Tech Support Forum thread (closed to further replies; 11 posts)

Post #1 · Discussion Starter · Registered member (32 posts)
I have had some strange things happen in my machines (DT and Laptop). The DT machine is a Pentium 4 with 512 MB of memory. The rest of this post deals with the DT machine. They are both running Win XP SP2 with all of the patches applied. I have a firewall/anti-virus installed. When I do a scan with my anti-virus it malfunctions some of the time. If I uninstall it and then install it again it works correctly the first time and then malfunctions a second time.

I then installed AVG Free and ran it and it worked the first time and then malfunctioned the second time.

When the anti-viruses worked the first time they declared my system clean.

I went to the event viewer and found someone or something trying to logon to my ASPNET account.

I have heard that viruses try to disable your anti-virus software so they cannot be found. Has anyone heard of this?

The following is from my event viewer security log.

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 11/6/2007
Time: 10:32:37 PM
User: NT AUTHORITY\SYSTEM
Computer: GATEWAY-DESKTOP
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: ASPNET
Source Workstation: GATEWAY-DESKTOP
Error Code: 0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/6/2007
Time: 10:32:37 PM
User: NT AUTHORITY\SYSTEM
Computer: GATEWAY-DESKTOP
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: ASPNET
Domain:
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: GATEWAY-DESKTOP

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I completed steps 1-5 and had only to skip running IE-spyad because it did not support IE 7. I also skipped step 4 because my system was up to date in terms of SP2 and patches.

Here is my HiJackThis report:

Deckard's System Scanner v20071014.68
Run by Owner on 2007-11-07 10:23:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
61: 2007-11-07 17:24:04 UTC - RP67 - Deckard's System Scanner Restore Point
60: 2007-11-06 18:28:38 UTC - RP66 - Installed AVG 7.5
59: 2007-11-06 18:27:49 UTC - RP65 - Removed AVG 7.5
58: 2007-11-06 17:23:36 UTC - RP64 - Agnitum Outpost Security Suite Restore Point: update
57: 2007-11-06 16:24:49 UTC - RP63 - Installed AVG 7.5


-- First Restore Point --
1: 2007-10-06 17:21:22 UTC - RP7 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-07 10:29:50
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\CtHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\HD Tune\HDTune.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\down load\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?hl=en
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HD Tune] C:\PROGRA~1\HDTUNE~1\HDTune.exe
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Second Copy] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1191704449687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191523266625
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Security Suite Pro\acs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


--
End of file - 9097 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R3 IPFilter (Microsoft IntelliPoint Features driver) - c:\windows\system32\drivers\ipfilter.sys <Not Verified; Microsoft Corporation; Microsoft IntelliPoint>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 VBEngNT - c:\windows\system32\drivers\vbengnt.sys <Not Verified; VirusBuster Kft.; VirusBuster Engine SYS for Windows NT/2000/XP>

S3 Partizan - c:\windows\system32\drivers\partizan.sys <Not Verified; Greatis Software; RegRun Security Suite>


pe386 driver present

msguard driver present

lzx32 driver present

huy32 driver present

xpdt driver present

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 acssrv (Agnitum Client Security Service) - c:\progra~1\agnitum\outpos~1\acs.exe <Not Verified; Agnitum Ltd.; Agnitum Outpost Service>

S2 UPHClean (User Profile Hive Cleanup) - c:\program files\uphclean\uphclean.exe <Not Verified; Microsoft Corporation; User Profile Hive Cleanup Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-02 15:40:22 408 -----n--- C:\WINDOWS\Tasks\Norton Security Scan.job


-- Files created between 2007-10-07 and 2007-11-07 -----------------------------

2007-11-07 09:50:48 0 d-------- C:\Program Files\SpywareBlaster
2007-11-07 08:39:40 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-07 08:39:37 0 d-------- C:\WINDOWS\LastGood
2007-11-06 11:31:24 8960 --a------ C:\WINDOWS\system32\drivers\uphcleanhlp.sys <Not Verified; Windows (R) 2000 DDK provider; User Profile Hive Cleanup Service>
2007-11-06 11:28:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-05 18:40:28 114688 --a------ C:\WINDOWS\system32\mxv.dll <Not Verified; ; fsutil80 Dynamic Link Library>
2007-11-05 18:40:18 0 d-------- C:\Program Files\FileStream
2007-11-05 18:09:52 1024 -r-h----- C:\WINDOWS\system32\NTIDIB4.dll
2007-11-05 18:09:52 6144 --a------ C:\WINDOWS\system32\drivers\NTIDrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
2007-11-05 11:41:46 0 d-------- C:\Program Files\Acronis
2007-11-04 20:20:18 0 d-------- C:\Documents and Settings\Owner\Application Data\Acronis
2007-11-04 19:54:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\Acronis
2007-11-04 19:52:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2007-11-04 19:50:20 0 d-------- C:\Program Files\Common Files\Acronis
2007-11-04 10:33:15 0 d-------- C:\RootkitNO
2007-11-04 10:10:41 22528 --a------ C:\WINDOWS\system32\Partizan.exe <Not Verified; Greatis Software; RegRun Security Suite>
2007-11-04 10:10:41 31170 --a------ C:\WINDOWS\system32\drivers\Partizan.sys <Not Verified; Greatis Software; RegRun Security Suite>
2007-11-03 07:49:23 0 d-------- C:\Documents and Settings\Owner\Application Data\Genie-soft
2007-11-03 07:46:17 0 d-------- C:\Program Files\Genie-Soft
2007-11-02 13:14:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Agnitum
2007-11-02 13:13:37 800222 --a------ C:\WINDOWS\system32\drivers\VBEngNT.sys <Not Verified; VirusBuster Kft.; VirusBuster Engine SYS for Windows NT/2000/XP>
2007-11-02 13:13:21 0 d-------- C:\WINDOWS\system32\Filt
2007-11-02 13:13:20 0 d-------- C:\Program Files\Agnitum
2007-11-02 13:12:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Agnitum
2007-11-02 07:18:31 0 d-------- C:\Documents and Settings\Owner\Application Data\Smart PC Solutions
2007-11-02 07:18:23 0 d-------- C:\Program Files\Smart PC Solutions
2007-10-31 17:00:30 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-10-31 16:59:23 0 d-------- C:\Program Files\Norton Security Scan
2007-10-31 00:07:20 0 d--hs---- C:\found.000
2007-10-29 22:52:47 3840 -----n--- C:\WINDOWS\system32\drivers\BANTExt.sys
2007-10-29 22:52:47 0 d-------- C:\Program Files\Belarc
2007-10-28 21:43:39 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-28 21:41:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-28 13:37:35 0 d-------- C:\Program Files\UPHClean
2007-10-23 11:14:48 0 d-------- C:\Program Files\Windows Desktop Search
2007-10-23 09:16:51 0 d-------- C:\WINDOWS\system32\NtmsData
2007-10-22 19:36:37 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2007-10-20 20:17:48 0 d-------- C:\Documents and Settings\Owner\SecurityScans
2007-10-20 20:17:05 0 d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2007-10-20 08:26:10 0 d-------- C:\WINDOWS\SoftwareDistribution
2007-10-18 10:57:51 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2007-10-18 10:54:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-10-18 10:54:00 0 d-------- C:\Program Files\Common Files\Adobe
2007-10-15 08:33:22 0 d-------- C:\WINDOWS\system32\CatRoot2
2007-10-14 15:16:54 0 d-------- C:\Program Files\HD Tune
2007-10-14 14:38:41 0 d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
2007-10-14 14:38:40 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-10-14 14:30:10 0 d-------- C:\Program Files\CyberLink
2007-10-11 10:04:26 0 d-------- C:\NVIDIA
2007-10-11 09:46:02 0 d-------- C:\WINDOWS\nview
2007-10-10 17:03:19 0 d-------- C:\Program Files\MSXML 6.0
2007-10-10 16:31:04 0 d-------- C:\Program Files\MSBuild
2007-10-10 16:27:08 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-10-10 16:26:20 0 d-------- C:\Program Files\Reference Assemblies
2007-10-10 16:23:39 0 d-------- C:\Program Files\Windows Media Connect 2
2007-10-10 16:21:19 0 d-------- C:\WINDOWS\system32\LogFiles
2007-10-10 16:21:19 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-10 16:18:56 0 d-------- C:\WINDOWS\RegisteredPackages
2007-10-10 16:17:05 0 d-------- C:\WINDOWS\system32\URTTEMP
2007-10-09 17:11:39 0 d-------- C:\WINDOWS\Sun
2007-10-09 13:34:02 0 d-------- C:\WINDOWS\pss
2007-10-09 11:54:09 0 d--h----- C:\Program Files\Zero G Registry
2007-10-09 11:53:05 0 d--h----- C:\Documents and Settings\Owner\InstallAnywhere
2007-10-08 15:15:56 692 --a------ C:\register.bat
2007-10-07 12:02:53 0 d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2007-10-07 12:01:07 0 d-------- C:\Program Files\Siber Systems


-- Find3M Report ---------------------------------------------------------------

2007-11-07 09:16:15 0 d-------- C:\Program Files\SecCopy
2007-11-07 09:13:34 0 d-------- C:\Program Files\Google
2007-11-06 23:36:56 288 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000001-00000000-00000001-00001102-00000004-10061102}.dat
2007-11-06 23:36:56 288 --a------ C:\WINDOWS\system32\DVCState-{00000001-00000000-00000001-00001102-00000004-10061102}.dat
2007-11-05 18:22:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-05 18:22:28 0 d-------- C:\Program Files\Common Files
2007-11-05 18:09:48 0 d-------- C:\Program Files\Common Files\InstallShield
2007-10-06 10:32:15 0 d-------- C:\Program Files\Microsoft Works
2007-10-06 10:09:55 0 d-------- C:\Program Files\Messenger
2007-10-05 11:19:51 0 d-------- C:\Program Files\Common Files\L&H
2007-10-05 11:19:40 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-10-05 11:18:47 0 d-------- C:\Program Files\Microsoft.NET
2007-10-05 10:49:45 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2007-10-05 07:15:53 0 d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2007-10-05 07:15:31 0 -----n--- C:\WINDOWS\nsreg.dat
2007-10-05 07:15:24 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2007-10-05 07:13:09 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
2007-10-04 20:40:51 0 d-------- C:\Program Files\Microsoft Hardware
2007-10-04 16:45:58 0 d-------- C:\Program Files\Java
2007-10-04 15:10:39 0 d-------- C:\Program Files\ORL
2007-10-04 14:38:00 0 d-------- C:\Program Files\Common Files\Java
2007-10-04 14:37:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2007-10-04 14:37:35 0 d-------- C:\Program Files\CCleaner
2007-10-04 10:48:50 0 d-------- C:\Program Files\Intel
2007-10-04 10:45:04 0 d-------- C:\Program Files\Gateway
2007-10-04 10:34:11 0 d-------- C:\Documents and Settings\Owner\Application Data\Identities
2007-10-04 10:29:32 0 d-------- C:\Program Files\microsoft frontpage
2007-10-04 10:29:13 0 -rahs---- C:\MSDOS.SYS
2007-10-04 10:29:13 0 -rahs---- C:\IO.SYS
2007-10-04 10:29:13 0 --a------ C:\CONFIG.SYS
2007-10-04 10:29:13 0 --a------ C:\AUTOEXEC.BAT
2007-10-04 10:27:56 0 d--h----- C:\Program Files\WindowsUpdate
2007-10-04 10:27:52 0 d-------- C:\Program Files\Online Services
2007-10-04 10:27:08 0 d-------- C:\Program Files\Common Files\MSSoap
2007-10-04 10:27:01 0 d-------- C:\Program Files\Movie Maker
2007-10-04 10:26:37 21640 -----n--- C:\WINDOWS\system32\emptyregdb.dat
2007-10-04 10:25:43 0 d-------- C:\Program Files\MSN Gaming Zone
2007-10-04 10:25:35 0 d-------- C:\Program Files\Windows NT
2007-10-04 03:15:00 0 d-------- C:\Program Files\Common Files\ODBC
2007-10-04 03:14:57 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-10-04 03:14:31 62 ---hs---- C:\Documents and Settings\Owner\Application Data\desktop.ini
2007-09-18 17:35:55 50688 --a------ C:\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>
2007-09-17 05:26:28 1303 --a------ C:\XP_Install.bat
2007-09-17 01:07:00 1626112 -----n--- C:\WINDOWS\system32\nwiz.exe
2007-09-17 01:07:00 1019904 -----n--- C:\WINDOWS\system32\nvwimg.dll
2007-09-17 01:07:00 1703936 -----n--- C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 01:07:00 466944 -----n--- C:\WINDOWS\system32\nvshell.dll
2007-09-17 01:07:00 1478656 -----n--- C:\WINDOWS\system32\nview.dll
2007-09-17 01:07:00 1339392 -----n--- C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 01:07:00 442368 -----n--- C:\WINDOWS\system32\nvappbar.exe
2007-09-17 01:07:00 425984 -----n--- C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [03/11/2003 04:24 PM]
"CTHelper"="CTHELPER.EXE" [10/04/2007 10:47 AM C:\WINDOWS\system32\CtHelper.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 01:07 AM]
"nwiz"="nwiz.exe" [09/17/2007 01:07 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [09/17/2007 01:07 AM]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [07/15/2005 02:48 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"HD Tune"="C:\PROGRA~1\HDTUNE~1\HDTune.exe" [09/03/2007 12:37 AM]
"OutpostMonitor"="C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" [11/02/2007 07:32 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/14/2007 08:13 PM]
"Second Copy"="C:\PROGRA~1\SecCopy\SecCopy.exe" [10/17/2007 08:42 AM]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [10/07/2007 12:01 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 05:00 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"=MIDIDEF.EXE

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [10/28/2007 9:41:25 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoPropertiesRecycleBin"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoPropertiesMyDocuments"=0 (0x0)
"NoDesktop"=0 (0x0)
"NoDesktopCleanupWizard"=0 (0x0)
"DisablePersonalDirChange"=0 (0x0)
"NoThemesTab"=0 (0x0)
"NoRun"=0 (0x0)
"NoSimpleStartMenu"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"NoClose"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"NoSetTaskbar"=1 (0x1)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoStartMenuNetworkPlaces"=0 (0x0)
"NoSMMyDocs"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoManageMyComputerVerb"=0 (0x0)
"NoSecConsole"=0 (0x0)
"NoFolderOptions"=0 (0x0)
"NoSharedDocuments"=0 (0x0)
"NoSecurityTab"=0 (0x0)
"NoHardwareTab"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoNetConnectDisconnect"=1 (0x1)
"NoViewContextMenu"=0 (0x0)
"DisallowRun"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\progra~1\agnitum\outpos~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli scecli


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]




-- End of Deckard's System Scanner: finished at 2007-11-07 10:31:06 ------------


Here is the output from the Panda Anti-virus:


Incident Status Location

Virus:Trj/Agent.AZD Disinfected C:\Documents and Settings\All Users\Desktop\MCW\ResetSysRestore.VBS
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lemnjnfp.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lemnjnfp.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lemnjnfp.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lemnjnfp.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lemnjnfp.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lemnjnfp.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lemnjnfp.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lemnjnfp.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lemnjnfp.default\cookies.txt[.go.com/]
Potentially unwanted tool:Application/Yalta Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E8K0XFVC\yalta[1]\Yalta.exe
Potentially unwanted tool:Application/Yalta Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E8K0XFVC\yalta[1]\YALTA.VXD
Virus:Trj/Agent.AZD Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\MCWinstallation[1].zip[XP_Initial_Tools.exe][ResetSysRestore.VBS]
Potentially unwanted tool:Application/Pskill.K Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\MCWinstallation[1].zip[XP_Necessities.exe][killrss.exe][pskill.exe]
Potentially unwanted tool:Application/Leaktest.A Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MAIHAEI9\tooleaky[1].exe
Potentially unwanted tool:Application/Pskill.K Not disinfected C:\killrss.exe[pskill.exe]


I await your analysis.

jo60 :sleep:
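The two Security-log blocks quoted in the post, parsed and read the way a defender would (what 0xC000006A, Logon Type 2 and a Source Workstation equal to the machine itself mean together); this is an added Python example, not code from the thread. The NTSTATUS and Logon Type meanings are the documented ones; the SERVICE_ACCOUNTS watch list and the sample text are constructed here.

```python
# Parses Windows XP Security-log text as pasted from Event Viewer (Event ID 680
# and 529 blocks) and explains failed logons against built-in service accounts.
# Added example, not code from the thread; SAMPLE_LOG is constructed from the two
# events the poster quoted and SERVICE_ACCOUNTS is an assumed watch list.
import re
from collections import defaultdict

# Well-known NTSTATUS value reported in the "Error Code" field of Event 680.
NTSTATUS = {
    "0xC000006A": "STATUS_WRONG_PASSWORD (account exists, wrong password)",
}
# "Logon Type" values used in Event 528/529 descriptions.
LOGON_TYPE = {
    "2": "Interactive (a local process called LogonUser)",
    "3": "Network (request arrived over SMB/RPC)",
    "5": "Service (service control manager starting a service)",
}
SERVICE_ACCOUNTS = ("ASPNET", "IUSR_", "IWAM_")  # assumed watch list

SAMPLE_LOG = """\
Event Type: Failure Audit
Event ID: 680
Date: 11/6/2007
Time: 10:32:37 PM
User: NT AUTHORITY\\SYSTEM
Computer: GATEWAY-DESKTOP
Logon account: ASPNET
Source Workstation: GATEWAY-DESKTOP
Error Code: 0xC000006A

Event Type: Failure Audit
Event ID: 529
Date: 11/6/2007
Time: 10:32:37 PM
User: NT AUTHORITY\\SYSTEM
Computer: GATEWAY-DESKTOP
Logon Failure:
Reason: Unknown user name or bad password
User Name: ASPNET
Domain:
Logon Type: 2
Logon Process: Advapi
Workstation Name: GATEWAY-DESKTOP
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")

def parse_events(text):
    """Split pasted Event Viewer text into one dict per 'Event Type:' block."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):
            cur = {}
            events.append(cur)
        m = FIELD.match(line) if cur is not None else None
        if m:
            cur[m.group(1)] = m.group(2)  # blank values (e.g. "Domain:") kept as ""
    return events

def explain(ev):
    """Resolve the raw codes of one failure event into readable facts."""
    host = ev.get("Computer", "").upper()
    src = (ev.get("Source Workstation") or ev.get("Workstation Name") or "").upper()
    info = {
        "id": ev.get("Event ID"),
        "account": ev.get("Logon account") or ev.get("User Name"),
        "when": ev.get("Date", "") + " " + ev.get("Time", ""),
        "local_source": bool(src) and src == host,  # blank source is not "local"
    }
    if info["id"] == "680":
        code = ev.get("Error Code", "")
        info["reason"] = NTSTATUS.get(code, "unknown NTSTATUS " + code)
    elif info["id"] == "529":
        lt = ev.get("Logon Type", "")
        info["reason"] = "%s; %s via %s" % (ev.get("Reason", ""),
                         LOGON_TYPE.get(lt, "type " + lt), ev.get("Logon Process", "?"))
    return info

def triage(text):
    """Pair 680/529 failures by account and second; report service-account hits."""
    groups = defaultdict(list)
    for ev in parse_events(text):
        if ev.get("Event Type") == "Failure Audit":
            info = explain(ev)
            groups[(info["account"], info["when"])].append(info)
    findings = []
    for (acct, when), infos in sorted(groups.items()):
        if not (acct or "").upper().startswith(SERVICE_ACCOUNTS):
            continue
        findings.append({
            "account": acct,
            "when": when,
            "event_ids": sorted(i["id"] for i in infos),
            # Every event names the machine itself as the source: no network peer.
            "source": "local process" if all(i["local_source"] for i in infos)
                      else "remote or unknown host",
            "wrong_password": any("WRONG_PASSWORD" in i.get("reason", "") for i in infos),
            "detail": "; ".join(i.get("reason", "") for i in infos),
        })
    return findings
```

Run `triage(SAMPLE_LOG)` to get one finding for ASPNET whose source is a local process and whose 680 code resolves to a wrong password; a burst of such pairs against many accounts, or a source that is another host, is the pattern worth escalating.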

Reply · TSF Security Manager, Emeritus (42,952 posts)
Apologies for the delay. As you can see, the amount of logs and members requesting help is overwhelming, and there are only a handful of us to assist. Unfortunately, threads get overlooked.

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double-click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • I'll need the C:\ComboFix.txt along with a new HijackThis log so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post #4 · Discussion Starter · Registered member (32 posts)
Ried,

Here is the ComboFix output:

ComboFix 07-11-08.3 - Owner 2007-11-12 22:40:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.191 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\ODCTOOLS

.
((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.

2007-11-12 22:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 22:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-12 21:18 8,960 --a------ C:\WINDOWS\system32\drivers\uphcleanhlp.sys
2007-11-12 21:12 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-11-12 21:11 <DIR> d-------- C:\Program Files\Common Files\Broderbund
2007-11-12 21:11 <DIR> d-------- C:\Program Files\Broderbund
2007-11-12 15:24 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-12 13:38 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-11-12 13:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-11-12 08:51 <DIR> d-------- C:\Program Files\Sana Security
2007-11-11 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2007-11-10 22:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-10 22:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-11-08 07:40 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-08 07:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-11-08 07:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-08 07:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-07 10:23 <DIR> d-------- C:\Deckard
2007-11-07 09:50 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-07 08:39 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-06 11:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-05 18:40 114,688 --a------ C:\WINDOWS\system32\mxv.dll
2007-11-05 18:09 6,144 --a------ C:\WINDOWS\system32\drivers\NTIDrvr.sys
2007-11-05 18:09 1,024 -r-h----- C:\WINDOWS\system32\NTIDIB4.dll
2007-11-05 11:41 <DIR> d-------- C:\Program Files\Acronis
2007-11-04 20:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Acronis
2007-11-04 19:54 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Acronis
2007-11-04 19:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2007-11-04 19:51 441,760 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2007-11-04 19:51 129,248 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2007-11-04 19:51 44,384 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-11-04 19:50 <DIR> d-------- C:\Program Files\Common Files\Acronis
2007-11-04 19:50 368,736 --a------ C:\WINDOWS\system32\drivers\tdrpman.sys
2007-11-04 10:33 <DIR> d-------- C:\RootkitNO
2007-11-04 10:10 31,170 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2007-11-04 10:10 22,528 --a------ C:\WINDOWS\system32\Partizan.exe
2007-11-04 10:09 C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2007-11-03 07:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Genie-soft
2007-11-03 07:46 <DIR> d-------- C:\Program Files\Genie-Soft
2007-11-03 07:46 128,104 --a------ C:\WINDOWS\system32\drivers\WimFltr.sys
2007-11-02 13:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Agnitum
2007-11-02 13:13 <DIR> d-------- C:\WINDOWS\system32\Filt
2007-11-02 13:13 <DIR> d-------- C:\Program Files\Agnitum
2007-11-02 13:13 800,222 --a------ C:\WINDOWS\system32\drivers\VBEngNT.sys
2007-11-02 13:13 435,232 --a------ C:\WINDOWS\system32\drivers\SandBox.sys
2007-11-02 13:13 198,416 --a------ C:\WINDOWS\system32\drivers\afw.sys
2007-11-02 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Agnitum
2007-11-02 07:18 <DIR> d-------- C:\Program Files\Smart PC Solutions
2007-11-02 07:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Smart PC Solutions
2007-10-31 17:00 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-10-31 00:07 <DIR> d--hs---- C:\found.000
2007-10-30 12:34 8,192 -----c--- C:\WINDOWS\system32\dllcache\rasadhlp.dll
2007-10-29 22:52 <DIR> d-------- C:\Program Files\Belarc
2007-10-29 22:52 3,840 --------- C:\WINDOWS\system32\drivers\BANTExt.sys
2007-10-28 21:43 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-28 21:43 626,688 --------- C:\WINDOWS\system32\msvcr80.dll
2007-10-28 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-28 13:37 <DIR> d-------- C:\Program Files\UPHClean
2007-10-25 12:21 266,360 --------- C:\WINDOWS\system32\TweakUI.exe
2007-10-23 11:14 <DIR> d-------- C:\Program Files\Windows Desktop Search
2007-10-23 11:14 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2007-10-23 11:14 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2007-10-23 11:14 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2007-10-23 09:16 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-22 19:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2007-10-20 20:17 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2007-10-20 20:17 <DIR> d-------- C:\Documents and Settings\Owner\SecurityScans
2007-10-18 10:54 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-10-15 08:33 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-10-14 15:16 <DIR> d-------- C:\Program Files\HD Tune
2007-10-14 14:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
2007-10-14 14:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-10-14 14:30 <DIR> d-------- C:\Program Files\CyberLink
2007-10-14 14:30 1,066,544 --------- C:\WINDOWS\system32\mfc71.dll
2007-10-14 14:30 509,488 --------- C:\WINDOWS\system32\msvcp71.dll
2007-10-14 14:30 353,840 --------- C:\WINDOWS\system32\msvcr71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 04:28 --------- d-----w C:\Program Files\SecCopy
2007-11-09 04:26 --------- d-----w C:\Program Files\Google
2007-11-08 00:46 --------- d-----w C:\Program Files\Java
2007-11-06 01:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-06 01:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-11 00:03 --------- d-----w C:\Program Files\MSXML 6.0
2007-10-10 23:31 --------- d-----w C:\Program Files\MSBuild
2007-10-10 23:26 --------- d-----w C:\Program Files\Reference Assemblies
2007-10-10 23:23 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-09 18:54 --------- d--h--w C:\Program Files\Zero G Registry
2007-10-08 22:23 692 ----a-w C:\register.bat
2007-10-07 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\RoboForm
2007-10-07 19:01 --------- d-----w C:\Program Files\Siber Systems
2007-10-06 20:55 6,139,760 ----a-w C:\WindowsUpdateAgent30-x86.exe
2007-10-06 17:32 --------- d-----w C:\Program Files\Microsoft Works
2007-10-05 18:19 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-05 18:19 --------- d-----w C:\Program Files\Common Files\L&H
2007-10-05 18:18 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-05 14:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\Talkback
2007-10-05 03:40 --------- d-----w C:\Program Files\Microsoft Hardware
2007-10-04 22:10 --------- d-----w C:\Program Files\ORL
2007-10-04 21:38 --------- d-----w C:\Program Files\Common Files\Java
2007-10-04 21:37 --------- d-----w C:\Program Files\CCleaner
2007-10-04 17:48 --------- d-----w C:\Program Files\Intel
2007-10-04 17:47 822,416 ------w C:\WINDOWS\system32\drivers\ha10kx2k.sys
2007-10-04 17:47 6,144 ------w C:\WINDOWS\system32\drivers\ctprxy2k.sys
2007-10-04 17:47 50,805 ------w C:\WINDOWS\system32\drivers\IntelC53.sys
2007-10-04 17:47 497,376 ------w C:\WINDOWS\system32\drivers\ctaud2k.sys
2007-10-04 17:47 49,152 ------w C:\WINDOWS\mididef.exe
2007-10-04 17:47 49,152 ------w C:\WINDOWS\ctdcres.dll
2007-10-04 17:47 481,305 ------w C:\WINDOWS\system32\drivers\IntelC52.sys
2007-10-04 17:47 31,440 ------w C:\WINDOWS\system32\drivers\mohfilt.sys
2007-10-04 17:47 286,384 ------w C:\WINDOWS\system32\drivers\ctdvda2k.sys
2007-10-04 17:47 20,480 ------w C:\WINDOWS\inRes.dll
2007-10-04 17:47 184,656 ------w C:\WINDOWS\system32\drivers\ctoss2k.sys
2007-10-04 17:47 184,320 ------w C:\WINDOWS\psconv.exe
2007-10-04 17:47 176,128 ------w C:\WINDOWS\readreg.exe
2007-10-04 17:47 145,408 ------w C:\WINDOWS\system32\drivers\e100b325.sys
2007-10-04 17:47 139,936 ------w C:\WINDOWS\system32\drivers\haP16v2k.sys
2007-10-04 17:47 135,248 ------w C:\WINDOWS\system32\drivers\ctsfm2k.sys
2007-10-04 17:47 135,040 ------w C:\WINDOWS\system32\drivers\ctac32k.sys
2007-10-04 17:47 116,000 ------w C:\WINDOWS\system32\drivers\emupia2k.sys
2007-10-04 17:47 102,400 ------w C:\WINDOWS\system32\drivers\ianswxp.sys
2007-10-04 17:47 1,075,685 ------w C:\WINDOWS\system32\drivers\IntelC51.sys
2007-10-04 17:45 --------- d-----w C:\Program Files\Gateway
2007-10-04 17:29 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-19 00:35 50,688 ----a-w C:\ATF-Cleaner.exe
2007-09-17 12:26 1,303 ----a-w C:\XP_Install.bat
2007-09-17 08:07 6,853,088 ------w C:\WINDOWS\system32\drivers\nv4_mini.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24]
"CTHelper"="CTHELPER.EXE" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07]
"nwiz"="nwiz.exe" [2007-09-17 01:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 14:48]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"HD Tune"="C:\PROGRA~1\HDTUNE~1\HDTune.exe" [2007-09-03 00:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SanaSafeConnect"="C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe" [2007-10-18 19:23]
"1A:Stardock TrayMonitor"="" []
"Atomic Clock 7.0"="C:\Program Files\Broderbund\Atomic Clock 7.0\AtomClk.exe" [2002-11-14 12:00]
"OutpostMonitor"="C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" [2007-11-02 19:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-14 20:13]
"Second Copy"="C:\PROGRA~1\SecCopy\SecCopy.exe" [2007-10-17 08:42]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-11-09 14:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"1A:Stardock TrayMonitor"=

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"=MIDIDEF.EXE

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-10-28 21:41:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"DisallowRun"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\agnitum\outpos~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOWS\system32\srr

R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R1 SandBox;SandBox;C:\WINDOWS\system32\DRIVERS\SandBox.sys
R2 acssrv;Agnitum Client Security Service;C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
R2 SanaSafeConnectAgent;SanaSafeConnectAgent;"C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaAgent.exe" SanaSafeConnectAgent
R2 SanaSafeConnectWatcher;SanaSafeConnectWatcher;C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaSafeConnectWatcher.exe
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R3 afw;Agnitum firewall driver;C:\WINDOWS\system32\DRIVERS\afw.sys
R3 ASWFilt;ASWFilt;C:\WINDOWS\system32\Filt\ASWFilt.dll
R3 SanaSafeConnectDriver;SanaSafeConnectDriver;\??\C:\Program Files\Sana Security\Primary Response SafeConnect\agent\driver\platform_XP\SafeConnectDriver.sys
R3 SanaSafeConnectFilter;SanaSafeConnectFilter;\??\C:\Program Files\Sana Security\Primary Response SafeConnect\agent\driver\platform_XP\SafeConnectFilter.sys
R3 SanaSafeConnectShim;SanaSafeConnectShim;\??\C:\Program Files\Sana Security\Primary Response SafeConnect\agent\driver\platform_XP\SafeConnectShim.sys
R3 VBEngNT;VBEngNT;C:\WINDOWS\system32\DRIVERS\VBEngNT.sys
R3 VBFilt;VBFilt;C:\WINDOWS\system32\Filt\VBFilt.dll
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys
S3 WimFltr;WimFltr;C:\WINDOWS\system32\DRIVERS\wimfltr.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command


.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 22:46:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\OP_CACHE.ATR 24 bytes
C:\WINDOWS\system32\OP_CACHE.IDX 12 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2007-11-12 22:50:28 - machine was rebooted
.
--- E O F ---


Here is the output for the Deckard's System Scanner:

Deckard's System Scanner v20071014.68
Run by Owner on 2007-11-12 23:11:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:53 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaSafeConnectWatcher.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\HDTUNE~1\HDTune.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe
C:\Program Files\Broderbund\Atomic Clock 7.0\AtomClk.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Owner\My Documents\Safe Init\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HD Tune] C:\PROGRA~1\HDTUNE~1\HDTune.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SanaSafeConnect] "C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe"
O4 - HKLM\..\Run: [Atomic Clock 7.0] C:\Program Files\Broderbund\Atomic Clock 7.0\AtomClk.exe
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Second Copy] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Security Suite Pro\ie_bar.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1191704449687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191523266625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SanaSafeConnectAgent - Sana Security - C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaAgent.exe
O23 - Service: SanaSafeConnectWatcher - Sana Security - C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaSafeConnectWatcher.exe

--
End of file - 8931 bytes

-- Files created between 2007-10-12 and 2007-11-12 -----------------------------

2007-11-12 22:03:27 0 d-------- C:\Program Files\Trend Micro
2007-11-12 21:18:09 8960 --a------ C:\WINDOWS\system32\drivers\uphcleanhlp.sys <Not Verified; Windows (R) 2000 DDK provider; User Profile Hive Cleanup Service>
2007-11-12 21:12:30 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2007-11-12 21:11:29 0 d-------- C:\Program Files\Common Files\Broderbund
2007-11-12 21:11:27 0 d-------- C:\Program Files\Broderbund
2007-11-12 15:24:53 0 d-------- C:\Program Files\MSXML 4.0
2007-11-12 13:38:50 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-11-12 13:11:16 0 d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-11-12 08:51:53 0 d-------- C:\Program Files\Sana Security
2007-11-11 22:52:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2007-11-10 22:35:04 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-10 22:35:04 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-11-10 22:35:00 3231744 --a------ C:\Documents and Settings\Owner\ntuser.dat
2007-11-10 22:35:00 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-11-08 07:40:38 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-11-08 07:40:11 0 d-------- C:\Program Files\Lavasoft
2007-11-08 07:28:09 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-08 07:25:40 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-07 09:50:48 0 d-------- C:\Program Files\SpywareBlaster
2007-11-07 08:39:40 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-06 11:28:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-05 18:40:28 114688 --a------ C:\WINDOWS\system32\mxv.dll <Not Verified; ; fsutil80 Dynamic Link Library>
2007-11-05 18:09:52 1024 -r-h----- C:\WINDOWS\system32\NTIDIB4.dll
2007-11-05 18:09:52 6144 --a------ C:\WINDOWS\system32\drivers\NTIDrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
2007-11-05 11:41:46 0 d-------- C:\Program Files\Acronis
2007-11-04 20:20:18 0 d-------- C:\Documents and Settings\Owner\Application Data\Acronis
2007-11-04 19:54:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\Acronis
2007-11-04 19:52:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2007-11-04 19:50:20 0 d-------- C:\Program Files\Common Files\Acronis
2007-11-04 10:33:15 0 d-------- C:\RootkitNO
2007-11-04 10:10:41 22528 --a------ C:\WINDOWS\system32\Partizan.exe <Not Verified; Greatis Software; RegRun Security Suite>
2007-11-04 10:10:41 31170 --a------ C:\WINDOWS\system32\drivers\Partizan.sys <Not Verified; Greatis Software; RegRun Security Suite>
2007-11-03 07:49:23 0 d-------- C:\Documents and Settings\Owner\Application Data\Genie-soft
2007-11-03 07:46:17 0 d-------- C:\Program Files\Genie-Soft
2007-11-02 13:14:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Agnitum
2007-11-02 13:13:37 800222 --a------ C:\WINDOWS\system32\drivers\VBEngNT.sys <Not Verified; VirusBuster Kft.; VirusBuster Engine SYS for Windows NT/2000/XP>
2007-11-02 13:13:21 0 d-------- C:\WINDOWS\system32\Filt
2007-11-02 13:13:20 0 d-------- C:\Program Files\Agnitum
2007-11-02 13:12:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Agnitum
2007-11-02 07:18:31 0 d-------- C:\Documents and Settings\Owner\Application Data\Smart PC Solutions
2007-11-02 07:18:23 0 d-------- C:\Program Files\Smart PC Solutions
2007-10-31 17:00:30 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-10-31 00:07:20 0 d--hs---- C:\found.000
2007-10-29 22:52:47 3840 -----n--- C:\WINDOWS\system32\drivers\BANTExt.sys
2007-10-29 22:52:47 0 d-------- C:\Program Files\Belarc
2007-10-28 21:43:39 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-28 21:41:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-28 13:37:35 0 d-------- C:\Program Files\UPHClean
2007-10-23 11:14:48 0 d-------- C:\Program Files\Windows Desktop Search
2007-10-23 09:16:51 0 d-------- C:\WINDOWS\system32\NtmsData
2007-10-22 19:36:37 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2007-10-20 20:17:48 0 d-------- C:\Documents and Settings\Owner\SecurityScans
2007-10-20 20:17:05 0 d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2007-10-20 08:26:10 0 d-------- C:\WINDOWS\SoftwareDistribution
2007-10-18 10:57:51 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2007-10-18 10:54:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-10-18 10:54:00 0 d-------- C:\Program Files\Common Files\Adobe
2007-10-15 08:33:22 0 d-------- C:\WINDOWS\system32\CatRoot2
2007-10-14 15:16:54 0 d-------- C:\Program Files\HD Tune
2007-10-14 14:38:41 0 d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
2007-10-14 14:38:40 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-10-14 14:30:10 0 d-------- C:\Program Files\CyberLink


-- Find3M Report ---------------------------------------------------------------

2007-11-12 22:55:06 288 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000001-00000000-00000001-00001102-00000004-10061102}.dat
2007-11-12 22:55:06 288 --a------ C:\WINDOWS\system32\DVCState-{00000001-00000000-00000001-00001102-00000004-10061102}.dat
2007-11-12 21:11:29 0 d-------- C:\Program Files\Common Files
2007-11-08 21:28:37 0 d-------- C:\Program Files\SecCopy
2007-11-08 21:26:00 0 d-------- C:\Program Files\Google
2007-11-07 17:46:14 0 d-------- C:\Program Files\Java
2007-11-05 18:22:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-05 18:09:48 0 d-------- C:\Program Files\Common Files\InstallShield
2007-10-10 17:03:19 0 d-------- C:\Program Files\MSXML 6.0
2007-10-10 16:31:04 0 d-------- C:\Program Files\MSBuild
2007-10-10 16:26:20 0 d-------- C:\Program Files\Reference Assemblies
2007-10-10 16:23:40 0 d-------- C:\Program Files\Windows Media Connect 2
2007-10-09 11:54:09 0 d--h----- C:\Program Files\Zero G Registry
2007-10-08 15:23:58 692 --a------ C:\register.bat
2007-10-07 12:01:07 0 d-------- C:\Program Files\Siber Systems
2007-10-06 10:32:15 0 d-------- C:\Program Files\Microsoft Works
2007-10-06 10:09:55 0 d-------- C:\Program Files\Messenger
2007-10-05 11:19:51 0 d-------- C:\Program Files\Common Files\L&H
2007-10-05 11:19:40 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-10-05 11:18:47 0 d-------- C:\Program Files\Microsoft.NET
2007-10-05 10:49:45 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2007-10-05 07:15:53 0 d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2007-10-05 07:15:31 0 -----n--- C:\WINDOWS\nsreg.dat
2007-10-05 07:15:24 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2007-10-05 07:13:09 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
2007-10-04 20:40:51 0 d-------- C:\Program Files\Microsoft Hardware
2007-10-04 15:10:39 0 d-------- C:\Program Files\ORL
2007-10-04 14:38:00 0 d-------- C:\Program Files\Common Files\Java
2007-10-04 14:37:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2007-10-04 14:37:35 0 d-------- C:\Program Files\CCleaner
2007-10-04 10:48:50 0 d-------- C:\Program Files\Intel
2007-10-04 10:45:04 0 d-------- C:\Program Files\Gateway
2007-10-04 10:34:11 0 d-------- C:\Documents and Settings\Owner\Application Data\Identities
2007-10-04 10:29:32 0 d-------- C:\Program Files\microsoft frontpage
2007-10-04 10:29:13 0 -rahs---- C:\MSDOS.SYS
2007-10-04 10:29:13 0 -rahs---- C:\IO.SYS
2007-10-04 10:29:13 0 --a------ C:\CONFIG.SYS
2007-10-04 10:29:13 0 --a------ C:\AUTOEXEC.BAT
2007-10-04 10:27:56 0 d--h----- C:\Program Files\WindowsUpdate
2007-10-04 10:27:52 0 d-------- C:\Program Files\Online Services
2007-10-04 10:27:08 0 d-------- C:\Program Files\Common Files\MSSoap
2007-10-04 10:27:01 0 d-------- C:\Program Files\Movie Maker
2007-10-04 10:26:37 21640 -----n--- C:\WINDOWS\system32\emptyregdb.dat
2007-10-04 10:25:43 0 d-------- C:\Program Files\MSN Gaming Zone
2007-10-04 10:25:35 0 d-------- C:\Program Files\Windows NT
2007-10-04 03:15:00 0 d-------- C:\Program Files\Common Files\ODBC
2007-10-04 03:14:57 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-10-04 03:14:31 62 ---hs---- C:\Documents and Settings\Owner\Application Data\desktop.ini
2007-09-18 17:35:55 50688 --a------ C:\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>
2007-09-17 05:26:28 1303 --a------ C:\XP_Install.bat
2007-09-17 01:07:00 1626112 -----n--- C:\WINDOWS\system32\nwiz.exe
2007-09-17 01:07:00 1019904 -----n--- C:\WINDOWS\system32\nvwimg.dll
2007-09-17 01:07:00 1703936 -----n--- C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 01:07:00 466944 -----n--- C:\WINDOWS\system32\nvshell.dll
2007-09-17 01:07:00 1478656 -----n--- C:\WINDOWS\system32\nview.dll
2007-09-17 01:07:00 1339392 -----n--- C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 01:07:00 442368 -----n--- C:\WINDOWS\system32\nvappbar.exe
2007-09-17 01:07:00 425984 -----n--- C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [03/11/2003 04:24 PM]
"CTHelper"="CTHELPER.EXE" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 01:07 AM]
"nwiz"="nwiz.exe" [09/17/2007 01:07 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [09/17/2007 01:07 AM]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [07/15/2005 02:48 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"HD Tune"="C:\PROGRA~1\HDTUNE~1\HDTune.exe" [09/03/2007 12:37 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"SanaSafeConnect"="C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe" [10/18/2007 07:23 PM]
"1A:Stardock TrayMonitor"="" []
"Atomic Clock 7.0"="C:\Program Files\Broderbund\Atomic Clock 7.0\AtomClk.exe" [11/14/2002 12:00 PM]
"OutpostMonitor"="C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" [11/02/2007 07:32 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/14/2007 08:13 PM]
"Second Copy"="C:\PROGRA~1\SecCopy\SecCopy.exe" [10/17/2007 08:42 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 05:00 AM]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [11/09/2007 02:49 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"1A:Stardock TrayMonitor"=

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"=MIDIDEF.EXE

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [10/28/2007 9:41:25 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoPropertiesRecycleBin"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoPropertiesMyDocuments"=0 (0x0)
"NoDesktopCleanupWizard"=0 (0x0)
"DisablePersonalDirChange"=0 (0x0)
"NoSimpleStartMenu"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoStartMenuNetworkPlaces"=0 (0x0)
"NoSMMyDocs"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoManageMyComputerVerb"=0 (0x0)
"NoSecConsole"=0 (0x0)
"NoSharedDocuments"=0 (0x0)
"NoSecurityTab"=0 (0x0)
"NoHardwareTab"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"DisallowRun"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\progra~1\agnitum\outpos~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOWS\system32\srr


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]




-- End of Deckard's System Scanner: finished at 2007-11-12 23:12:46 ------------

I have tried to rerun the Panda Scanner but it hangs up after scan completion and preparing the report. The summary says I have one infected file and 15 cookies.

jo60
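A small triage script for the autorun section of the DSS log above, added here as an example; it is not part of the original post and not part of Deckard's System Scanner. It assumes the value formats DSS prints (quoted name, quoted target, a bracketed timestamp and resolved path, or "[]" when the target was not found on disk) and that a stock XP workstation lists only scecli under LSA "Notification Packages"; the sample input is an excerpt copied from the dump above. It flags Run entries whose target is empty or unresolved (CTHelper and the two Stardock TrayMonitor leftovers), any AppInit_DLLs value, and any non-default LSA notification package. DSS already suppresses empty and default entries, so anything printed under those two keys deserves a look even when, as with the Outpost wl_hook.dll that matches the OutpostMonitor entry in the same log, it turns out to be the installed firewall. A flag is a prompt to check the file, not a verdict.

```python
"""Triage the autorun section of a Deckard's System Scanner registry dump.

Added example, not DSS code.  Flags Run/RunOnce/RunServices values with an
empty or unresolved target, any AppInit_DLLs value (loaded into every
process that loads user32.dll) and any LSA notification package other than
scecli (loaded into lsass.exe, sees every password change).
"""
import re
from dataclasses import dataclass, field

AUTORUN_KEY = re.compile(r"\\currentversion\\run(once|onceex|services)?$", re.I)
# "Name"="target" [timestamp [resolved path]]  -- the Run-key form DSS prints
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# "Name"=target                                 -- RunServices / RunOnce / LSA form
BARE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<target>.*)$')
# Assumption: a stock Windows XP workstation lists only scecli here.
DEFAULT_LSA_NOTIFY = {"scecli"}


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    target: str
    reason: str


@dataclass
class Triage:
    autoruns: int = 0
    findings: list = field(default_factory=list)


def parse_dss_registry_dump(text: str) -> Triage:
    t = Triage()
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]            # new registry key header
            continue
        if key is None:
            continue
        low = key.lower()
        if AUTORUN_KEY.search(low):
            m = VALUE_RE.match(line) or BARE_RE.match(line)
            if not m:
                continue
            t.autoruns += 1
            name, target = m.group("name"), m.group("target").strip()
            meta = m.groupdict().get("meta")   # None for the bare form
            if not target:
                t.findings.append(Finding(key, name, target, "empty target"))
            elif meta is not None and not meta.strip():
                t.findings.append(Finding(key, name, target, "target not found on disk"))
        elif low.endswith(r"\windows nt\currentversion\windows"):
            m = BARE_RE.match(line)
            if m and m.group("name").lower() == "appinit_dlls" and m.group("target").strip():
                t.findings.append(Finding(key, "AppInit_DLLs", m.group("target").strip(),
                                          "DLL injected into every user32 process"))
        elif low.endswith(r"\control\lsa"):
            m = BARE_RE.match(line)
            if m and m.group("name").lower() == "notification packages":
                pkgs = {p.lower() for p in re.split(r"[\s,]+", m.group("target")) if p}
                extra = pkgs - DEFAULT_LSA_NOTIFY
                if extra:
                    t.findings.append(Finding(key, "Notification Packages", m.group("target").strip(),
                                              "non-default LSA package: " + ", ".join(sorted(extra))))
    return t


# Constructed excerpt of the DSS registry dump posted above (lines copied verbatim).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [03/11/2003 04:24 PM]
"CTHelper"="CTHELPER.EXE" []
"nwiz"="nwiz.exe" [09/17/2007 01:07 AM C:\WINDOWS\system32\nwiz.exe]
"1A:Stardock TrayMonitor"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"1A:Stardock TrayMonitor"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\progra~1\agnitum\outpos~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOWS\system32\srr
"""

if __name__ == "__main__":
    result = parse_dss_registry_dump(SAMPLE)
    print(f"{result.autoruns} autorun entries, {len(result.findings)} to review")
    for f in result.findings:
        leaf = f.key.rsplit("\\", 1)[-1]
        print(f"  [{leaf}] {f.name!r} -> {f.target!r}: {f.reason}")
```

Run it against the whole "Registry Dump" block of a DSS log and review only what it prints; an unresolved Run target is usually an uninstall leftover, but it is also where a dropped file that has since been deleted, or one living on a path DSS could not expand, would show up.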
 

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
Try this online scanner instead:

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
        • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
 

· Registered
Joined
·
32 Posts
Discussion Starter · #6 ·
Ried,

Here are the results of the Kaspersky scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 14, 2007 5:55:50 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/11/2007
Kaspersky Anti-Virus database records: 457944
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 390088
Number of viruses found: 2
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 03:42:10

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\HTML Help\hh.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.bak Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.txt Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\CyberlinkPower2Go.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HelpCtr\HelpSessionHistory.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007111120071112\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\C0A52B82.TMP Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\IMT11.xml Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\IMT12.xml Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\IMT13.xml Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\blank[1].htm Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\body[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\calendar[2] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\helpdoc[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\HomePage[1].htm Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\logo[1].bmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\mainpage[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\minusCold[1].gif Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\nusrmgr[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\nusrmgr[2] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\picturepage[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\pwcreate[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\RemovePassword[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\searchblurb[1].htm Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\Search[1].htm Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\shared[1].css Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\shared[1].js Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\SRUI-Confirm[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUFEBIX\watermark[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\arrow_green_normal[1].bmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\camera[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\Common[1].js Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\Common[2].js Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\Context[1].htm Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\coUAprint[1].css Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\coUA[1].css Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\desktop_icon_03[1].bmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\guest_disabled[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\Homepage__DESKTOP[1].js Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\Homepage__SHARED[1].js Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\localtext[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\NavBar[1].htm Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\nusrmgr[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\plusHot[1].gif Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\popup[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\progbar[1].gif Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\pwchange_o[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\rstrui[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\rstrui[2] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IL05I5EH\srui-main[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\Behaviors[1].css Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\chg_common[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\desktop_icon_02[1].bmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\help[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\mainpage2[2] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\MiniNavBar[1].htm Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\MiniNavBar[1].xml Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\NavBar[1].xml Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\passwordpage2[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\plusCold[1].gif Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\removepassword[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\RestoreUI[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\selectable[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\shared[1].css Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\shared[2].css Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\shared[3].css Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\SRUI-Pick[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\start[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\stfind_3[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\users[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\warning[1].gif Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IVSPC98F\wrapperparam[1].js Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\arrow_green_normal_shadow[1].bmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\calendar[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\classic[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\Common[1].js Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\desktop_icon_01[1].bmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\firstpage[1].htm Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\HHWRAPPER[1].htm Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\Layout[1].css Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\mainpage[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\minusHot[1].gif Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\PicturePage[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\popup[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\pwcreate_o[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\pw_common[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\shared[1].css Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\shared[2].css Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\shared[3].css Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\shared[4].css Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\SR_Grad[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\Uabrand[1].gif Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\users32[1] Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O14NI5GX\watermark_300x[1].bmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\My RoboForm Data\Default Profile\options.rfo Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\My RoboForm Data\Default Profile\RoboFormDataHere.txt Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.ini Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\Compressed (zipped) Folder.ZFSendToTarget Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\Desktop (create shortcut).DeskLink Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\Mail Recipient.MAPIMail Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Command Prompt.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Notepad.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Synchronize.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Tour Windows XP.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Windows Explorer.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Cyberlink Power2Go\OnLine Registration.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Cyberlink Power2Go\Power2Go Express.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Cyberlink Power2Go\Power2Go Online Help.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Cyberlink Power2Go\Power2Go.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Cyberlink Power2Go\Readme.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Cyberlink Power2Go\System Diagnostic.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Cyberlink Power2Go\Uninstall Power2Go.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Templates\amipro.sam Object is locked skipped
C:\Documents and Settings\Administrator\Templates\excel.xls Object is locked skipped
C:\Documents and Settings\Administrator\Templates\excel4.xls Object is locked skipped
C:\Documents and Settings\Administrator\Templates\lotus.wk4 Object is locked skipped
C:\Documents and Settings\Administrator\Templates\powerpnt.ppt Object is locked skipped
C:\Documents and Settings\Administrator\Templates\presenta.shw Object is locked skipped
C:\Documents and Settings\Administrator\Templates\quattro.wb2 Object is locked skipped
C:\Documents and Settings\Administrator\Templates\sndrec.wav Object is locked skipped
C:\Documents and Settings\Administrator\Templates\winword.doc Object is locked skipped
C:\Documents and Settings\Administrator\Templates\winword2.doc Object is locked skipped
C:\Documents and Settings\Administrator\Templates\wordpfct.wpd Object is locked skipped
C:\Documents and Settings\Administrator\Templates\wordpfct.wpg Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\killrss.exe/data.rar/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\killrss.exe/data.rar Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\killrss.exe RarSFX: infected - 2 skipped
C:\Program Files\Agnitum\Outpost Security Suite Pro\log\net.log Object is locked skipped
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\log\SanaAgent.log Object is locked skipped
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\log\SanaAgent_boot.log Object is locked skipped
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\log\SanaAgent_graph.log Object is locked skipped
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\log\SanaAgent_malware.log Object is locked skipped
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\log\SanaAgent_node.log Object is locked skipped
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\log\SanaAgent_removed.log Object is locked skipped
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\log\SanaSafeConnect_boot.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1CC057ED-4DA2-4A0E-ABF6-A897CD6031ED}\RP66\A0034517.VBS Infected: Backdoor.Win32.Delf.akf skipped
C:\System Volume Information\_restore{1CC057ED-4DA2-4A0E-ABF6-A897CD6031ED}\RP82\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{4E79BF7E-4096-4B75-8E40-1C9909AEB1B8}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\Disaster Backup\Disaster Recovery Job.C000/MF/C/Documents and Settings/All Users/Desktop/MCW/ResetSysRestore.VBS Infected: Backdoor.Win32.Delf.akf skipped
G:\Disaster Backup\Disaster Recovery Job.C000 ZIP: infected - 1 skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

jo60
 

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
Hello jo60,

Yes, indeed I had. The only item of note in the Kaspersky report is the following entry:
G:\Disaster Backup\Disaster Recovery Job.C000/MF/C/Documents and Settings/All Users/Desktop/MCW/ResetSysRestore.VBS ------>Backdoor.Win32.Delf.akf
Delete this:

G:\Disaster Backup\Disaster Recovery Job.C000


After running ComboFix, are you still having issues with your AV dropping out? What symptoms remain?
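The judgement above (three hits, only one worth acting on) can be mechanised. The following is an added example, not part of the original post and not Kaspersky's tooling. It assumes the report's line format as posted: one object per line, "Object is locked skipped" for files the OS had open, "Infected: <verdict> skipped" for detections, members of an archive written container/member with forward slashes, and a one-line "<format>: infected - N skipped" summary per archive; the sample input is an excerpt of the report above. It drops the locked-file noise, collapses archive members to the on-disk file you can act on, and assigns each container the handling it needs: Kaspersky's not-a-virus: prefix marks riskware (here PsKill inside killrss.exe) for review rather than automatic removal, a copy under System Volume Information\_restore goes away when System Restore is purged, and anything else is a file or archive to delete, which is exactly the G: backup job above.

```python
"""Triage a Kaspersky Online Scanner report.

Added example, not Kaspersky code.  Keeps only detections, maps members of an
archive back to the archive on disk, and assigns each on-disk object one of
three handlings: delete, purge System Restore, or review riskware.
"""
import re
from dataclasses import dataclass

DETECT_RE = re.compile(
    r"^(?P<obj>.+?)\s+(?:Infected|Suspicious):\s+(?P<verdict>.+?)\s+"
    r"(?P<action>skipped|deleted|disinfected|quarantined)$")
# Container summary line, e.g. "C:\killrss.exe RarSFX: infected - 2 skipped"
SUMMARY_RE = re.compile(r"^.+?\s+[A-Za-z0-9]+:\s+infected\s+-\s+\d+\s+skipped$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.I)
LOCKED_SUFFIX = "Object is locked skipped"


@dataclass(frozen=True)
class Detection:
    container: str      # the on-disk file
    member: str         # path inside the container, "" for a plain file
    verdict: str
    handling: str       # "delete", "purge System Restore" or "review riskware"


def handling_for(container: str, verdict: str) -> str:
    # "not-a-virus:" is Kaspersky's prefix for riskware (PsKill, remote-admin
    # tools, ...): a human decides whether it belongs on the box.
    if verdict.startswith("not-a-virus:"):
        return "review riskware"
    # Restore-point copies cannot be deleted one by one; turning System Restore
    # off and on again drops every snapshot, including the infected one.
    if RESTORE_RE.search(container):
        return "purge System Restore"
    return "delete"


def parse_report(report: str):
    """Return (detections, locked_count); locked and summary lines are dropped."""
    detections, locked = [], 0
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(LOCKED_SUFFIX):
            locked += 1
            continue
        if SUMMARY_RE.match(line):
            continue
        m = DETECT_RE.match(line)
        if not m:
            continue
        # Kaspersky joins nested objects with '/', which never appears in a
        # Windows path, so the text before the first '/' is the file on disk.
        container, _, member = m.group("obj").partition("/")
        detections.append(Detection(container, member, m.group("verdict"),
                                    handling_for(container, m.group("verdict"))))
    return detections, locked


def actions(detections):
    """Collapse member hits to one handling per on-disk container."""
    out = {}
    for d in detections:
        out.setdefault(d.container, d.handling)
    return out


# Constructed excerpt of the report posted above (lines copied verbatim).
SAMPLE_REPORT = r"""
C:\Documents and Settings\Administrator\Application Data\desktop.ini Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\killrss.exe/data.rar/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\killrss.exe/data.rar Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\killrss.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{1CC057ED-4DA2-4A0E-ABF6-A897CD6031ED}\RP66\A0034517.VBS Infected: Backdoor.Win32.Delf.akf skipped
G:\Disaster Backup\Disaster Recovery Job.C000/MF/C/Documents and Settings/All Users/Desktop/MCW/ResetSysRestore.VBS Infected: Backdoor.Win32.Delf.akf skipped
G:\Disaster Backup\Disaster Recovery Job.C000 ZIP: infected - 1 skipped
"""

if __name__ == "__main__":
    dets, locked = parse_report(SAMPLE_REPORT)
    print(f"{locked} locked objects ignored, {len(dets)} detections")
    for container, handling in actions(dets).items():
        print(f"  {handling:22} {container}")
```

The backup case is the one a script must not get wrong: the infected object is a member of the .C000 ZIP, and no scanner can delete a file inside a compressed backup job, so the whole archive is the unit of action, as in the reply above. Treat the restore-point hit the same way: it is gone only once System Restore has been purged after the live copy is dealt with.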
 

· Registered
Joined
·
32 Posts
Discussion Starter · #9 ·
Well, I will try a-squared Free anti-virus and let you know how it works. I have tried the trial version of BitDefender and it hung in the final stages of the scan, but that was before you had me remove the item in your last post.

Will try them again.

jo60
 

· Registered
Joined
·
32 Posts
Discussion Starter · #10 ·
Well, I tried a-squared Free again and made an interesting discovery. If I suspended my security suite, it ran just fine. Evidently my security suite and a-squared Free entered a deadly embrace that hung the system.

Now with the removal of the infected file, I will let you know if I encounter any other problems.

jo60
 

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
That makes sense, since you never want to have more than one AV installed at any given time: they will conflict with one another and cause issues with your OS.

Please do keep me apprised of your situation.
 