Full Version: Trojan.Downloader.Small.CML
david613
Hi,

After using Noadware to scan my computer, it found "Trojan.Downloader.Small.CML". After removing it and restarting my computer, it reappears as soon as I boot up. I would appreciate it if anyone can help; I have attached the HijackThis log. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 12:24:16 PM, on 6/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 165.228.132.10:3128
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MobileDesktop] C:\Program Files\pfingo\pfingoactive\C:\Program Files\pfingo\pfingoactive\activedesktop.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.int.x69x.net
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nortelsupport.webex.com/client/T23L...ort/ieatgpc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wingdy32 - C:\WINDOWS\SYSTEM32\wingdy32.dll
O20 - Winlogon Notify: winqif32 - winqif32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Nortel IP Softphone 2050 QoS (i2050QoSSvc) - Nortel - C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OTMResourceManager - Unknown owner - C:\Nortel\OMServices\OMCommonServices\Bin\OTMResourceManager.exe
O23 - Service: OTMSingletonServer - Unknown owner - C:\Nortel\OMServices\OMCommonServices\Bin\OTMSingletonServer.exe
O23 - Service: OTMTaskScheduler - Unknown owner - C:\Nortel\OMServices\OMCommonServices\Bin\OTMTaskScheduler.exe
O23 - Service: OTMWatchDog - Nortel Networks Corporation - C:\Nortel\Common Services\Program Files\OTMWatchDog.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

rridgely
Welcome to the forum.

Run BitDefender Online Scanner
  • Using Internet Explorer, please go HERE to run BitDefender's online scan.
  • Read the terms and then click I Agree.
  • You may receive a Security Warning about the BitDefender ActiveX control. If you do, please allow it to install.
  • On the Scanning Options screen, press Click Here To Scan and then follow the on-screen prompts.
  • Once BitDefender has finished scanning your computer, it will automatically remove the infections. Once the removal process is finished, press the Close button and a dialog box will appear asking if you want to send your scan log back to the makers of BitDefender. You do not have to do this, but what you do want to do is press the button that says "view log" and then copy and paste that log into Notepad and save it to your desktop as bitdefender.txt.
  • Reboot your computer.

Then run:

Download SUPERAntiSpyware
  1. Load SUPERAntiSpyware and click the Check for Updates button.
  2. Once the update is finished, click the Scan your Computer button.
  3. Check Perform Complete Scan and then click Next.
  4. SUPERAntiSpyware will now scan your computer, and when it's finished it will list all the infections it has found.
  5. Make sure that they all have a check next to them and press Next.
  6. Click Finish and you will be taken back to the main interface.
  7. Click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log, and a text file will appear.
  8. Copy and paste the log onto the forum.


Post the BitDefender log, the SUPERAntiSpyware log and a new HijackThis log.
david613
QUOTE(rridgely @ Jun 19 2007, 06:02 AM)
Welcome to the forum.

Run BitDefender Online Scanner
  • Using Internet Explorer, please go HERE to run BitDefender's online scan.
  • Read the terms and then click I Agree.
  • You may receive a Security Warning about the BitDefender ActiveX control. If you do, please allow it to install.
  • On the Scanning Options screen, press Click Here To Scan and then follow the on-screen prompts.
  • Once BitDefender has finished scanning your computer, it will automatically remove the infections. Once the removal process is finished, press the Close button and a dialog box will appear asking if you want to send your scan log back to the makers of BitDefender. You do not have to do this, but what you do want to do is press the button that says "view log" and then copy and paste that log into Notepad and save it to your desktop as bitdefender.txt.
  • Reboot your computer.
Then run:

Download SUPERAntiSpyware
  1. Load SUPERAntiSpyware and click the Check for Updates button.
  2. Once the update is finished, click the Scan your Computer button.
  3. Check Perform Complete Scan and then click Next.
  4. SUPERAntiSpyware will now scan your computer, and when it's finished it will list all the infections it has found.
  5. Make sure that they all have a check next to them and press Next.
  6. Click Finish and you will be taken back to the main interface.
  7. Click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log, and a text file will appear.
  8. Copy and paste the log onto the forum.
Post the BitDefender log, the SUPERAntiSpyware log and a new HijackThis log.



Hi,

The logs are as follows:

BitDefender Online Scanner - Real Time Virus Report
Generated at: Wed, Jun 20, 2007 - 08:11:07
________________________________________
Scan Info
Scanned Files 949862
Infected Files 43


Virus Detected
Trojan.Downloader.Agent.YEG 1
Trojan.Downloader.Small.ZCE 2
Trojan.Popwin.BK 3
BehavesLike:BAT.Delete 1
Trojan.Dialer.VTK 1
Trojan.Downloader.JS.CD 1
Backdoor.Delf.AKI 1
Trojan.Vundo.DMA 2
Trojan.Dialer.ACA 2
Trojan.Rootkit.Agent.BZ 1
Backdoor.Pcclient.GV 2
Application.JS.ForcePopup.I 3
Trojan.Agent.AAHI 3
Type_VBS_Autorun 2
Trojan.Lasta.S 1
Dropped:Trojan.Rootkit.Ntrootkit.F 1
Trojan.Downloader.Agent.BGY 2
Trojan.Downloader.Porndials.A 10
Generic.JS.Obsq.F0BD0EE6 1
Rootkit.Agent.DP 1
Trojan.PWS.LdPinch.SZW 2



________________________________________
This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/20/2007 at 09:57 AM

Application Version : 3.8.1002

Core Rules Database Version : 3258
Trace Rules Database Version: 1269

Scan type : Complete Scan
Total Scan Time : 01:19:52

Memory items scanned : 511
Memory threats detected : 2
Registry items scanned : 6187
Registry threats detected : 12
File items scanned : 58177
File threats detected : 195

Trojan.Mezzia/Resident
C:\WINDOWS\SYSTEM32\WINGDY32.DLL
C:\WINDOWS\SYSTEM32\WINGDY32.DLL

Trojan.Downloader-Gen/WinPop
C:\PROGRAM FILES\WINPOP\WINPOP.EXE
C:\PROGRAM FILES\WINPOP\WINPOP.EXE
[WinPop] C:\PROGRAM FILES\WINPOP\WINPOP.EXE
C:\Program Files\WinPop

Trojan.Homepage
HKLM\Software\Classes\CLSID\{686a161d-5bd1-4999-8832-6393f41e564c}
HKCR\CLSID\{686A161D-5BD1-4999-8832-6393F41E564C}
HKCR\CLSID\{686A161D-5BD1-4999-8832-6393F41E564C}
HKCR\CLSID\{686A161D-5BD1-4999-8832-6393F41E564C}\InprocServer32
HKCR\CLSID\{686A161D-5BD1-4999-8832-6393F41E564C}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\HP100.TMP

Trojan.Downloader-Win/GHY
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\wingdy32

Adware.Tracking Cookie

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV

Trojan.Security Toolbar
C:\Documents and Settings\david.liu\Favorites\Antivirus Test Online.url

Trojan.Homepage/Puper
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#wininet.dll

Trojan.Downloader-Gen/Installer
C:\WINDOWS\B122.EXE

Trace.Known Threat Sources
C:\Documents and Settings\eng.admin\Local Settings\Temporary Internet Files\Content.IE5\49IBC1AN\text[1].dat



Logfile of HijackThis v1.99.1
Scan saved at 10:25:55 AM, on 6/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 165.228.132.10:3128
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MobileDesktop] C:\Program Files\pfingo\pfingoactive\C:\Program Files\pfingo\pfingoactive\activedesktop.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.int.x69x.net
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nortelsupport.webex.com/client/T23L...ort/ieatgpc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winqif32 - winqif32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Nortel IP Softphone 2050 QoS (i2050QoSSvc) - Nortel - C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OTMResourceManager - Unknown owner - C:\Nortel\OMServices\OMCommonServices\Bin\OTMResourceManager.exe
O23 - Service: OTMSingletonServer - Unknown owner - C:\Nortel\OMServices\OMCommonServices\Bin\OTMSingletonServer.exe
O23 - Service: OTMTaskScheduler - Unknown owner - C:\Nortel\OMServices\OMCommonServices\Bin\OTMTaskScheduler.exe
O23 - Service: OTMWatchDog - Nortel Networks Corporation - C:\Nortel\Common Services\Program Files\OTMWatchDog.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

rridgely
I wasn't expecting all of that to be detected.
This machine is pretty bad off apparently...

Let's get some more scans done to make sure this thing is clean.

Download AVG Anti-Spyware
  1. Load AVG antispyware and then click the Update tab at the top. Under Manual Update click Start update.
  2. After the update finishes (the status bar at the bottom will display "Update successful")
  3. Click on the Scanner tab at the top and then click on Complete System Scan
  4. Ewido will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG antispyware will then display "All actions have been applied" on the right.
  5. Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back
Note that this is not AVG antivirus but the program formerly known as Ewido


Run Kaspersky WebScanner
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files,
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
  • Paste kaspersky log onto forum.


Post a log for avg antispyware, kaspersky, and a new hijackthis log.
david613
Hi rridgely,

I had downloaded and installed AVG antispyware but I cannot launch the application, don't know why. It can only launch in safe mode, please advise. Thanks.
rridgely
I'm not sure why it's not working. Just uninstall it.
And then use this:

Please download WebRoot SpySweeper from HERE (It's a 14 day trial):
  • Click the Download now link on the right to download the program.
  • Double-click the file to install it as follows:
  • Click "Next", read the agreement, Click "Next"
  • Choose "Custom" click "Next".
  • Leave the default installation directory as it is, then click "Next".
  • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
  • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
  • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, disconnect from the internet.
  • Click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
  • Sweep Memory
  • Sweep Registry
  • Sweep Cookies
  • Sweep All User Accounts
  • Enable Direct Disk Sweeping
  • Sweep Contents of Compressed Files
  • Sweep for Rootkits
  • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Post the webroot log and a new hijackthis log

Still post a kaspersky and a hijackthis log as well.
david613
Below are logs as per requested. As I'm unable to run online kaspersky, don't know why, I downloaded the trial version and ran the scan.

webroot log

11:00 AM: None
11:00 AM: Traces Found: 0
11:00 AM: Sweep Canceled
11:00 AM: Start Custom Sweep
11:00 AM: Sweep initiated using definitions version 935
10:58 AM: Deletion from quarantine completed. Elapsed time 00:00:00
10:58 AM: Processing: serving-sys cookie
10:58 AM: Processing: redsheriff cookies
10:58 AM: Processing: 2o7.net cookie
10:58 AM: Processing: tribalfusion cookie
10:58 AM: Processing: about cookie
10:58 AM: Processing: cpxinteractive cookie
10:58 AM: Processing: yieldmanager cookie
10:58 AM: Processing: callwave cookie
10:58 AM: Processing: infospace cookie
10:58 AM: Processing: bs.serving-sys cookie
10:58 AM: Processing: go.com cookie
10:58 AM: Processing: go.com cookie
10:58 AM: Processing: go.com cookie
10:58 AM: Processing: prosearch.com hijack
10:58 AM: Processing: prosearch.com hijack
10:58 AM: Processing: maxifiles
10:58 AM: Processing: maxifiles
10:58 AM: Processing: popuper
10:58 AM: Processing: popuper
10:58 AM: Processing: trojan agent winlogonhook
10:58 AM: Deletion from quarantine initiated
10:58 AM: Removal process completed. Elapsed time 00:00:29
10:58 AM: Quarantining All Traces: infospace cookie
10:58 AM: Quarantining All Traces: tribalfusion cookie
10:58 AM: Quarantining All Traces: serving-sys cookie
10:58 AM: Quarantining All Traces: redsheriff cookies
10:58 AM: Quarantining All Traces: about cookie
10:58 AM: Quarantining All Traces: go.com cookie
10:58 AM: Quarantining All Traces: callwave cookie
10:58 AM: Quarantining All Traces: bs.serving-sys cookie
10:58 AM: Quarantining All Traces: cpxinteractive cookie
10:58 AM: Quarantining All Traces: yieldmanager cookie
10:58 AM: Quarantining All Traces: 2o7.net cookie
10:58 AM: Quarantining All Traces: prosearch.com hijack
10:58 AM: Quarantining All Traces: maxifiles
10:58 AM: Quarantining All Traces: trojan agent winlogonhook
10:58 AM: Quarantining All Traces: popuper
10:58 AM: Removal process initiated
10:53 AM: Traces Found: 20
10:53 AM: Custom Sweep has completed. Elapsed time 01:21:44
10:53 AM: File Sweep Complete, Elapsed Time: 01:18:13
10:48 AM: Warning: TCompressedFile.GetStreams(1): Stream read error
10:45 AM: Warning: TCompressedFile.GetStreams(1): Stream read error
Not enough storage is available to process this command
10:42 AM: Warning: Unable to sweep compressed file: System Error. Code: 8.
10:37 AM: Warning: TCompressedFile.GetStreams(1): Stream read error
10:34 AM: Warning: TCompressedFile.GetStreams(1): Stream read error
10:33 AM: Warning: TCompressedFile.GetStreams(1): Stream read error
10:30 AM: Warning: TCompressedFile.GetStreams(1): Stream read error
10:28 AM: Warning: TCompressedFile.GetStreams(1): Stream read error
10:17 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
10:12 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
10:12 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
10:11 AM: Warning: PerformFileOffsetMatch Failed to check file "c:\program files\common files\symantec shared\virusdefs\20070524.035\ecmsvr32.dll". "c:\program files\common files\symantec shared\virusdefs\20070524.035\ecmsvr32.dll": File not found
10:10 AM: Warning: PerformFileOffsetMatch Failed to check file "c:\program files\common files\symantec shared\virusdefs\20070524.035\naveng32.dll". "c:\program files\common files\symantec shared\virusdefs\20070524.035\naveng32.dll": File not found
10:08 AM: Warning: PerformFileOffsetMatch Failed to check file "c:\program files\common files\symantec shared\virusdefs\20070524.035\naveng.sys". "c:\program files\common files\symantec shared\virusdefs\20070524.035\naveng.sys": File not found
10:07 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
10:04 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
10:04 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
10:00 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
10:00 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:59 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:59 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:57 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:54 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:54 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:53 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:53 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:52 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:52 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:48 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:48 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:48 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:47 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:47 AM: Warning: PerformFileOffsetMatch Failed to check file "c:\program files\common files\symantec shared\virusdefs\20070524.035\eraser.sys". "c:\program files\common files\symantec shared\virusdefs\20070524.035\eraser.sys": File not found
9:47 AM: Warning: PerformFileOffsetMatch Failed to check file "c:\program files\common files\symantec shared\virusdefs\20070524.035\eectrl.sys". "c:\program files\common files\symantec shared\virusdefs\20070524.035\eectrl.sys": File not found
9:46 AM: Warning: PerformFileOffsetMatch Failed to check file "c:\program files\common files\symantec shared\virusdefs\20070524.035\naveng.vxd". "c:\program files\common files\symantec shared\virusdefs\20070524.035\naveng.vxd": File not found
9:45 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:45 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:44 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:43 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
9:35 AM: Starting File Sweep
9:35 AM: Cookie Sweep Complete, Elapsed Time: 00:00:11
9:35 AM: c:\documents and settings\davidliu\cookies\davidliu@infospace[1].txt (ID = 2865)
9:35 AM: Found Spy Cookie: infospace cookie
9:35 AM: c:\documents and settings\david.liu\cookies\david.liu@tribalfusion[2].txt (ID = 3589)
9:35 AM: Found Spy Cookie: tribalfusion cookie
9:35 AM: c:\documents and settings\david.liu\cookies\david.liu@soccernet.espn.go[2].txt (ID = 2729)
9:35 AM: c:\documents and settings\david.liu\cookies\david.liu@soccernet-akamai.espn.go[2].txt (ID = 2729)
9:35 AM: c:\documents and settings\david.liu\cookies\david.liu@serving-sys[1].txt (ID = 3343)
9:35 AM: Found Spy Cookie: serving-sys cookie
9:35 AM: c:\documents and settings\david.liu\cookies\david.liu@imrworldwide[2].txt (ID = 2845)
9:35 AM: Found Spy Cookie: redsheriff cookies
9:35 AM: c:\documents and settings\david.liu\cookies\david.liu@gojapan.about[1].txt (ID = 2038)
9:35 AM: Found Spy Cookie: about cookie
9:35 AM: c:\documents and settings\david.liu\cookies\david.liu@espn.go[2].txt (ID = 2729)
9:35 AM: Found Spy Cookie: go.com cookie
9:35 AM: c:\documents and settings\david.liu\cookies\david.liu@callwave[2].txt (ID = 2342)
9:35 AM: Found Spy Cookie: callwave cookie
9:35 AM: c:\documents and settings\david.liu\cookies\david.liu@bs.serving-sys[1].txt (ID = 2330)
9:35 AM: Found Spy Cookie: bs.serving-sys cookie
9:35 AM: c:\documents and settings\david.liu\cookies\david.liu@adserving.cpxinteractive[2].txt (ID = 8939)
9:35 AM: Found Spy Cookie: cpxinteractive cookie
9:35 AM: c:\documents and settings\david.liu\cookies\david.liu@ad.yieldmanager[1].txt (ID = 3751)
9:35 AM: Found Spy Cookie: yieldmanager cookie
9:35 AM: c:\documents and settings\david.liu\cookies\david.liu@2o7[1].txt (ID = 1957)
9:35 AM: Found Spy Cookie: 2o7.net cookie
9:35 AM: Starting Cookie Sweep
9:35 AM: Registry Sweep Complete, Elapsed Time:00:00:36
9:35 AM: HKU\S-1-5-21-2604483713-1547929032-2538269222-1315\software\microsoft\windows\currentversion\uninstall\winpop\ (ID = 2252632)
9:35 AM: HKU\S-1-5-21-2604483713-1547929032-2538269222-1315\software\microsoft\internet explorer\new windows\allow\ || *.starsdoor.com (ID = 2089452)
9:35 AM: Found Adware: maxifiles
9:35 AM: HKLM\software\microsoft\mssmgr\ (ID = 1776755)
9:35 AM: Found Trojan Horse: trojan agent winlogonhook
9:35 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objecta\{686a161d-5bd1-4999-8832-6393f41e564c}\ (ID = 1505707)
9:35 AM: HKLM\software\microsoft\internet explorer\main\ || start page_bak (ID = 1250791)
9:35 AM: HKLM\software\microsoft\internet explorer\main\ || search page_bak (ID = 1250789)
9:35 AM: Found Adware: prosearch.com hijack
9:35 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objecta\ (ID = 735573)
9:35 AM: Found Adware: popuper
9:34 AM: Starting Registry Sweep
9:34 AM: Memory Sweep Complete, Elapsed Time: 00:02:30
9:32 AM: Starting Memory Sweep
9:32 AM: Start Custom Sweep
9:32 AM: Sweep initiated using definitions version 935
9:31 AM: IE Favorites Shield: Entry Allowed: http://forum.shareinvestor.com/forum/
9:31 AM: IE Favorites Shield: Entry Allowed: http://forum.shareinvestor.com/forum/
9:25 AM: ApplicationMinimized - EXIT
9:25 AM: ApplicationMinimized - ENTER
9:24 AM: IE Favorites Shield: Entry Allowed: http://forum.shareinvestor.com/forum/
9:24 AM: IE Favorites Shield: Entry Allowed: http://forum.shareinvestor.com/forum/
9:23 AM: Your definitions are up to date.
9:23 AM: Your definitions are up to date.
Keylogger: Off
9:22 AM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
9:22 AM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
E-mail Attachment: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
9:22 AM: Shield States
9:22 AM: License Check Status (0): Success
9:21 AM: Spyware Definitions: 923
9:20 AM: Spy Sweeper 5.5.1.3354 started
9:20 AM: Spy Sweeper 5.5.1.3354 started
9:20 AM: | Start of Session, Thursday, June 21, 2007


kaspersky log.

Protection
----------
Total scanned: 2714
Detected: 26
Untreated: 0
Start time: 6/22/2007 7:34:01 AM
Duration: 00:08:01


Detected
--------
Status Object
------ ------
detected: riskware Invader (loader) Running process: C:\Program Files\Apoint\Apoint.exe
not found: Trojan program Trojan-Proxy.Win32.Agent.mx File: C:\WINDOWS\SYSTEM32\DRIVERS\ASC3550U.SYS
not found: Trojan program Trojan-Proxy.Win32.Agent.mx File: C:\WINDOWS\System32\Drivers\asc3550i.SYS
deleted: virus Email-Worm.Win32.Warezov.lc Email message attachment: Outlook\Personal Folders\Top of Personal Folders\Inbox\[From:joe shaan][Subject:postcard][Time:2007/02/14 13:47:41]/postcard.zip/postcard.exe//PE_Patch.UPX//UPX
deleted: virus Email-Worm.Win32.Warezov.lc Email message attachment: Outlook\Personal Folders\Top of Personal Folders\Inbox\[From:secur@motorsportwarehouse.com][Subject:Mail server report.][Time:2007/02/14 14:01:45]/Update-KB8953-x86.exe//PE_Patch.UPX//UPX
detected: riskware Invader (loader) Running process: C:\WINDOWS\system32\mstsc.exe
not found: Trojan program Trojan.Win32.Dialer.qn File: C:\WINDOWS\TEMP\WIN427.TMP.EXE//PE_Patch.PECompact//PecBundle//PECompact
deleted: malware Exploit.HTML.IframeBof File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine68C0000.VBN//CryptZ
deleted: Trojan program Trojan-Downloader.Win32.Agent.brk File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine8940000.VBN//CryptZ
deleted: Trojan program Trojan-Downloader.Win32.LoadAdv.gen File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineB6C0001.VBN//CryptZ//PE_Patch.UPX//UPX
deleted: Trojan program Rootkit.Win32.Agent.ey File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineB6C0018.VBN//CryptZ
deleted: Trojan program Trojan-Downloader.VBS.Agent.u File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineE380000.VBN//CryptZ
deleted: Trojan program Trojan-Downloader.JS.Agent.fq File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineE380001.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Delf.aki File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\129C0000.VBN//CryptZ/keygen.exe//PE_Patch.UPX//UPX
deleted: Trojan program Backdoor.Win32.Delf.aki File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\129C0001.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Delf.aki File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\129C0002.VBN//CryptZ/keygen.exe//PE_Patch.UPX//UPX
deleted: Trojan program Backdoor.Win32.Delf.aki File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\129C0003.VBN//CryptZ
deleted: malware Exploit.Java.Gimsh.a File: C:\Documents and Settings\david.liu\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\game.class-50a073d8-164af630.class
deleted: Trojan program Trojan-Downloader.VBS.Agent.p File: C:\Documents and Settings\david.liu\Local Settings\Temporary Internet Files\Content.IE5\40PTQCDP\counter21[1].htm
deleted: Trojan program Trojan.Win32.Dialer.qn File: C:\Documents and Settings\david.liu\Local Settings\Temporary Internet Files\Content.IE5\9MPNR3XV\antzom[1].exe//PE_Patch.PECompact//PecBundle//PECompact
not found: Trojan program Trojan.Win32.Dialer.qn File: C:\WINDOWS\Temp\PR451.tmp//PecBundle//PECompact
not found: Trojan program Trojan.Win32.Dialer.qn File: C:\WINDOWS\Temp\PR452.tmp//PECompact
not found: Trojan program Trojan.Win32.Dialer.qn File: C:\WINDOWS\Temp\PR454.tmp
deleted: Trojan program Trojan.Win32.Dialer.qn File: C:\WINDOWS\Temp\win347.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Trojan.Win32.Dialer.qn File: C:\WINDOWS\Temp\win385.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Trojan.Win32.Dialer.qn File: C:\WINDOWS\Temp\win3B5.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact


Events
------
Time Event
---- -----
6/21/2007 12:02:47 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
6/21/2007 12:02:58 PM Process (PID 644) tried to access Kaspersky Anti-Virus process (PID 1012), but the action has been blocked by the Self-Defense component. No action on your part is necessary.
6/21/2007 12:03:04 PM Protection of your computer started.
6/21/2007 12:05:45 PM Process (PID 172) tried to access Kaspersky Anti-Virus process (PID 1012), but the action has been blocked by the Self-Defense component. No action on your part is necessary.
6/21/2007 12:07:12 PM Running process C:\Program Files\Apoint\Apoint.exe: detected modification of riskware 'Invader (loader)'.
6/21/2007 12:10:05 PM Please restart your computer to complete the installation of new or updated protection components.
6/21/2007 12:10:23 PM Update completed successfully
6/21/2007 12:11:22 PM Process (PID 3036) tried to access Kaspersky Anti-Virus process (PID 1012), but the action has been blocked by the Self-Defense component. No action on your part is necessary.
6/21/2007 12:13:07 PM Threat signatures are up-to-date
6/21/2007 12:16:21 PM Protection of your computer is not running. You are advised to resume protection.
6/21/2007 12:18:35 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
6/21/2007 12:18:45 PM Process (PID 744) tried to access Kaspersky Anti-Virus process (PID 832), but the action has been blocked by the Self-Defense component. No action on your part is necessary.
6/21/2007 12:18:53 PM Protection of your computer started.
6/21/2007 12:20:26 PM File C:\WINDOWS\SYSTEM32\DRIVERS\ASC3550U.SYS: detected Trojan program 'Trojan-Proxy.Win32.Agent.mx'. User: NXGENCOMMS\NG-DAVID-LIU$, computer: localhost.
6/21/2007 12:20:26 PM Security threats have been detected. You are advised to neutralize them immediately.
6/21/2007 12:20:26 PM File C:\WINDOWS\SYSTEM32\DRIVERS\ASC3550U.SYS: is still infected, skipped by user.
6/21/2007 12:21:30 PM Process (PID 168) tried to access Kaspersky Anti-Virus process (PID 832), but the action has been blocked by the Self-Defense component. No action on your part is necessary.
6/21/2007 12:22:43 PM Running process C:\Program Files\Apoint\Apoint.exe: detected modification of riskware 'Invader (loader)'.
6/21/2007 12:43:06 PM File C:\WINDOWS\System32\Drivers\asc3550i.SYS: detected Trojan program 'Trojan-Proxy.Win32.Agent.mx'.
6/21/2007 12:43:06 PM File C:\WINDOWS\System32\Drivers\asc3550i.SYS: is still infected, postponed.
6/21/2007 12:43:06 PM File C:\WINDOWS\System32\Drivers\asc3550u.SYS: detected Trojan program 'Trojan-Proxy.Win32.Agent.mx'.
6/21/2007 12:43:06 PM File C:\WINDOWS\System32\Drivers\asc3550u.SYS: is still infected, postponed.
6/21/2007 12:43:14 PM File C:\WINDOWS\system32\drivers\asc3550i.sys: detected Trojan program 'Trojan-Proxy.Win32.Agent.mx'.
6/21/2007 12:43:14 PM File C:\WINDOWS\system32\drivers\asc3550i.sys: is still infected, postponed.
6/21/2007 12:43:15 PM File C:\WINDOWS\system32\drivers\asc3550u.sys: detected Trojan program 'Trojan-Proxy.Win32.Agent.mx'.
6/21/2007 12:43:15 PM File C:\WINDOWS\system32\drivers\asc3550u.sys: is still infected, postponed.
6/21/2007 12:45:36 PM Process (PID 2192) tried to access Kaspersky Anti-Virus process (PID 832), but the action has been blocked by the Self-Defense component. No action on your part is necessary.
6/21/2007 12:49:09 PM Email message attachment Outlook\Personal Folders\Top of Personal Folders\Inbox\[From:joe shaan][Subject:postcard][Time:2007/02/14 13:47:41]/postcard.zip/postcard.exe//PE_Patch.UPX//UPX: detected virus 'Email-Worm.Win32.Warezov.lc'.
6/21/2007 12:49:09 PM Email message attachment Outlook\Personal Folders\Top of Personal Folders\Inbox\[From:joe shaan][Subject:postcard][Time:2007/02/14 13:47:41]/postcard.zip/postcard.exe//PE_Patch.UPX//UPX: is still infected, postponed.
6/21/2007 12:49:11 PM Email message attachment Outlook\Personal Folders\Top of Personal Folders\Inbox\[From:secur@motorsportwarehouse.com][Subject:Mail server report.][Time:2007/02/14 14:01:45]/Update-KB8953-x86.exe//PE_Patch.UPX//UPX: detected virus 'Email-Worm.Win32.Warezov.lc'.
6/21/2007 12:49:11 PM Email message attachment Outlook\Personal Folders\Top of Personal Folders\Inbox\[From:secur@motorsportwarehouse.com][Subject:Mail server report.][Time:2007/02/14 14:01:45]/Update-KB8953-x86.exe//PE_Patch.UPX//UPX: is still infected, postponed.
6/21/2007 1:16:28 PM File c:\windows\system32\drivers\asc3550i.sys: detected Trojan program 'Trojan-Proxy.Win32.Agent.mx'.
6/21/2007 1:18:28 PM File c:\windows\system32\drivers\asc3550i.sys: detected Trojan program 'Trojan-Proxy.Win32.Agent.mx'.
6/21/2007 1:19:18 PM File c:\windows\system32\drivers\asc3550i.sys: detected Trojan program 'Trojan-Proxy.Win32.Agent.mx'.
6/21/2007 1:19:18 PM File c:\windows\system32\drivers\asc3550i.sys: is still infected, skipped by user.
6/21/2007 1:19:33 PM File c:\windows\system32\drivers\asc3550i.sys: detected Trojan program 'Trojan-Proxy.Win32.Agent.mx'.
6/21/2007 1:19:33 PM File c:\windows\system32\drivers\asc3550i.sys: is still infected, skipped by user.
6/21/2007 1:19:44 PM File c:\windows\system32\drivers\asc3550i.sys: detected Trojan program 'Trojan-Proxy.Win32.Agent.mx'.
6/21/2007 1:19:45 PM File c:\windows\system32\drivers\asc3550i.sys: is still infected, skipped by user.
6/21/2007 1:19:59 PM File c:\windows\system32\drivers\asc3550i.sys: detected Trojan program 'Trojan-Proxy.Win32.Agent.mx'.
6/21/2007 1:21:19 PM File c:\windows\system32\drivers\asc3550u.sys: detected Trojan program 'Trojan-Proxy.Win32.Agent.mx'.
6/21/2007 1:26:19 PM Protection of your computer is not running. You are advised to resume protection.
6/21/2007 1:28:41 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
6/21/2007 1:28:44 PM Process (PID 780) tried to access Kaspersky Anti-Virus process (PID 1432), but the action has been blocked by the Self-Defense component. No action on your part is necessary.
6/21/2007 1:28:55 PM Protection of your computer started.
6/21/2007 1:29:03 PM Security threats have been detected. You are advised to neutralize them immediately.
6/21/2007 1:31:28 PM Process (PID 152) tried to access Kaspersky Anti-Virus process (PID 1432), but the action has been blocked by the Self-Defense component. No action on your part is necessary.
6/21/2007 1:34:43 PM Running process C:\Program Files\Apoint\Apoint.exe: detected modification of riskware 'Invader (loader)'.
6/21/2007 1:35:22 PM Running process C:\WINDOWS\system32\mstsc.exe: detected modification of riskware 'Invader (loader)'.
6/21/2007 1:40:02 PM Protection of your computer is not running. You are advised to resume protection.
6/21/2007 2:22:26 PM Update error: DNS name resolving error.
6/21/2007 5:13:45 PM Update completed successfully
6/22/2007 2:21:25 AM Protection of your computer started.
6/22/2007 2:23:32 AM Update completed successfully
6/22/2007 3:01:44 AM File C:\WINDOWS\TEMP\WIN427.TMP.EXE//PE_Patch.PECompact//PecBundle//PECompact: detected Trojan program 'Trojan.Win32.Dialer.qn'. User: NXGENCOMMS\NG-DAVID-LIU$, computer: localhost.
6/22/2007 3:01:45 AM Security threats have been detected. You are advised to neutralize them immediately.
6/22/2007 3:47:31 AM File C:\DCD\CP SUs and PEPs\CP40404SU01S.exe/CP40404SU01S/MCETOOLS.EXE/TOOLS.EXE: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AVGold.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AVGold.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AVGold1.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AVGold1.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AVGold2.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AVGold2.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AVGold3.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AVGold3.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch1.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch1.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch2.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch2.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch3.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch3.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch4.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch4.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch5.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch5.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch6.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch6.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchWinRes.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchWinRes.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareWipe.zip/ignorelist.dat: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareWipe.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareWipe1.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareWipe1.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareWipe2.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareWipe2.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareWipe3.zip/db.dat.old: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareWipe3.zip/MalwareWipe.exe: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareWipe3.zip/malwarewipe.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareWipe3.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MaxFiles.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MaxFiles.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PSGuard.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE1.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE1.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar1.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar1.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar2.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar2.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Spyblocs.zip/Remove Spyware.url: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Spyblocs.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpywareStrike.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpywareStrike.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig.zip/$_2341233.TMP: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig1.zip/$_2341234.TMP: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig1.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig2.zip/$_2341233.TMP: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig2.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig3.zip/$_2341234.TMP: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig3.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig4.zip/$_2341233.TMP: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig4.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig5.zip/$_2341234.TMP: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig5.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Vcodec.zip/ts.ico: is password protected.
6/22/2007 3:54:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Vcodec.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip/retadpu2000352.exe: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt1.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt1.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt2.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt2.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt3.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt3.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt4.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt4.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusDisableNotify.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusDisableNotify.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterFirewallDisableNotify.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterFirewallDisableNotify.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader.zip/stdole3.tlb: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader1.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader1.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader10.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader10.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader11.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader11.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader12.zip/stdole3.tlb: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader12.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader13.zip/stdole3.tlb: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader13.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader14.zip/stdole3.tlb: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader14.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader2.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader2.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader3.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader3.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader4.zip/stdole3.tlb: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader4.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader5.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader5.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader6.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader6.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader7.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader7.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader8.zip/stdole3.tlb: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader8.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader9.zip/sbRecovery.reg: is password protected.
6/22/2007 3:54:02 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader9.zip/sbRecovery.ini: is password protected.
6/22/2007 3:54:14 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine68C0000.VBN//CryptZ: detected malware 'Exploit.HTML.IframeBof'.
6/22/2007 3:54:14 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine68C0000.VBN//CryptZ: is still infected, postponed.
6/22/2007 3:54:14 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine8940000.VBN//CryptZ: detected Trojan program 'Trojan-Downloader.Win32.Agent.brk'.
6/22/2007 3:54:14 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine8940000.VBN//CryptZ: is still infected, postponed.
6/22/2007 3:54:14 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineB6C0001.VBN//CryptZ//PE_Patch.UPX//UPX: detected Trojan program 'Trojan-Downloader.Win32.LoadAdv.gen'.
6/22/2007 3:54:14 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineB6C0001.VBN//CryptZ//PE_Patch.UPX//UPX: is still infected, postponed.
6/22/2007 3:54:15 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineB6C0018.VBN//CryptZ: detected Trojan program 'Rootkit.Win32.Agent.ey'.
6/22/2007 3:54:15 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineB6C0018.VBN//CryptZ: is still infected, postponed.
6/22/2007 3:54:15 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineE380000.VBN//CryptZ: detected Trojan program 'Trojan-Downloader.VBS.Agent.u'.
6/22/2007 3:54:15 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineE380000.VBN//CryptZ: is still infected, postponed.
6/22/2007 3:54:15 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineE380001.VBN//CryptZ: detected Trojan program 'Trojan-Downloader.JS.Agent.fq'.
6/22/2007 3:54:15 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineE380001.VBN//CryptZ: is still infected, postponed.
6/22/2007 3:54:17 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\129C0000.VBN//CryptZ/keygen.exe//PE_Patch.UPX//UPX: detected Trojan program 'Backdoor.Win32.Delf.aki'.
6/22/2007 3:54:17 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\129C0000.VBN//CryptZ/keygen.exe//PE_Patch.UPX//UPX: is still infected, postponed.
6/22/2007 3:54:19 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\129C0001.VBN//CryptZ: detected Trojan program 'Backdoor.Win32.Delf.aki'.
6/22/2007 3:54:19 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\129C0002.VBN//CryptZ/keygen.exe//PE_Patch.UPX//UPX: detected Trojan program 'Backdoor.Win32.Delf.aki'.
6/22/2007 3:54:19 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\129C0002.VBN//CryptZ/keygen.exe//PE_Patch.UPX//UPX: is still infected, postponed.
6/22/2007 3:54:19 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\129C0003.VBN//CryptZ: detected Trojan program 'Backdoor.Win32.Delf.aki'.
6/22/2007 3:57:19 AM File C:\Documents and Settings\david.liu\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\game.class-50a073d8-164af630.class: detected malware 'Exploit.Java.Gimsh.a'.
6/22/2007 3:57:19 AM File C:\Documents and Settings\david.liu\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\game.class-50a073d8-164af630.class: is still infected, postponed.
6/22/2007 4:04:28 AM File C:\Documents and Settings\david.liu\Local Settings\Temp\Rar$EX00.967\ulockmobile\Unlocking Phone BlackID ™.exe/AutoPlay/autorun.cdd/_detect.dat: is password protected.
6/22/2007 4:04:28 AM File C:\Documents and Settings\david.liu\Local Settings\Temp\Rar$EX00.967\ulockmobile\Unlocking Phone BlackID ™.exe/AutoPlay/autorun.cdd/_proj.dat: is password protected.
6/22/2007 4:04:28 AM File C:\Documents and Settings\david.liu\Local Settings\Temp\Rar$EX00.967\ulockmobile\Unlocking Phone BlackID ™.exe/AutoPlay/autorun.cdd/_fonts.dat: is password protected.
6/22/2007 4:07:36 AM File C:\Documents and Settings\david.liu\Local Settings\Temporary Internet Files\Content.IE5\40PTQCDP\counter21[1].htm: detected Trojan program 'Trojan-Downloader.VBS.Agent.p'.
6/22/2007 4:07:36 AM File C:\Documents and Settings\david.liu\Local Settings\Temporary Internet Files\Content.IE5\40PTQCDP\counter21[1].htm: is still infected, postponed.
6/22/2007 4:11:03 AM File C:\Documents and Settings\david.liu\Local Settings\Temporary Internet Files\Content.IE5\9MPNR3XV\antzom[1].exe//PE_Patch.PECompact//PecBundle//PECompact: detected Trojan program 'Trojan.Win32.Dialer.qn'.
6/22/2007 4:11:03 AM File C:\Documents and Settings\david.liu\Local Settings\Temporary Internet Files\Content.IE5\9MPNR3XV\antzom[1].exe//PE_Patch.PECompact//PecBundle//PECompact: is still infected, postponed.
6/22/2007 5:17:38 AM File C:\Nortel Info\CallPilot\CP3.03PEPS\CP300S00G15S.exe/CP300S00G15S/CP300S00G15S/MCETOOLS.EXE/TOOLS.EXE: is password protected.
6/22/2007 5:18:01 AM File C:\Nortel Info\CallPilot\CP4\CP40404SU02S.exe/CP40404SU02S/MCETOOLS.EXE/TOOLS.EXE: is password protected.
6/22/2007 5:29:38 AM Update completed successfully
6/22/2007 5:36:13 AM File C:\Nortel Info\Symposium\SCCS4.017_PEPs\NS040107SU11S.exe/NS040107SU11S/NS040107SU11S/tools2.exe/TOOLS.EXE: is password protected.
6/22/2007 5:36:23 AM File C:\Nortel Info\Symposium\SCCS4.017_PEPs\NS040107SU11S\NS040107SU11S\tools2.exe/TOOLS.EXE: is password protected.
6/22/2007 5:38:10 AM File C:\Nortel Info\Symposium\SCCS4.2\Server_Supplementary\R4.0 TO R4.2 MIGRATION\NS040107SU09S.exe/NS040107SU09S/NS040107SU09S/tools2.exe/TOOLS.EXE: is password protected.
6/22/2007 6:19:18 AM File C:\TEMP\ulockmobile.rar/ulockmobile\Unlocking Phone BlackID T.exe/AutoPlay/autorun.cdd/_detect.dat: is password protected.
6/22/2007 6:19:19 AM File C:\TEMP\ulockmobile.rar/ulockmobile\Unlocking Phone BlackID T.exe/AutoPlay/autorun.cdd/_proj.dat: is password protected.
6/22/2007 6:19:19 AM File C:\TEMP\ulockmobile.rar/ulockmobile\Unlocking Phone BlackID T.exe/AutoPlay/autorun.cdd/_fonts.dat: is password protected.
6/22/2007 6:21:15 AM File C:\TEMP\wq.rar/wq.rm: is password protected.
6/22/2007 6:57:27 AM File C:\WINDOWS\Temp\PR451.tmp//PecBundle//PECompact: detected Trojan program 'Trojan.Win32.Dialer.qn'.
6/22/2007 6:57:27 AM File C:\WINDOWS\Temp\PR451.tmp//PecBundle//PECompact: is still infected, postponed.
6/22/2007 6:57:27 AM File C:\WINDOWS\Temp\PR452.tmp//PECompact: detected Trojan program 'Trojan.Win32.Dialer.qn'.
6/22/2007 6:57:27 AM File C:\WINDOWS\Temp\PR452.tmp//PECompact: is still infected, postponed.
6/22/2007 6:57:28 AM File C:\WINDOWS\Temp\PR454.tmp: detected Trojan program 'Trojan.Win32.Dialer.qn'.
6/22/2007 6:57:28 AM File C:\WINDOWS\Temp\PR454.tmp: is still infected, postponed.
6/22/2007 6:57:34 AM File C:\WINDOWS\Temp\win347.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact: detected Trojan program 'Trojan.Win32.Dialer.qn'.
6/22/2007 6:57:34 AM File C:\WINDOWS\Temp\win347.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact: is still infected, postponed.
6/22/2007 6:57:35 AM File C:\WINDOWS\Temp\win385.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact: detected Trojan program 'Trojan.Win32.Dialer.qn'.
6/22/2007 6:57:35 AM File C:\WINDOWS\Temp\win385.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact: is still infected, postponed.
6/22/2007 6:57:36 AM File C:\WINDOWS\Temp\win3B5.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact: detected Trojan program 'Trojan.Win32.Dialer.qn'.
6/22/2007 6:57:36 AM File C:\WINDOWS\Temp\win3B5.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact: is still infected, postponed.
6/22/2007 6:57:38 AM File C:\WINDOWS\Temp\win427.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact: detected Trojan program 'Trojan.Win32.Dialer.qn'.
6/22/2007 6:57:38 AM File C:\WINDOWS\Temp\win427.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact: is still infected, postponed.
6/22/2007 6:59:55 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantine68c0000.vbn//CryptZ: detected malware 'Exploit.HTML.IframeBof'.
6/22/2007 7:22:35 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantine68c0000.vbn: deleted.
6/22/2007 7:22:35 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantine8940000.vbn//CryptZ: detected Trojan program 'Trojan-Downloader.Win32.Agent.brk'.
6/22/2007 7:22:36 AM File C:\WINDOWS\TEMP\WIN427.TMP.EXE: deleted.
6/22/2007 7:23:21 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantine8940000.vbn: deleted.
6/22/2007 7:23:21 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantineb6c0001.vbn//CryptZ//PE_Patch.UPX//UPX: detected Trojan program 'Trojan-Downloader.Win32.LoadAdv.gen'.
6/22/2007 7:23:25 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantineb6c0001.vbn: deleted.
6/22/2007 7:23:25 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantineb6c0018.vbn//CryptZ: detected Trojan program 'Rootkit.Win32.Agent.ey'.
6/22/2007 7:23:27 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantineb6c0018.vbn: deleted.
6/22/2007 7:23:27 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantinee380000.vbn//CryptZ: detected Trojan program 'Trojan-Downloader.VBS.Agent.u'.
6/22/2007 7:23:28 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantinee380000.vbn: deleted.
6/22/2007 7:23:28 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantinee380001.vbn//CryptZ: detected Trojan program 'Trojan-Downloader.JS.Agent.fq'.
6/22/2007 7:23:29 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantinee380001.vbn: deleted.
6/22/2007 7:23:30 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantine\129c0000.vbn//CryptZ/keygen.exe//PE_Patch.UPX//UPX: detected Trojan program 'Backdoor.Win32.Delf.aki'.
6/22/2007 7:23:33 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantine\129c0000.vbn: deleted.
6/22/2007 7:23:33 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantine\129c0001.vbn//CryptZ: detected Trojan program 'Backdoor.Win32.Delf.aki'.
6/22/2007 7:23:35 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantine\129c0001.vbn: deleted.
6/22/2007 7:23:35 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantine\129c0002.vbn//CryptZ/keygen.exe//PE_Patch.UPX//UPX: detected Trojan program 'Backdoor.Win32.Delf.aki'.
6/22/2007 7:23:36 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantine\129c0002.vbn: deleted.
6/22/2007 7:23:36 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantine\129c0003.vbn//CryptZ: detected Trojan program 'Backdoor.Win32.Delf.aki'.
6/22/2007 7:23:37 AM File c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\quarantine\129c0003.vbn: deleted.
6/22/2007 7:23:37 AM File c:\documents and settings\david.liu\application data\sun\java\deployment\cache\javapi\v1.0\file\game.class-50a073d8-164af630.class: detected malware 'Exploit.Java.Gimsh.a'.
6/22/2007 7:23:39 AM File c:\documents and settings\david.liu\application data\sun\java\deployment\cache\javapi\v1.0\file\game.class-50a073d8-164af630.class: deleted.
6/22/2007 7:23:39 AM File c:\documents and settings\david.liu\local settings\temporary internet files\content.ie5\40ptqcdp\counter21[1].htm: detected Trojan program 'Trojan-Downloader.VBS.Agent.p'.
6/22/2007 7:23:40 AM File c:\documents and settings\david.liu\local settings\temporary internet files\content.ie5\40ptqcdp\counter21[1].htm: deleted.
6/22/2007 7:23:41 AM File c:\documents and settings\david.liu\local settings\temporary internet files\content.ie5\9mpnr3xv\antzom[1].exe//PE_Patch.PECompact//PecBundle//PECompact: detected Trojan program 'Trojan.Win32.Dialer.qn'.
6/22/2007 7:23:42 AM File c:\documents and settings\david.liu\local settings\temporary internet files\content.ie5\9mpnr3xv\antzom[1].exe: deleted.
6/22/2007 7:23:42 AM File c:\windows\temp\win347.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact: detected Trojan program 'Trojan.Win32.Dialer.qn'.
6/22/2007 7:23:42 AM File c:\windows\temp\win347.tmp.exe: deleted.
6/22/2007 7:23:43 AM File c:\windows\temp\win385.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact: detected Trojan program 'Trojan.Win32.Dialer.qn'.
6/22/2007 7:23:43 AM File c:\windows\temp\win385.tmp.exe: deleted.
6/22/2007 7:23:43 AM File c:\windows\temp\win3b5.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact: detected Trojan program 'Trojan.Win32.Dialer.qn'.
6/22/2007 7:23:44 AM File c:\windows\temp\win3b5.tmp.exe: deleted.
6/22/2007 7:30:37 AM Protection of your computer is not running. You are advised to resume protection.
6/22/2007 7:34:01 AM Protection of your computer started.
6/22/2007 7:36:43 AM Update completed successfully


Reports
-------
Component Status Start Finish Size
--------- ------ ----- ------ ----
Proactive Defense running 6/22/2007 7:34:01 AM 0 bytes
File Anti-Virus running 6/22/2007 7:34:01 AM 542.3 KB
Mail Anti-Virus running 6/22/2007 7:34:01 AM 0 bytes
Update completed 6/22/2007 7:34:02 AM 6/22/2007 7:36:43 AM 15.2 KB
Web Anti-Virus running 6/22/2007 7:34:01 AM 0 bytes


Logfile of HijackThis v1.99.1
Scan saved at 7:43:46 AM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 165.228.132.10:3128
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] "C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AVFX Engine] "C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MobileDesktop] C:\Program Files\pfingo\pfingoactive\C:\Program Files\pfingo\pfingoactive\activedesktop.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.int.x69x.net
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nortelsupport.webex.com/client/T23L...ort/ieatgpc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winqif32 - winqif32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Nortel IP Softphone 2050 QoS (i2050QoSSvc) - Nortel - C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OTMResourceManager - Unknown owner - C:\Nortel\OMServices\OMCommonServices\Bin\OTMResourceManager.exe
O23 - Service: OTMSingletonServer - Unknown owner - C:\Nortel\OMServices\OMCommonServices\Bin\OTMSingletonServer.exe
O23 - Service: OTMTaskScheduler - Unknown owner - C:\Nortel\OMServices\OMCommonServices\Bin\OTMTaskScheduler.exe
O23 - Service: OTMWatchDog - Nortel Networks Corporation - C:\Nortel\Common Services\Program Files\OTMWatchDog.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
rridgely
Open HijackThis and do a system scan. Then check off the following lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O20 - Winlogon Notify: winqif32 - winqif32.dll (file missing)

Then press Fix checked and exit HijackThis.

------------------

Then it's probably a good idea to clear your restore points and make a new one.

To flush the infected restore points:

Click Start Menu > All Programs > Accessories > System Tools > System Restore

Choose Create a Restore Point, then click Next. Name it and click Create. When the confirmation screen shows the restore point has been created, click Close.

Next, go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished, it will open the Disk Cleanup options screen. Click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

-----------------

Let me know if everything seems back to normal.
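An added example, not part of rridgely's post and not HijackThis code: a Python triage of the "(file missing)" entries in a HijackThis log, cross-checked against the log's own Running processes list. The sample lines are excerpted from the log posted above; the function names and verdict labels are assumptions made for this illustration.

```python
import re

# Excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r'''Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: winqif32 - winqif32.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
'''

ENTRY_RE = re.compile(r'^([A-Z]\d{1,2}) - (.*)$')  # e.g. "O20 - <body>"
MISSING = ' (file missing)'


def parse(log_text):
    """Split a log into the running-process set and (code, body) entries."""
    running, entries, in_procs = set(), [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == 'Running processes:':
            in_procs = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False
            entries.append((match.group(1), match.group(2)))
        elif in_procs and line:
            running.add(line.lower())  # Windows paths compare case-insensitively
    return running, entries


def target_path(body):
    """File an entry points at: last ' - ' field, minus marker and quoted args."""
    tail = body[:-len(MISSING)].rsplit(' - ', 1)[-1]
    return tail.split('"', 1)[0].strip()


def triage_missing(log_text):
    """Return (code, path, verdict) for every entry marked '(file missing)'."""
    running, entries = parse(log_text)
    findings = []
    for code, body in entries:
        if not body.endswith(MISSING):
            continue
        path = target_path(body)
        if path.lower() in running:
            verdict = 'contradicted'    # listed as a running process, so it exists
        elif '\\' not in path:
            verdict = 'orphan-no-path'  # bare file name, no location to inspect
        else:
            verdict = 'orphan'          # path given, not confirmed by the log
        findings.append((code, path, verdict))
    return findings


if __name__ == '__main__':
    for code, path, verdict in triage_missing(SAMPLE_LOG):
        print(f'{code:<4}{verdict:<16}{path}')
```

A `contradicted` verdict means the log itself shows the file running, so the marker on that entry should not be taken as a reason to remove it.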
david613
QUOTE(rridgely @ Jun 22 2007, 12:07 AM) [snapback]74309[/snapback]
Open HijackThis and do a system scan. Then check off the following lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O20 - Winlogon Notify: winqif32 - winqif32.dll (file missing)

Then press Fix checked and exit HijackThis.

------------------

Then it's probably a good idea to clear your restore points and make a new one.

To flush the infected restore points:

Click Start Menu > All Programs > Accessories > System Tools > System Restore

Choose Create a Restore Point, then click Next. Name it and click Create. When the confirmation screen shows the restore point has been created, click Close.

Next, go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished, it will open the Disk Cleanup options screen. Click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

-----------------

Let me know if everything seems back to normal.



My System Restore is off; is it recommended to turn it on?
rridgely
QUOTE(david613 @ Jun 21 2007, 08:57 PM) [snapback]74310[/snapback]
My System Restore is off; is it recommended to turn it on?


That's up to you. I was just making sure you have a clean point to restore to if you did use it.
david613
QUOTE(rridgely @ Jun 22 2007, 09:59 PM) [snapback]74369[/snapback]
That's up to you. I was just making sure you have a clean point to restore to if you did use it.


Hi rridgely,

Thanks for your great help. I ran Noadware and the Trojan is gone, although the system is quite slow now.

Regards,

David.