:50:16 61440 ----a-w C:\Windows\system32\winipsec.dll
2009-02-20 19:50:16 . 2009-02-20 19:50:16 361984 ----a-w C:\Windows\system32\IPSECSVC.DLL
2009-02-20 19:50:16 . 2009-02-20 19:50:16 28672 ----a-w C:\Windows\system32\FwRemoteSvr.dll
2009-02-20 19:50:16 . 2009-02-20 19:50:16 272896 ----a-w C:\Windows\system32\polstore.dll
2009-02-20 19:44:25 . 2009-02-20 19:44:25 296960 ----a-w C:\Windows\system32\gdi32.dll
2009-02-20 19:43:46 . 2009-02-20 19:43:46 212480 ----a-w C:\Windows\system32\drivers\mrxsmb10.sys
2009-02-20 19:42:33 . 2009-02-20 19:42:33 28672 ----a-w C:\Windows\system32\Apphlpdm.dll
2009-02-20 19:42:31 . 2009-02-20 19:42:31 4240384 ----a-w C:\Windows\system32\GameUXLegacyGDFs.dll
2009-02-20 19:42:31 . 2009-02-20 19:42:31 1695744 ----a-w C:\Windows\system32\gameux.dll
2009-02-20 19:41:50 . 2009-02-20 19:41:50 303616 ----a-w C:\Windows\system32\wmpeffects.dll
2009-02-20 19:40:32 . 2009-02-20 19:40:32 2048 ----a-w C:\Windows\system32\msxml3r.dll
2009-02-20 19:40:32 . 2009-02-20 19:40:32 1191936 ----a-w C:\Windows\system32\msxml3.dll
2009-02-20 19:37:58 . 2009-02-20 19:37:58 2048 ----a-w C:\Windows\system32\tzres.dll
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306202 --sh--r C:\Windows\system32\oexyxdhv.exe
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306202 --sh--r C:\Windows\system32\mnzcxocl.exe
2009-02-20 19:34:23 . 2009-02-20 19:34:23 2927104 ----a-w C:\Windows\explorer.exe
2009-02-20 19:29:29 . 2009-02-20 19:29:29 29184 ----a-w C:\Windows\system32\drivers\BTHUSB.SYS
2009-02-20 19:29:29 . 2009-02-20 19:29:29 220160 ----a-w C:\Windows\system32\drivers\bthport.sys
2009-02-20 19:29:29 . 2009-02-20 19:29:29 19456 ----a-w C:\Windows\system32\drivers\bthenum.sys
2009-02-20 19:29:29 . 2009-02-20 19:29:29 181760 ----a-w C:\Windows\system32\fsquirt.exe
2009-02-20 19:27:40 . 2009-02-20 19:27:40 443392 ----a-w C:\Windows\system32\win32spl.dll
2009-02-20 19:27:40 . 2009-02-20 19:27:40 37888 ----a-w C:\Windows\system32\printcom.dll
2009-02-20 19:27:06 . 2009-02-20 19:27:06 14848 ----a-w C:\Windows\system32\wshrm.dll
2009-02-20 19:27:06 . 2009-02-20 19:27:06 113664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2009-02-20 19:25:36 . 2009-02-20 19:25:36 288768 ----a-w C:\Windows\system32\drivers\srv.sys
2009-02-20 19:22:52 . 2009-02-20 19:22:52 622080 ----a-w C:\Windows\system32\icardagt.exe
2009-02-20 19:22:51 . 2009-02-20 19:22:51 97800 ----a-w C:\Windows\system32\infocardapi.dll
2009-02-20 19:22:51 . 2009-02-20 19:22:51 11264 ----a-w C:\Windows\system32\icardres.dll
2009-02-20 19:22:50 . 2009-02-20 19:22:50 105016 ----a-w C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-20 19:22:49 . 2009-02-20 19:22:49 781344 ----a-w C:\Windows\system32\PresentationNative_v0300.dll
2009-02-20 19:22:49 . 2009-02-20 19:22:49 43544 ----a-w C:\Windows\system32\PresentationHostProxy.dll
2009-02-20 19:22:49 . 2009-02-20 19:22:49 326160 ----a-w C:\Windows\system32\PresentationHost.exe
2009-02-20 19:10:55 . 2009-02-20 19:10:55 96760 ----a-w C:\Windows\system32\dfshim.dll
2009-02-20 19:10:55 . 2009-02-20 19:10:55 41984 ----a-w C:\Windows\system32\netfxperf.dll
2009-02-20 19:10:54 . 2009-02-20 19:10:54 83968 ----a-w C:\Windows\system32\mscories.dll
2009-02-20 19:10:54 . 2009-02-20 19:10:54 282112 ----a-w C:\Windows\system32\mscoree.dll
2009-02-20 19:10:54 . 2009-02-20 19:10:54 158720 ----a-w C:\Windows\system32\mscorier.dll
2009-02-20 19:00:24 . 2009-02-20 19:00:24 98816 ----a-w C:\Windows\system32\mfps.dll
2009-02-20 19:00:24 . 2009-02-20 19:00:24 53248 ----a-w C:\Windows\system32\rrinstaller.exe
2009-02-20 19:00:24 . 2009-02-20 19:00:24 2868736 ----a-w C:\Windows\system32\mf.dll
2009-02-20 19:00:24 . 2009-02-20 19:00:24 24576 ----a-w C:\Windows\system32\mfpmp.exe
2009-02-20 19:00:24 . 2009-02-20 19:00:24 2048 ----a-w C:\Windows\system32\mferror.dll
2009-02-20 19:00:23 . 2009-02-20 19:00:23 996352 ----a-w C:\Windows\system32\WMNetMgr.dll
.
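The Find3M report in the post above contains two executables in system32 (oexyxdhv.exe and mnzcxocl.exe) carrying the hidden and system attributes (--sh--r), with an identical size and modification time and the same eight-random-letter naming as the rhkpmcje.exe and vtyjbctb.exe that the CFScript removed. The Python below is an added example, not part of this thread and not ComboFix's own code: it parses Find3M lines and scores each executable on three weak indicators (hidden+system in system32, a random-looking name, size/mtime clones), reporting only files that trigger at least two so that a legitimate eight-letter name such as explorer.exe or ntoskrnl.exe does not surface on its own. The sample log is a constructed excerpt of the entries above; the name heuristic (eight lower-case letters with a run of four consonants) and the two-indicator threshold are assumptions, not anything the page or the tool defines.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# One ComboFix Find3M entry per line:  <created> . <modified> <size> <attrs> <path>
# attrs is a 7-character field such as ----a-w, d-----w, --sha-w or --sh--r.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[dsharw-]{7}) (?P<path>\S.*?)\s*$"
)

# Constructed excerpt of the log posted above (not a complete log).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 03:53:41 . 2009-02-20 23:33:11 615992 ----a-w C:\Windows\system32\ci.dll
2009-03-03 04:46:01 . 2009-04-17 22:23:44 3547632 ----a-w C:\Windows\system32\ntoskrnl.exe
2009-02-21 01:22:58 . 2006-11-02 12:49:43 174 --sha-w C:\Program Files\desktop.ini
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306202 --sh--r C:\Windows\system32\oexyxdhv.exe
2009-02-20 19:34:23 . 2009-02-20 19:34:23 306202 --sh--r C:\Windows\system32\mnzcxocl.exe
2009-02-20 19:34:23 . 2009-02-20 19:34:23 2927104 ----a-w C:\Windows\explorer.exe
2009-02-20 19:29:29 . 2009-02-20 19:29:29 181760 ----a-w C:\Windows\system32\fsquirt.exe
"""


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str
    size: int
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_exe(self) -> bool:
        return self.attrs[0] != "d" and self.name.lower().endswith(".exe")

    @property
    def hidden_system(self) -> bool:
        # both the 's' (system) and 'h' (hidden) attribute flags are set
        return "s" in self.attrs and "h" in self.attrs

    @property
    def in_system32(self) -> bool:
        return "\\windows\\system32\\" in self.path.lower()


def parse_find3m(text: str) -> list[Entry]:
    """Return the entries in a Find3M report; header, '.' and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["created"], m["modified"], int(m["size"]), m["attrs"], m["path"]))
    return entries


def looks_random(name: str) -> bool:
    """Assumed heuristic: eight lower-case letters containing a run of four or more consonants."""
    stem = name[:-4]
    return bool(re.fullmatch(r"[a-z]{8}\.exe", name)) and re.search(r"[^aeiou]{4}", stem) is not None


def score_entries(entries: list[Entry]) -> dict[str, list[str]]:
    """Map each executable's path to the list of weak indicators it triggers."""
    reasons: dict[str, list[str]] = defaultdict(list)
    clones: dict[tuple[int, str], list[Entry]] = defaultdict(list)
    for e in entries:
        if not e.is_exe:
            continue
        clones[(e.size, e.modified)].append(e)
        if e.in_system32 and e.hidden_system:
            reasons[e.path].append("hidden+system executable in system32")
        if looks_random(e.name):
            reasons[e.path].append("random-looking 8-letter name")
    # files dropped together tend to share size and modification time exactly
    for group in clones.values():
        if len(group) > 1:
            for e in group:
                reasons[e.path].append(f"same size and mtime as {len(group) - 1} other executable(s)")
    return dict(reasons)


def flag_suspicious(entries: list[Entry], min_reasons: int = 2) -> dict[str, list[str]]:
    """Report only executables that trigger at least min_reasons indicators (assumed threshold)."""
    return {p: r for p, r in score_entries(entries).items() if len(r) >= min_reasons}


if __name__ == "__main__":
    for path, why in flag_suspicious(parse_find3m(SAMPLE_LOG)).items():
        print(path, "->", "; ".join(why))
```

Run against the constructed excerpt it reports exactly the two --sh--r files, each with all three reasons, while ntoskrnl.exe (which the name heuristic alone would catch) stays below the threshold. None of the indicators is proof of infection by itself; they tell you which files to hash and check against a known-good list or submit for analysis.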
#14
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan on system?
That does not appear to be the entire log. Please have another look...also, you've said nothing in response to:
Quote:
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance
#15
Registered User
Join Date: May 2009
Posts: 15
OS: vista sp1
Re: Trojan on system?
I checked again and what I posted is the complete contents of the log. Remember that last time I ran combofix I got the "windows failed" message and after the computer rebooted, I waited for about twenty minutes for the log to finish, which it never did. I ended up closing it, figuring it had stalled out.
The ableton live that I have was given to me by a friend, and I do not know its origins. I have had it installed for quite some time though and have had no problems as of yet. Let me know what you would like me to do about the log, thanks.
#16
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan on system?
Thanks for the reply slice123. The combofix log you posted will do for now.
Were you able to recall if there were any files or software on your system that you downloaded using the file sharing software? I need to emphasize how imprudent it really is to download and install ANYTHING without an installed antivirus...even more so when downloading any file or program using the file sharing applications you had on board.

Please select and install One of these free antivirus applications:
AVG Free for Windows
AntiVir Personal Edition Classic
Avast! 4 Home Edition

After successful installation, please reboot the computer. When the system comes back up, open the antivirus program you just installed and run a manual update. Install all the updates it finds and run the updater again. Continue in this manner until the updater finds no more updates to install.

Reboot the computer into Safe mode. Run a complete system scan using your newly installed antivirus program. Allow the software to quarantine anything it complains of.

Reboot and post back the log results and let us know how the system performs for you now. Thanks!
#17
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan on system?
Results?
#18
Registered User
Join Date: May 2009
Posts: 15
OS: vista sp1
Re: Trojan on system?
Hey and sorry for the delay.
I installed the AVG antivirus and it ended up finding two infected files. Everything seems to be running perfectly now. Here are the log contents:

AVG 8.5 Anti-Virus command line scanner
Copyright (c) 1992 - 2009 AVG Technologies
Program version 8.0.300, engine 8.0.339
Virus Database: Version 270.12.43/2138 2009-05-27

C:\Boot\BCD Locked file. Not tested.
C:\Boot\BCD.LOG Locked file. Not tested.
C:\Documents and Settings\ Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\Program Files\Ableton\Live 7.0.2\Program\cpv.dll Trojan horse Agent.ZGQ Object was moved to Virus Vault.
C:\ProgramData\Desktop\ Locked file. Not tested.
C:\ProgramData\Documents\ Locked file. Not tested.
C:\ProgramData\Favorites\ Locked file. Not tested.
C:\ProgramData\Templates\ Locked file. Not tested.
C:\Qoobox\Quarantine\C\Users\Jason\AppData\Roaming\Adobe\Player.exe.vir Trojan horse Downloader.Generic7.BAXD Object was moved to Virus Vault.
C:\System Volume Information\{03484753-44e7-11de-b1bf-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{09a99e72-465c-11de-b1d4-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{1e5ab66c-400c-11de-91cf-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{1e5ab68f-400c-11de-91cf-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{22c50be3-441e-11de-a088-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{22c50bf8-441e-11de-a088-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{22c50bfe-441e-11de-a088-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{4b88d97a-43fd-11de-8a6f-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{62cc98f2-423c-11de-9b1a-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{702c6412-3c35-11de-a235-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{73ab05b7-458b-11de-8b71-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{86591775-4300-11de-b1ac-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{87befe6c-419f-11de-ba7b-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{a388f4a5-3d02-11de-88aa-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{c3a88f5e-3d71-11de-92dd-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{e9585601-4a46-11de-b4a3-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{ed9647ec-3e78-11de-a5a6-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{fabbc795-4b0f-11de-8702-001fd0d477f7}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\Users\Default\AppData\Local\History\ Locked file. Not tested.
C:\Users\Default\AppData\Local\Temporary Internet Files\ Locked file. Not tested.
C:\Users\Default\Documents\My Music\ Locked file. Not tested.
C:\Users\Default\Documents\My Pictures\ Locked file. Not tested.
C:\Users\Default\Documents\My Videos\ Locked file. Not tested.
C:\Users\Default\NetHood\ Locked file. Not tested.
C:\Users\Default\PrintHood\ Locked file. Not tested.
C:\Users\Default\Recent\ Locked file. Not tested.
C:\Users\Default\Templates\ Locked file. Not tested.
C:\Users\Home Slice\AppData\Local\History\ Locked file. Not tested.
C:\Users\Home Slice\Documents\My Music\ Locked file. Not tested.
C:\Users\Home Slice\Documents\My Pictures\ Locked file. Not tested.
C:\Users\Home Slice\Documents\My Videos\ Locked file. Not tested.
C:\Users\Home Slice\NetHood\ Locked file. Not tested.
C:\Users\Home Slice\PrintHood\ Locked file. Not tested.
C:\Users\Home Slice\Templates\ Locked file. Not tested.
C:\Users\Jason\AppData\Local\History\ Locked file. Not tested.
C:\Users\Jason\AppData\Local\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Users\Jason\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Locked file. Not tested.
C:\Users\Jason\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Locked file. Not tested.
C:\Users\Jason\Documents\My Music\ Locked file. Not tested.
C:\Users\Jason\Documents\My Pictures\ Locked file. Not tested.
C:\Users\Jason\Documents\My Videos\ Locked file. Not tested.
C:\Users\Jason\NetHood\ Locked file. Not tested.
C:\Users\Jason\NTUSER.DAT Locked file. Not tested.
C:\Users\Jason\ntuser.dat.LOG1 Locked file. Not tested.
C:\Users\Jason\ntuser.dat.LOG2 Locked file. Not tested.
C:\Users\Jason\PrintHood\ Locked file. Not tested.
C:\Users\Public\Documents\My Music\ Locked file. Not tested.
C:\Users\Public\Documents\My Pictures\ Locked file. Not tested.
C:\Users\Public\Documents\My Videos\ Locked file. Not tested.
C:\Windows\bthservsdp.dat Locked file. Not tested.
C:\Windows\CSC\ Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Locked file. Not tested.
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Locked file. Not tested.
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Locked file. Not tested.
C:\Windows\System32\catroot2\edb.log Locked file. Not tested.
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Locked file. Not tested.
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Locked file. Not tested.
C:\Windows\System32\config\COMPONENTS Locked file. Not tested.
C:\Windows\System32\config\COMPONENTS.LOG1 Locked file. Not tested.
C:\Windows\System32\config\COMPONENTS.LOG2 Locked file. Not tested.
C:\Windows\System32\config\DEFAULT Locked file. Not tested.
C:\Windows\System32\config\DEFAULT.LOG1 Locked file. Not tested.
C:\Windows\System32\config\DEFAULT.LOG2 Locked file. Not tested.
C:\Windows\System32\config\RegBack\COMPONENTS Locked file. Not tested.
C:\Windows\System32\config\RegBack\DEFAULT Locked file. Not tested.
C:\Windows\System32\config\RegBack\SAM Locked file. Not tested.
C:\Windows\System32\config\RegBack\SECURITY Locked file. Not tested.
C:\Windows\System32\config\RegBack\SOFTWARE Locked file. Not tested.
C:\Windows\System32\config\RegBack\SOFTWARE.OLD Locked file. Not tested.
C:\Windows\System32\config\RegBack\SYSTEM Locked file. Not tested.
C:\Windows\System32\config\SAM Locked file. Not tested.
C:\Windows\System32\config\SAM.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SAM.LOG2 Locked file. Not tested.
C:\Windows\System32\config\SECURITY Locked file. Not tested.
C:\Windows\System32\config\SECURITY.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SECURITY.LOG2 Locked file. Not tested.
C:\Windows\System32\config\SOFTWARE Locked file. Not tested.
C:\Windows\System32\config\SOFTWARE.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SOFTWARE.LOG2 Locked file. Not tested.
C:\Windows\System32\config\SYSTEM Locked file. Not tested.
C:\Windows\System32\config\SYSTEM.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SYSTEM.LOG2 Locked file. Not tested.
C:\Windows\System32\LogFiles\WMI\RtBackup\ Locked file. Not tested.
J:\System Volume Information\ Locked file. Not tested.
------------------------------------------------------------
Objects scanned : 449016
Found infections : 2
Found PUPs : 0
Healed infections : 2
Healed PUPs : 0
Warnings : 0
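The AVG command-line report in the post above mixes three kinds of record: files the scanner could not open ("Locked file. Not tested."), detections with the action taken, and the summary counts. The Python below is an added example, not part of this thread and not AVG's own code: it parses that format even when a forum post has run the whole report onto one line (paths contain spaces, so records are split on the verdict phrases rather than on whitespace), separates the detections from the locked paths, marks a detection that was already sitting in ComboFix's C:\Qoobox\Quarantine folder rather than live on disk, and cross-checks the scanner's own "Found infections" and "Healed infections" counts against what was parsed. The sample text is a constructed excerpt of the log above; the quarantine-prefix list is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt of the AVG 8.5 command-line scan output posted above, deliberately
# left on one line the way the forum flattened it, to show the parser copes with both layouts.
SAMPLE_REPORT = (
    r"C:\Boot\BCD Locked file. Not tested. "
    r"C:\pagefile.sys Locked file. Not tested. "
    r"C:\Program Files\Ableton\Live 7.0.2\Program\cpv.dll Trojan horse Agent.ZGQ Object was moved to Virus Vault. "
    r"C:\Qoobox\Quarantine\C\Users\Jason\AppData\Roaming\Adobe\Player.exe.vir Trojan horse Downloader.Generic7.BAXD Object was moved to Virus Vault. "
    r"C:\Windows\System32\config\SAM Locked file. Not tested. "
    "------------------------------------------------------------ "
    "Objects scanned : 449016 Found infections : 2 Found PUPs : 0 Healed infections : 2 Healed PUPs : 0 Warnings : 0"
)

# Folders whose contents another tool has already quarantined (assumed list; Qoobox is ComboFix's).
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)

# A record is a drive-letter path followed by one of two known verdict phrases. The path is
# matched lazily so spaces inside it ("Program Files", "Live 7.0.2") do not break the split.
RECORD_RE = re.compile(
    r"(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?:(?P<locked>Locked file\. Not tested\.)|"
    r"Trojan horse (?P<threat>\S+)\s+(?P<action>Object was moved to Virus Vault\.))"
)
SUMMARY_RE = re.compile(
    r"(Objects scanned|Found infections|Found PUPs|Healed infections|Healed PUPs|Warnings)\s*:\s*(\d+)"
)


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    action: str

    @property
    def already_quarantined(self) -> bool:
        return self.path.lower().startswith(QUARANTINE_PREFIXES)


def parse_report(text: str) -> tuple[list[Detection], list[str], dict[str, int]]:
    """Split an AVG scan report into detections, locked (untested) paths and summary counts."""
    detections, locked = [], []
    for m in RECORD_RE.finditer(text):
        if m["locked"]:
            locked.append(m["path"])
        else:
            detections.append(Detection(m["path"], m["threat"], m["action"]))
    summary = {label: int(count) for label, count in SUMMARY_RE.findall(text)}
    return detections, locked, summary


def summary_consistent(detections: list[Detection], summary: dict[str, int]) -> bool:
    """True when the scanner's own counts agree with the detection records we parsed."""
    n = len(detections)
    return summary.get("Found infections") == n and summary.get("Healed infections") == n


def triage(text: str) -> dict[str, list[str]]:
    """Group detections into those live on disk and those already held in another tool's quarantine."""
    detections, _, _ = parse_report(text)
    out: dict[str, list[str]] = {"live": [], "already_quarantined": []}
    for d in detections:
        bucket = "already_quarantined" if d.already_quarantined else "live"
        out[bucket].append(f"{d.path} [{d.threat}]")
    return out


if __name__ == "__main__":
    found, untested, totals = parse_report(SAMPLE_REPORT)
    print(f"{len(found)} detections, {len(untested)} locked paths, counts consistent: "
          f"{summary_consistent(found, totals)}")
    for bucket, items in triage(SAMPLE_REPORT).items():
        for item in items:
            print(bucket, item)
```

On the constructed excerpt the live detection is the cpv.dll under the Ableton folder, while the Player.exe.vir hit is a ComboFix quarantine artifact that AVG simply re-detected, which is why a "two infections found" summary does not mean two new infections. The locked-file list is mostly registry hives, the page file and System Restore snapshots that no scanner can open while Windows is running; they are worth a look only if something there should not be locked.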
#19
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan on system?
Great! You can open AVG, navigate to the quarantined folder section and delete those findings...one of them was already locked up in the combofix quarantine folder by the way.

Click start-->run...then copy and paste the Bold text below into the run box and click "OK":

ComboFix /u

Performing this function will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again for you automatically.

To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason. You should always have at least (but not more than) one of these types of third party firewalls running on board:
Sunbelt Personal Firewall
Zone Alarm
Outpost Free
Comodo
Beware of the "Ask" tool bar that's now included. If you don't want it, remove the check from the box during installation

Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing. If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup or else just download the Slim version (no toolbar...third download link at the bottom of that page).

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup"), just open the utility and check off the following: Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files.

Don't forget to defrag the system.

So how did I get infected in the first place?

Regards, and Happy Surfing!
#20
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan on system?
Since this issue appears to be resolved this topic will now be closed.
Other members who need assistance please start your own topic in a new thread. Thanks! The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you. IMPORTANT - Read This Before Posting For Malware Removal Help