I have been infected by a virus/trojan, and have gotten a number of unwanted popup ads when I launch IE. I also have the red 'x' next to my C drive. I ran VundoFix; it appeared to have removed some files. I ran Windows Defender; it still finds the win32/fotomot virus/trojan. I ran Trend Micro's HouseCall and it found the troj_vundo.aah and pe_trats_a trojan/virus. This all started when I downloaded software from LimeWire that I thought was going to help me crack a password on a Word doc that I had forgotten the password to. Please advise.

You might want to download and install AVG if you don't have a virus program installed. Afterwards, start Windows in safe mode by constantly pressing F8 when you restart your computer. Once in safe mode, do a full system scan with AVG and see if it can quarantine those viruses.
Jim R

Run Vundofix twice.
Go to this link:
Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links:
Link 3
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

Hello,
Here are the logs. Thanks for all your help. I really appreciate it.
-Paul
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:56 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Cisco Systems\AutoUpdate\AutoUpdate.exe
C:\Documents and Settings\All Users.WINXP\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.exe
C:\WINXP\System32\nvsvc32.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINXP\system32\WDBtnMgr.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Sony\Giga Pocket\usbsircs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINXP\system32\hpoipm07.exe
C:\WINXP\explorer.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gneco\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINXP\system32\BhoCitUS.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {9f96e779-3c0d-7afb-6e34-f6dc42c7c0d7} - {7d0c7c24-cd6f-43e6-bfa7-d0c3977e69f9} - C:\WINXP\system32\drodfrrf.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINXP\System32\hphmon04.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [f043a0bf] rundll32.exe "C:\WINXP\system32\ewmkdxis.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" -scheduler
O4 - HKCU\..\Run: [EPSON Stylus Photo R260 Series] C:\WINXP\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.exe /FU "C:\WINXP\TEMP\E_S1BD.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Giga Pocket Initialize.lnk = C:\Program Files\Sony\Giga Pocket\initovl.exe
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = C:\Program Files\Sony\Giga Pocket\usbsircs.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winxp\system32\nwprovau.dll
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.priv.njmls.xmlsweb.com/X...
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/Walgreen...
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://org.mlxchange.com/Control/Mu...
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.nationalgeomatica.com/mg...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://org.mlxchange.com/Control/ML...
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/inst...
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/I...
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://org.mlxchange.com/Control/IR...
O16 - DPF: {9E214F45-89C2-4DE3-94A9-530EB1D05F7E} - http://www.quest3d.com/Quest3D_WebI...
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AutoUpdate: Cisco Apps (AutoUpdate__Cisco) - Cisco Systems, Inc. - C:\Program Files\Common Files\Cisco Systems\AutoUpdate\AutoUpdate.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users.WINXP\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINXP\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINXP\System32\HPHipm11.exe
O23 - Service: WUSB300NSvc - Unknown owner - C:\Program Files\Linksys\WUSB300N\WLService.exe
O24 - Desktop Component 0: (no name) - http://www.buildabear.com/graphics/...
--
End of file - 10305 bytes
ComboFix 08-01-29.2 - Gneco 2008-01-28 18:36:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.475 [GMT -5:00]
Running from: C:\Documents and Settings\Gneco\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINXP\system32\ssqro.dll
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\log.txt
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINXP\cookies.ini
C:\WINXP\system32\ctfmon.exe.tmp
C:\WINXP\system32\e9
C:\WINXP\system32\e9\farstadcom2.exe
C:\WINXP\system32\hptqkxxc.dllbox
C:\WINXP\system32\inolvwhy.exe
C:\WINXP\system32\jkkjhif.dll
C:\WINXP\system32\mcrh.tmp
C:\WINXP\system32\oevqitjt.ini
C:\WINXP\system32\orqss.ini
C:\WINXP\system32\orqss.ini2
C:\WINXP\system32\p2
C:\WINXP\system32\pac.txt
C:\WINXP\system32\qilucocl.ini
C:\WINXP\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.exe
C:\WINXP\system32\ssqro.dll
C:\WINXP\system32\ssqro.exe
C:\WINXP\system32\t8
C:\WINXP\system32\tjtiqveo.dll
C:\WINXP\Fonts\'
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.
2008-01-28 02:26 . 2008-01-28 12:29 <DIR> d-------- C:\Documents and Settings\Gneco\.housecall6.6
2008-01-28 02:10 . 2008-01-28 02:10 <DIR> d-------- C:\WINXP\LastGood.Tmp
2008-01-28 00:00 . 2008-01-28 11:10 <DIR> d-------- C:\VundoFix Backups
2008-01-25 22:57 . 2008-01-27 11:28 <DIR> d-------- C:\WINXP\system32\SysDriversBak
2008-01-17 16:28 . 2008-01-29 18:39 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-17 16:24 . 2008-01-28 12:35 15,360 --a------ C:\WINXP\system32\ctfmon .exe
2008-01-17 15:43 . 2008-01-26 00:02 <DIR> d-a------ C:\Documents and Settings\All Users.WINXP\Application Data\TEMP
2008-01-17 13:05 . 2008-01-27 22:43 348,160 --a------ C:\WINXP\system32\hphmon04 .exe
2008-01-17 13:05 . 2008-01-17 16:24 153,088 --a------ C:\WINXP\system32\VOBREGCheck .exe
2008-01-17 00:41 . 2008-01-17 00:41 147,456 --a------ C:\WINXP\system32\vbzip10.dll
2008-01-17 00:34 . 2008-01-24 07:11 <DIR> d--hs---- C:\WINXP\VmlkZW8
2008-01-17 00:34 . 2008-01-17 00:34 <DIR> d-------- C:\WINXP\system32\edcA18
2008-01-17 00:34 . 2008-01-17 00:34 <DIR> d-------- C:\temp\Ryuan1
2008-01-11 23:44 . 2008-01-12 12:59 54,156 --ah----- C:\WINXP\QTFont.qfn
2008-01-11 23:44 . 2008-01-11 23:44 1,409 --a------ C:\WINXP\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 23:39 --------- d-----w C:\Program Files\QuickTime
2008-01-29 23:39 --------- d-----w C:\Program Files\MSN Messenger
2008-01-29 23:39 --------- d-----w C:\Program Files\Citi Virtual Account Numbers
2008-01-28 18:47 --------- d-----w C:\Program Files\Quicken
2008-01-28 05:42 --------- d-----w C:\Program Files\Java
2008-01-26 05:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-26 04:58 --------- d-----w C:\Program Files\ItsDeductibleEX
2008-01-17 17:02 --------- d-----w C:\Program Files\Real
2008-01-17 17:02 --------- d-----w C:\Program Files\QUICKENW
2008-01-12 17:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-11 23:14 --------- d-----w C:\Program Files\Symantec
2008-01-11 23:06 --------- d-----w C:\Documents and Settings\All Users.WINXP\Application Data\Symantec
2007-12-19 22:52 --------- d-----w C:\Documents and Settings\Gneco\Application Data\Snapfish
2007-12-05 00:02 --------- d-----w C:\Program Files\InterActual
.
----a-w 192,512 2008-01-28 17:35:21 C:\Program Files\Citi Virtual Account Numbers\CitiVAN .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:30 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 39,264 2008-01-28 17:35:33 C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w 69,632 2008-01-28 17:35:18 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w 132,496 2008-01-28 17:35:24 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,289,000 2008-01-17 21:24:23 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,289,000 2008-01-28 16:10:36 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 5,674,352 2008-01-28 17:35:37 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 155,648 2008-01-28 16:10:37 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:38 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:39 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:39 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:39 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 866,584 2008-01-28 17:35:28 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 15,360 2008-01-28 17:35:29 C:\WINXP\system32\ctfmon .exe
----a-w 348,160 2008-01-28 03:43:42 C:\WINXP\system32\hphmon04 .exe
----a-w 153,088 2008-01-17 21:24:02 C:\WINXP\system32\VOBREGCheck .exe
----a-w 139,264 2008-01-28 17:35:27 C:\WINXP\system32\spool\drivers\w32x86\3\E_FATIBNA .exe
----a-w 188,416 2008-01-28 03:43:41 C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb07 .exe
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7d0c7c24-cd6f-43e6-bfa7-d0c3977e69f9}]
C:\WINXP\system32\drodfrrf.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"ctfmon.exe"="C:\WINXP\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" [ ]
"EPSON Stylus Photo R260 Series"="C:\WINXP\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb07.exe" [ ]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [ ]
"HPHmon04"="C:\WINXP\System32\hphmon04.exe" [ ]
"PtiuPbmd"="ptipbm.dll" [2003-05-20 16:56 24576 C:\WINXP\system32\ptipbm.dll]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [ ]
"WD Button Manager"="WDBtnMgr.exe" [2007-06-03 13:01 364544 C:\WINXP\system32\WDBtnMgr.exe]
"UserFaultCheck"="C:\WINXP\system32\dumprep 0 -u" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
"f043a0bf"="C:\WINXP\system32\ewmkdxis.dll" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [ ]

C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2005-12-30 00:01:21 43520]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-08-08 00:28:49 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Giga Pocket Initialize.lnk - C:\Program Files\Sony\Giga Pocket\initovl.exe [2004-08-07 03:42:45 20480]
Giga Pocket Remocon Driver.lnk - C:\Program Files\Sony\Giga Pocket\usbsircs.exe [2004-08-07 03:03:06 94208]
HPAiODevice(hp officejet 7100 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2002-11-23 19:55:48 495682]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-04-02 23:15:37 114688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.exe [2000-01-21 03:15:54 65588]
Timer Recording Manager.lnk - C:\Program Files\Sony\Giga Pocket\ReserveModule.exe [2004-08-07 03:42:45 245760]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINXP\system32\ssqro

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-08 17:03 278528 E:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
R0 si3112;SiI-3112 SATALink Controller;C:\WINXP\system32\drivers\si3112.sys [2004-06-14 21:03]
R1 SonyFanC;FAN Control Device Service;C:\WINXP\system32\Drivers\SonyFanC.sys [2001-12-03 11:53]
R2 AutoUpdate__Cisco;AutoUpdate: Cisco Apps;"C:\Program Files\Common Files\Cisco Systems\AutoUpdate\AutoUpdate.exe" [2004-10-28 11:58]
R2 CvlCdpPacket;Cisco VT Advantage CDP Packet Driver;C:\WINXP\system32\DRIVERS\CdpPacketWdmCvl.sys [2004-10-28 11:59]
R2 V7;V7;C:\WINXP\system32\drivers\V7.sys [2000-03-09 13:24]
R3 SMBE;Sony MPEG2 Encoder Board (WDM);C:\WINXP\system32\Drivers\SMBE.SYS [2001-09-21 11:16]
S1 ac97intcc;ac97intcc;C:\WINXP\system32\drivers\ac97intcc.sys []
S3 CiscoCam8116;Cisco VT Camera(1);C:\WINXP\system32\DRIVERS\CamDrC21.sys [2004-10-27 17:12]
S3 Cpmt;Cisco Media Termination;C:\WINXP\system32\Drivers\Cpmt.sys [2004-10-28 11:51]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINXP\system32\DRIVERS\wdcsam.sys [2006-09-07 16:16]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 23:44:54 C:\WINXP\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 18:42:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-29 18:45:31
ComboFix-quarantined-files.txt 2008-01-29 23:45:29
.
2008-01-25 10:51:01 --- E O F ---

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RenV::
----a-w 192,512 2008-01-28 17:35:21 C:\Program Files\Citi Virtual Account Numbers\CitiVAN .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:30 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 39,264 2008-01-28 17:35:33 C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w 69,632 2008-01-28 17:35:18 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w 132,496 2008-01-28 17:35:24 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,289,000 2008-01-17 21:24:23 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,289,000 2008-01-28 16:10:36 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 5,674,352 2008-01-28 17:35:37 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 155,648 2008-01-28 16:10:37 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:38 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:39 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:39 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:39 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 866,584 2008-01-28 17:35:28 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 15,360 2008-01-28 17:35:29 C:\WINXP\system32\ctfmon .exe
----a-w 348,160 2008-01-28 03:43:42 C:\WINXP\system32\hphmon04 .exe
----a-w 153,088 2008-01-17 21:24:02 C:\WINXP\system32\VOBREGCheck .exe
----a-w 139,264 2008-01-28 17:35:27 C:\WINXP\system32\spool\drivers\w32x86\3\E_FATIBNA .exe
----a-w 188,416 2008-01-28 03:43:41 C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb07 .exe
File::
C:\WINXP\system32\ewmkdxis.dll
C:\WINXP\system32\drodfrrf.dll
Driver::
Folder::
C:\WINXP\VmlkZW8
C:\WINXP\system32\edcA18
C:\temp\Ryuan1
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7d0c7c24-cd6f-43e6-bfa7-d0c3977e69f9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f043a0bf"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start, click "run".
Post a new ComboFix log and a new HijackThis log please.
Please go to Virus Total and upload the following file for analysis:
C:\WINXP\system32\vbzip10.dll
Post the results in your reply.
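
An added example, not part of any post in this thread: a small Python triage pass over lines copied from the HijackThis log above, flagging the patterns shared by the entries named in the CFScript. The four rules and their names are assumptions drawn from this one log, not logic taken from HijackThis or ComboFix.

```python
import re
from typing import List, NamedTuple

# Lines copied unchanged from the HijackThis log posted in this thread (subset).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: {9f96e779-3c0d-7afb-6e34-f6dc42c7c0d7} - {7d0c7c24-cd6f-43e6-bfa7-d0c3977e69f9} - C:\WINXP\system32\drodfrrf.dll (file missing)
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [f043a0bf] rundll32.exe "C:\WINXP\system32\ewmkdxis.dll",b
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" -scheduler
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # "O4 - <body>"
BHO = re.compile(r"^BHO: (.+?) - (" + GUID + r") - (.+)$")  # name, CLSID, file
RUN = re.compile(r"^(.+?)\\\.\.\\Run: \[([^\]]+)\] (.+)$")  # hive, value name, command
PADDED_EXT = re.compile(r"\s\.(?:exe|dll|com|scr)\b", re.IGNORECASE)
HEX_NAME = re.compile(r"[0-9a-f]{8}")


class Finding(NamedTuple):
    rule: str     # hypothetical rule name, defined only in this example
    section: str  # HijackThis section code, e.g. "O2" or "O4"
    key: str      # BHO CLSID or Run value name
    target: str   # file or command the entry points at


def triage(log_text: str) -> List[Finding]:
    """Return review candidates from the O2 (BHO) and O4 (Run) entries of a log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue
        section, body = entry.groups()
        if section == "O2":
            bho = BHO.match(body)
            if not bho:
                continue
            name, key, target = bho.groups()
            # A BHO whose display name is itself a GUID has no vendor label.
            if re.fullmatch(GUID, name):
                findings.append(Finding("guid-named-bho", section, key, target))
        elif section == "O4":
            run = RUN.match(body)
            if not run:
                continue  # Startup-folder shortcuts are not covered here
            _hive, key, target = run.groups()
            # Run value named with 8 hex digits that launches a DLL via rundll32.
            if HEX_NAME.fullmatch(key) and "rundll32" in target.lower():
                findings.append(Finding("hex-named-rundll32", section, key, target))
        else:
            continue
        # HijackThis appends this marker when the referenced file is absent.
        if target.endswith("(file missing)"):
            findings.append(Finding("file-missing", section, key, target))
        # Whitespace directly before the extension, as in "qttask .exe".
        if PADDED_EXT.search(target):
            findings.append(Finding("padded-extension", section, key, target))
    return findings


def keys_for(findings: List[Finding], rule: str) -> List[str]:
    """Keys of all findings raised by one rule, in log order."""
    return [f.key for f in findings if f.rule == rule]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:20} {f.section:3} {f.key} -> {f.target}")
```

A hit is a reason to look at the entry by hand; the SDHelper.dll line, for instance, only trips the file-missing rule.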

File vbzip10.dll received on 03.29.2007 13:49:41 (CET)
Current status: finished
Result: 2/32 (6.25%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - No threat detected
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
UNA - - Backdoor.IRCBot.E96F
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 5b25690cc2e55a6d4bc965068a7ba1ef

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINXP\system32\vbzip10.dll
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start, click "run".
Post a new ComboFix log.

ComboFix 08-01-29.2 - Gneco 2008-01-28 23:58:02.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.578 [GMT -5:00]
Running from: C:\Documents and Settings\Gneco\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gneco\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINXP\system32\vbzip10.dll
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.C:\WINXP\system32\vbzip10.dll
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.2008-01-28 02:26 . 2008-01-28 12:29 <DIR> d-------- C:\Documents and Settings\Gneco\.housecall6.6
2008-01-28 00:00 . 2008-01-28 11:10 <DIR> d-------- C:\VundoFix Backups
2008-01-25 22:57 . 2008-01-27 11:28 <DIR> d-------- C:\WINXP\system32\SysDriversBak
2008-01-17 16:28 . 2008-01-29 18:39 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-17 16:24 . 2008-01-28 12:35 15,360 --a------ C:\WINXP\system32\ctfmon .exe
2008-01-17 15:43 . 2008-01-26 00:02 <DIR> d-a------ C:\Documents and Settings\All Users.WINXP\Application Data\TEMP
2008-01-17 13:05 . 2008-01-27 22:43 348,160 --a------ C:\WINXP\system32\hphmon04 .exe
2008-01-17 13:05 . 2008-01-17 16:24 153,088 --a------ C:\WINXP\system32\VOBREGCheck .exe
2008-01-17 00:34 . 2008-01-24 07:11 <DIR> d--hs---- C:\WINXP\VmlkZW8
2008-01-17 00:34 . 2008-01-17 00:34 <DIR> d-------- C:\WINXP\system32\edcA18
2008-01-17 00:34 . 2008-01-17 00:34 <DIR> d-------- C:\temp\Ryuan1
2008-01-11 23:44 . 2008-01-12 12:59 54,156 --ah----- C:\WINXP\QTFont.qfn
2008-01-11 23:44 . 2008-01-11 23:44 1,409 --a------ C:\WINXP\QTFont.for.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 23:39 --------- d-----w C:\Program Files\QuickTime
2008-01-29 23:39 --------- d-----w C:\Program Files\MSN Messenger
2008-01-29 23:39 --------- d-----w C:\Program Files\Citi Virtual Account Numbers
2008-01-28 18:47 --------- d-----w C:\Program Files\Quicken
2008-01-28 05:42 --------- d-----w C:\Program Files\Java
2008-01-26 05:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-26 04:58 --------- d-----w C:\Program Files\ItsDeductibleEX
2008-01-17 17:02 --------- d-----w C:\Program Files\Real
2008-01-17 17:02 --------- d-----w C:\Program Files\QUICKENW
2008-01-12 17:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-11 23:14 --------- d-----w C:\Program Files\Symantec
2008-01-11 23:06 --------- d-----w C:\Documents and Settings\All Users.WINXP\Application Data\Symantec
2007-12-19 22:52 --------- d-----w C:\Documents and Settings\Gneco\Application Data\Snapfish
2007-12-05 00:02 --------- d-----w C:\Program Files\InterActual
.
----a-w 192,512 2008-01-28 17:35:21 C:\Program Files\Citi Virtual Account Numbers\CitiVAN .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:30 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 39,264 2008-01-28 17:35:33 C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w 69,632 2008-01-28 17:35:18 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w 132,496 2008-01-28 17:35:24 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,289,000 2008-01-17 21:24:23 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,289,000 2008-01-28 16:10:36 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 5,674,352 2008-01-28 17:35:37 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 155,648 2008-01-28 16:10:37 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:38 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:39 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:39 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:39 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 866,584 2008-01-28 17:35:28 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 15,360 2008-01-28 17:35:29 C:\WINXP\system32\ctfmon .exe
----a-w 348,160 2008-01-28 03:43:42 C:\WINXP\system32\hphmon04 .exe
----a-w 153,088 2008-01-17 21:24:02 C:\WINXP\system32\VOBREGCheck .exe
----a-w 139,264 2008-01-28 17:35:27 C:\WINXP\system32\spool\drivers\w32x86\3\E_FATIBNA .exe
----a-w 188,416 2008-01-28 03:43:41 C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb07 .exe
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7d0c7c24-cd6f-43e6-bfa7-d0c3977e69f9}]
C:\WINXP\system32\drodfrrf.dll[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"ctfmon.exe"="C:\WINXP\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" [ ]
"EPSON Stylus Photo R260 Series"="C:\WINXP\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.exe" [ ][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb07.exe" [ ]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [ ]
"HPHmon04"="C:\WINXP\System32\hphmon04.exe" [ ]
"PtiuPbmd"="ptipbm.dll" [2003-05-20 16:56 24576 C:\WINXP\system32\ptipbm.dll]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [ ]
"WD Button Manager"="WDBtnMgr.exe" [2007-06-03 13:01 364544 C:\WINXP\system32\WDBtnMgr.exe]
"UserFaultCheck"="C:\WINXP\system32\dumprep 0 -u" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
"f043a0bf"="C:\WINXP\system32\ewmkdxis.dll" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [ ]C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2005-12-30 00:01:21 43520]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-08-08 00:28:49 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Giga Pocket Initialize.lnk - C:\Program Files\Sony\Giga Pocket\initovl.exe [2004-08-07 03:42:45 20480]
Giga Pocket Remocon Driver.lnk - C:\Program Files\Sony\Giga Pocket\usbsircs.exe [2004-08-07 03:03:06 94208]
HPAiODevice(hp officejet 7100 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2002-11-23 19:55:48 495682]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-04-02 23:15:37 114688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.exe [2000-01-21 03:15:54 65588]
Timer Recording Manager.lnk - C:\Program Files\Sony\Giga Pocket\ReserveModule.exe [2004-08-07 03:42:45 245760][HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINXP\system32\ssqro[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-08 17:03 278528 E:\Program Files\iTunes\iTunesHelper.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
R0 si3112;SiI-3112 SATALink Controller;C:\WINXP\system32\drivers\si3112.sys [2004-06-14 21:03]
R1 SonyFanC;FAN Control Device Service;C:\WINXP\system32\Drivers\SonyFanC.sys [2001-12-03 11:53]
R2 AutoUpdate__Cisco;AutoUpdate: Cisco Apps;"C:\Program Files\Common Files\Cisco Systems\AutoUpdate\AutoUpdate.exe" [2004-10-28 11:58]
R2 CvlCdpPacket;Cisco VT Advantage CDP Packet Driver;C:\WINXP\system32\DRIVERS\CdpPacketWdmCvl.sys [2004-10-28 11:59]
R2 V7;V7;C:\WINXP\system32\drivers\V7.sys [2000-03-09 13:24]
R3 SMBE;Sony MPEG2 Encoder Board (WDM);C:\WINXP\system32\Drivers\SMBE.SYS [2001-09-21 11:16]
S1 ac97intcc;ac97intcc;C:\WINXP\system32\drivers\ac97intcc.sys []
S3 CiscoCam8116;Cisco VT Camera(1);C:\WINXP\system32\DRIVERS\CamDrC21.sys [2004-10-27 17:12]
S3 Cpmt;Cisco Media Termination;C:\WINXP\system32\Drivers\Cpmt.sys [2004-10-28 11:51]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINXP\system32\DRIVERS\wdcsam.sys [2006-09-07 16:16].
Contents of the 'Scheduled Tasks' folder
"2008-01-29 05:06:00 C:\WINXP\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 00:03:34
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
r Running Proce
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Cisco Systems\AutoUpdate\AutoUpdate.exe
C:\Documents and Settings\All Users.WINXP\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.exe
C:\WINXP\System32\nvsvc32.exe
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\WINXP\system32\WDBtnMgr.exe
C:\WINXP\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony\Giga Pocket\usbsircs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\WINXP\System32\rundll32.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINXP\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
.
**************************************************************************
.
Completion time: 2008-01-29 0:06:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 05:06:31
ComboFix2.txt 2008-01-29 23:45:32
.
2008-01-25 10:51:01 --- E O F ---

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RenV::
----a-w 192,512 2008-01-28 17:35:21 C:\Program Files\Citi Virtual Account Numbers\CitiVAN .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:30 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 39,264 2008-01-28 17:35:33 C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w 69,632 2008-01-28 17:35:18 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w 132,496 2008-01-28 17:35:24 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,289,000 2008-01-17 21:24:23 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,289,000 2008-01-28 16:10:36 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 5,674,352 2008-01-28 17:35:37 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 155,648 2008-01-28 16:10:37 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:38 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:39 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:39 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:39 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 866,584 2008-01-28 17:35:28 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 15,360 2008-01-28 17:35:29 C:\WINXP\system32\ctfmon .exe
----a-w 348,160 2008-01-28 03:43:42 C:\WINXP\system32\hphmon04 .exe
----a-w 153,088 2008-01-17 21:24:02 C:\WINXP\system32\VOBREGCheck .exe
----a-w 139,264 2008-01-28 17:35:27 C:\WINXP\system32\spool\drivers\w32x86\3\E_FATIBNA .exe
----a-w 188,416 2008-01-28 03:43:41 C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb07 .exe
File::
C:\WINXP\system32\drodfrrf.dll
C:\WINXP\system32\ewmkdxis.dll
Driver::
f043a0bf
ewmkdxis
Folder::
C:\WINXP\VmlkZW8
C:\WINXP\system32\edcA18
C:\temp\Ryuan1
C:\WINXP\system32\ssqro
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7d0c7c24-cd6f-43e6-bfa7-d0c3977e69f9}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f043a0bf"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If Combofix does not auto-start, click "Run".
Post a new Combofix log.
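
The Run value and the LSA "Authentication Packages" entry that the CFScript above targets can be picked out of a "Reg Loading Points" section mechanically. The following is an added example, not part of the thread and not ComboFix's own logic; the sample is an excerpt of the log posted above, and the two rules (an 8-hex-digit Run value name pointing at a DLL, and any authentication package other than the assumed baseline `msv1_0`) are triage heuristics chosen for this illustration.

```python
import re

# Excerpt of the "Reg Loading Points" section from the log above, kept in the
# run-together form the forum produced (key headers glued to the previous line).
SAMPLE_LOG = r'''
REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINXP\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"EPSON Stylus Photo R260 Series"="C:\WINXP\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.exe" [ ][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PtiuPbmd"="ptipbm.dll" [2003-05-20 16:56 24576 C:\WINXP\system32\ptipbm.dll]
"f043a0bf"="C:\WINXP\system32\ewmkdxis.dll" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ][HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINXP\system32\ssqro[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
'''

KEY_RE = re.compile(r"\[(HKEY_[^\]]+)\]")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"')
LSA_RE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(?P<pkgs>.*)$")

# Assumptions made for this example (not taken from ComboFix):
LSA_BASELINE = {"msv1_0"}                           # expected package list
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)    # machine-generated-looking name


def split_glued_keys(text):
    """Put every [HKEY_...] header on a line of its own."""
    # A function is used as the replacement so backslashes in the key are kept literally.
    return KEY_RE.sub(lambda m: "\n[" + m.group(1) + "]\n", text)


def parse(text):
    """Return (key, value_name, data) tuples for the entries this example understands."""
    key = None
    entries = []
    for line in split_glued_keys(text).splitlines():
        line = line.strip()
        if not line:
            continue
        header = KEY_RE.fullmatch(line)
        if header:
            key = header.group(1)
            continue
        if key is None:
            continue  # text before the first key, e.g. "REGEDIT4"
        value = VALUE_RE.match(line)
        if value:
            entries.append((key, value.group("name"), value.group("data")))
            continue
        lsa = LSA_RE.match(line)
        if lsa:
            entries.append((key, "Authentication Packages", lsa.group("pkgs")))
    return entries


def triage(text):
    """Return findings as (rule, key, value_name, data) tuples."""
    findings = []
    for key, name, data in parse(text):
        lowered = key.lower()
        if lowered.endswith("\\currentversion\\run"):
            if HEX_NAME_RE.match(name) and data.lower().endswith(".dll"):
                findings.append(("run-hex-name-dll", key, name, data))
        elif lowered.endswith("\\control\\lsa") and name == "Authentication Packages":
            # Packages are split on whitespace, so a path containing spaces
            # would be reported in pieces; good enough for triage.
            for pkg in data.split():
                if pkg.lower() not in LSA_BASELINE:
                    findings.append(("lsa-extra-package", key, name, pkg))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A hit is a reason to look at the file, not a verdict; `"PtiuPbmd"="ptipbm.dll"` in the same log is also a DLL under Run and is deliberately not flagged by the hex-name rule.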

Sorry for the delayed response...I have been on a business trip away from the (infected) desktop computer. I just returned today. Here is the Combofix log that you requested:
ComboFix 08-01-29.2 - Gneco 2008-02-02 17:17:46.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.596 [GMT -5:00]
Running from: C:\Documents and Settings\Gneco\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gneco\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINXP\system32\drodfrrf.dll
C:\WINXP\system32\ewmkdxis.dll
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.C:\temp\Ryuan1
C:\temp\Ryuan1\tepU.log
C:\WINXP\system32\edcA18
C:\WINXP\system32\edcA18\edcA182328.exe
C:\WINXP\VmlkZW8.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.2008-01-28 02:26 . 2008-01-28 12:29 <DIR> d-------- C:\Documents and Settings\Gneco\.housecall6.6
2008-01-28 00:00 . 2008-01-28 11:10 <DIR> d-------- C:\VundoFix Backups
2008-01-25 22:57 . 2008-01-27 11:28 <DIR> d-------- C:\WINXP\system32\SysDriversBak
2008-01-17 16:28 . 2008-01-29 18:39 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-17 16:24 . 2008-01-28 12:35 15,360 --a------ C:\WINXP\system32\ctfmon .exe
2008-01-17 15:43 . 2008-01-26 00:02 <DIR> d-a------ C:\Documents and Settings\All Users.WINXP\Application Data\TEMP
2008-01-17 13:05 . 2008-01-27 22:43 348,160 --a------ C:\WINXP\system32\hphmon04 .exe
2008-01-17 13:05 . 2008-01-17 16:24 153,088 --a------ C:\WINXP\system32\VOBREGCheck .exe
2008-01-11 23:44 . 2008-01-12 12:59 54,156 --ah----- C:\WINXP\QTFont.qfn
2008-01-11 23:44 . 2008-01-11 23:44 1,409 --a------ C:\WINXP\QTFont.for.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 23:39 --------- d-----w C:\Program Files\QuickTime
2008-01-29 23:39 --------- d-----w C:\Program Files\MSN Messenger
2008-01-29 23:39 --------- d-----w C:\Program Files\Citi Virtual Account Numbers
2008-01-28 18:47 --------- d-----w C:\Program Files\Quicken
2008-01-28 05:42 --------- d-----w C:\Program Files\Java
2008-01-26 05:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-26 04:58 --------- d-----w C:\Program Files\ItsDeductibleEX
2008-01-17 17:02 --------- d-----w C:\Program Files\Real
2008-01-17 17:02 --------- d-----w C:\Program Files\QUICKENW
2008-01-12 17:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-11 23:14 --------- d-----w C:\Program Files\Symantec
2008-01-11 23:06 --------- d-----w C:\Documents and Settings\All Users.WINXP\Application Data\Symantec
2007-12-19 22:52 --------- d-----w C:\Documents and Settings\Gneco\Application Data\Snapfish
2007-12-05 00:02 --------- d-----w C:\Program Files\InterActual
.
----a-w 192,512 2008-01-28 17:35:21 C:\Program Files\Citi Virtual Account Numbers\CitiVAN .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:30 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 39,264 2008-01-28 17:35:33 C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w 69,632 2008-01-28 17:35:18 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w 132,496 2008-01-28 17:35:24 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,289,000 2008-01-17 21:24:23 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,289,000 2008-01-28 16:10:36 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 5,674,352 2008-01-28 17:35:37 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 155,648 2008-01-28 16:10:37 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:38 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:39 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:39 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:39 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:40 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2008-01-28 16:10:41 C:\Program Files\QuickTime\qttask .exe
----a-w 866,584 2008-01-28 17:35:28 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 15,360 2008-01-28 17:35:29 C:\WINXP\system32\ctfmon .exe
----a-w 348,160 2008-01-28 03:43:42 C:\WINXP\system32\hphmon04 .exe
----a-w 153,088 2008-01-17 21:24:02 C:\WINXP\system32\VOBREGCheck .exe
----a-w 139,264 2008-01-28 17:35:27 C:\WINXP\system32\spool\drivers\w32x86\3\E_FATIBNA .exe
----a-w 188,416 2008-01-28 03:43:41 C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb07 .exe
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"ctfmon.exe"="C:\WINXP\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" [ ]
"EPSON Stylus Photo R260 Series"="C:\WINXP\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.exe" [ ][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb07.exe" [ ]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [ ]
"HPHmon04"="C:\WINXP\System32\hphmon04.exe" [ ]
"PtiuPbmd"="ptipbm.dll" [2003-05-20 16:56 24576 C:\WINXP\system32\ptipbm.dll]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [ ]
"WD Button Manager"="WDBtnMgr.exe" [2007-06-03 13:01 364544 C:\WINXP\system32\WDBtnMgr.exe]
"UserFaultCheck"="C:\WINXP\system32\dumprep 0 -u" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [ ]C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2005-12-30 00:01:21 43520]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-08-08 00:28:49 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Giga Pocket Initialize.lnk - C:\Program Files\Sony\Giga Pocket\initovl.exe [2004-08-07 03:42:45 20480]
Giga Pocket Remocon Driver.lnk - C:\Program Files\Sony\Giga Pocket\usbsircs.exe [2004-08-07 03:03:06 94208]
HPAiODevice(hp officejet 7100 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2002-11-23 19:55:48 495682]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-04-02 23:15:37 114688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.exe [2000-01-21 03:15:54 65588]
Timer Recording Manager.lnk - C:\Program Files\Sony\Giga Pocket\ReserveModule.exe [2004-08-07 03:42:45 245760][HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINXP\system32\ssqro[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-08 17:03 278528 E:\Program Files\iTunes\iTunesHelper.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
R0 si3112;SiI-3112 SATALink Controller;C:\WINXP\system32\drivers\si3112.sys [2004-06-14 21:03]
R1 SonyFanC;FAN Control Device Service;C:\WINXP\system32\Drivers\SonyFanC.sys [2001-12-03 11:53]
R2 AutoUpdate__Cisco;AutoUpdate: Cisco Apps;"C:\Program Files\Common Files\Cisco Systems\AutoUpdate\AutoUpdate.exe" [2004-10-28 11:58]
R2 CvlCdpPacket;Cisco VT Advantage CDP Packet Driver;C:\WINXP\system32\DRIVERS\CdpPacketWdmCvl.sys [2004-10-28 11:59]
R2 V7;V7;C:\WINXP\system32\drivers\V7.sys [2000-03-09 13:24]
R2 WUSB300NSvc;WUSB300NSvc;"C:\Program Files\Linksys\WUSB300N\WLService.exe" "WUSB300N.exe" []
R3 SMBE;Sony MPEG2 Encoder Board (WDM);C:\WINXP\system32\Drivers\SMBE.SYS [2001-09-21 11:16]
S1 ac97intcc;ac97intcc;C:\WINXP\system32\drivers\ac97intcc.sys []
S3 CiscoCam8116;Cisco VT Camera(1);C:\WINXP\system32\DRIVERS\CamDrC21.sys [2004-10-27 17:12]
S3 Cpmt;Cisco Media Termination;C:\WINXP\system32\Drivers\Cpmt.sys [2004-10-28 11:51]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINXP\system32\DRIVERS\wdcsam.sys [2006-09-07 16:16].
Contents of the 'Scheduled Tasks' folder
"2008-02-02 22:27:06 C:\WINXP\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 17:24:42
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
r Running Proce
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Cisco Systems\AutoUpdate\AutoUpdate.exe
C:\Documents and Settings\All Users.WINXP\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.exe
C:\WINXP\System32\nvsvc32.exe
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\WINXP\system32\WDBtnMgr.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony\Giga Pocket\usbsircs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINXP\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
.
**************************************************************************
.
Completion time: 2008-02-02 17:27:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 22:27:27
ComboFix2.txt 2008-01-29 05:06:34
ComboFix3.txt 2008-01-29 23:45:32
.
2008-02-02 21:20:09 --- E O F ---

Go to Start > Control Panel > Add/Remove Programs and uninstall Quicktime.
Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

I was unable to uninstall Quicktime through the Control Panel nor through running the Quicktime uninstall program in the >Start>All Programs>Quick Time folder.
I got this error message dialogue box while attempting to uninstall Quicktime:
Unhandled Exception
Error Number: 0x80040707
Description: DLL function call crashed: QTInstallCode.QuickTimeUninstallProcSetup will now terminate.
Is there another way to uninstall Quicktime?
Do you still want me to download/run Kaspersky without uninstalling Quicktime? Please advise....

Let's see if this will kill it.
Open Notepad and copy/paste everything between the X's into it and make sure "Folder::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Folder::
C:\Program Files\QuickTime
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start, click "Run".
Post a new ComboFix log.
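
A check one could run on the log that comes back, as an added example that is not part of the original post and not ComboFix's own code: it parses the `Folder::` block of the CFScript and the "Other Deletions" section of the log, then reports any deleted path that lies outside the named folder. The sample script and log are constructed from lines in this thread; the function names, the "Next Section" banner and the last two deletion paths are assumptions made for the demonstration.

```python
import ntpath
import re

# Constructed inputs modelled on the CFScript and the log excerpt in this thread.
# The last two "Other Deletions" lines and the "Next Section" banner are invented
# to exercise the checks; they do not come from the real log.
CFSCRIPT = r"""Folder::
C:\Program Files\QuickTime
"""

LOG = r"""ComboFix 08-01-29.2 - Gneco 2008-02-03 19:19:25.4 - NTFSx86
Command switches used :: C:\Documents and Settings\Gneco\Desktop\CFScript.txt
.
((((((((((((((((((((   Other Deletions   ))))))))))))))))))))
.
C:\Program Files\QuickTime
C:\Program Files\QuickTime\PictureViewer.exe
C:\Program Files\QuickTime\Plugins\npqtplugin.dll
.C:\Program Files\QuickTime\QTSystem\QuickTime.qts
C:\Program Files\QuickTimeTools\helper.dll
C:\PROGRA~1\QuickTime\QTInfo.exe
.
((((((((((((((((((((   Next Section   ))))))))))))))))))))
.
C:\WINXP\system32\example.dll
"""

SECTION_RE = re.compile(r"^\.?\(+\s*(.*?)\s*\)+$")   # "((((  Title  ))))" banner
DIRECTIVE_RE = re.compile(r"^(\w+)::$")               # "Folder::" style header
PATH_RE = re.compile(r"^[A-Za-z]:\\")                 # drive-letter path
SHORT_NAME_RE = re.compile(r"~\d")                    # 8.3 alias such as PROGRA~1


def parse_cfscript(text):
    """Return {directive: [argument lines]} for each 'Name::' block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = DIRECTIVE_RE.match(line)
        if match:
            current = blocks.setdefault(match.group(1), [])
        elif current is not None:
            current.append(line)
    return blocks


def parse_section(log, title):
    """Return the path lines listed under the banner with the given title."""
    paths, inside = [], False
    for raw in log.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            inside = match.group(1).lower() == title.lower()
            continue
        # Pasted logs sometimes fuse the '.' separator onto the next line.
        line = line.lstrip(".")
        if inside and PATH_RE.match(line):
            paths.append(line)
    return paths


def norm(path):
    """Windows-style comparison form: collapse '..', unify slashes, ignore case."""
    return ntpath.normcase(ntpath.normpath(path))


def is_within(path, folder):
    """True if path is the folder itself or lies below it (not a name-prefix sibling)."""
    p, f = norm(path), norm(folder)
    return p == f or p.startswith(f + "\\")


def audit(cfscript, log):
    """Sort each deleted path into in_scope, short_name or out_of_scope."""
    folders = parse_cfscript(cfscript).get("Folder", [])
    report = {"in_scope": [], "short_name": [], "out_of_scope": []}
    for path in parse_section(log, "Other Deletions"):
        if any(is_within(path, folder) for folder in folders):
            report["in_scope"].append(path)
        elif SHORT_NAME_RE.search(path):
            # An 8.3 alias cannot be resolved without the original volume,
            # so it is set aside for manual review rather than guessed at.
            report["short_name"].append(path)
        else:
            report["out_of_scope"].append(path)
    return report


if __name__ == "__main__":
    for bucket, paths in audit(CFSCRIPT, LOG).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Anything reported as `out_of_scope` or `short_name` is worth reading by hand before the next step, since the script only asked for one folder to be removed.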

ComboFix 08-01-29.2 - Gneco 2008-02-03 19:19:25.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.602 [GMT -5:00]
Running from: C:\Documents and Settings\Gneco\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gneco\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\QuickTime
C:\Program Files\QuickTime\QTSystem\QuickTimeMusic.Resources\fi.lproj\QuickTimeMusicLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeMusic.Resources\fr.lproj\QuickTimeMusicLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeMusic.Resources\it.lproj\QuickTimeMusicLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeMusic.Resources\ja.lproj\QuickTimeMusicLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeMusic.Resources\ko.lproj\QuickTimeMusicLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeMusic.Resources\nl.lproj\QuickTimeMusicLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeMusic.Resources\no.lproj\QuickTimeMusicLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeMusic.Resources\QuickTimeMusic.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeMusic.Resources\sv.lproj\QuickTimeMusicLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeMusic.Resources\zh_CN.lproj\QuickTimeMusicLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeMusic.Resources\zh_TW.lproj\QuickTimeMusicLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeMusicalInstruments.qtx
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.qtx
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.Resources\da.lproj\QuickTimeQD3DLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.Resources\de.lproj\QuickTimeQD3DLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.Resources\en.lproj\QuickTimeQD3DLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.Resources\es.lproj\QuickTimeQD3DLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.Resources\fi.lproj\QuickTimeQD3DLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.Resources\fr.lproj\QuickTimeQD3DLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.Resources\it.lproj\QuickTimeQD3DLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.Resources\ja.lproj\QuickTimeQD3DLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.Resources\ko.lproj\QuickTimeQD3DLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.Resources\nl.lproj\QuickTimeQD3DLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.Resources\no.lproj\QuickTimeQD3DLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.Resources\QuickTimeQD3D.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.Resources\sv.lproj\QuickTimeQD3DLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.Resources\zh_CN.lproj\QuickTimeQD3DLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeQD3D.Resources\zh_TW.lproj\QuickTimeQD3DLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.qtx
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.Resources\da.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.Resources\de.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.Resources\en.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.Resources\es.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.Resources\fi.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.Resources\fr.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.Resources\it.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.Resources\ja.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.Resources\ko.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.Resources\nl.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.Resources\no.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.Resources\QuickTimeStreaming.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.Resources\sv.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.Resources\zh_CN.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.Resources\zh_TW.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.qtx
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.Resources\da.lproj\QuickTimeStreamingAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.Resources\de.lproj\QuickTimeStreamingAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.Resources\en.lproj\QuickTimeStreamingAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.Resources\es.lproj\QuickTimeStreamingAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.Resources\fi.lproj\QuickTimeStreamingAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.Resources\fr.lproj\QuickTimeStreamingAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.Resources\it.lproj\QuickTimeStreamingAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.Resources\ja.lproj\QuickTimeStreamingAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.Resources\ko.lproj\QuickTimeStreamingAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.Resources\nl.lproj\QuickTimeStreamingAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.Resources\no.lproj\QuickTimeStreamingAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.Resources\QuickTimeStreamingAuthoring.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.Resources\sv.lproj\QuickTimeStreamingAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.Resources\zh_CN.lproj\QuickTimeStreamingAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.Resources\zh_TW.lproj\QuickTimeStreamingAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.qtx
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.Resources\da.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.Resources\de.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.Resources\en.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.Resources\es.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.Resources\fi.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.Resources\fr.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.Resources\it.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.Resources\ja.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.Resources\ko.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.Resources\nl.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.Resources\no.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.Resources\QuickTimeStreamingExtras.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.Resources\sv.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.Resources\zh_CN.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.Resources\zh_TW.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeUpdateHelper.exe
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.qtx
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.Resources\da.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.Resources\de.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.Resources\en.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.Resources\es.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.Resources\fi.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.Resources\fr.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.Resources\it.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.Resources\ja.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.Resources\ko.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.Resources\nl.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.Resources\no.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.Resources\QuickTimeVR.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.Resources\sv.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.Resources\zh_CN.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVR.Resources\zh_TW.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.qtx
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\da.lproj\QuickTimeVRAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\de.lproj\QuickTimeVRAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\en.lproj\QuickTimeVRAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\es.lproj\QuickTimeVRAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\fi.lproj\QuickTimeVRAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\fr.lproj\QuickTimeVRAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\it.lproj\QuickTimeVRAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\ja.lproj\QuickTimeVRAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\ko.lproj\QuickTimeVRAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\nl.lproj\QuickTimeVRAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\no.lproj\QuickTimeVRAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\QuickTimeVRAuthoring.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\sv.lproj\QuickTimeVRAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\zh_CN.lproj\QuickTimeVRAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\zh_TW.lproj\QuickTimeVRAuthoringLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.qtx
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\da.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\de.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\en.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\es.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\fi.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\fr.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\it.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\ja.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\ko.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\nl.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\no.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\QuickTimeWebHelper.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\sv.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\zh_CN.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\zh_TW.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\QuickTime\QTUIPanelControl.dll
C:\Program Files\QuickTime\QuickTime Read Me.htm
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Program Files\QuickTime\QuickTimePlayer.Resources\QuickTimePlayer.qtr
C:\Program Files\QuickTime\Sample.mov
C:\Program Files\QuickTime\Sample.qtif
.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.
2008-02-03 00:57 . 2008-02-03 00:57 1,158 --a------ C:\WINXP\mozver.dat
2008-01-28 02:26 . 2008-01-28 12:29 <DIR> d-------- C:\Documents and Settings\Gneco\.housecall6.6
2008-01-28 00:00 . 2008-01-28 11:10 <DIR> d-------- C:\VundoFix Backups
2008-01-25 22:57 . 2008-01-27 11:28 <DIR> d-------- C:\WINXP\system32\SysDriversBak
2008-01-17 16:28 . 2008-01-29 18:39 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-17 16:24 . 2008-01-28 12:35 15,360 --a------ C:\WINXP\system32\ctfmon .exe
2008-01-17 15:43 . 2008-01-26 00:02 <DIR> d-a------ C:\Documents and Settings\All Users.WINXP\Application Data\TEMP
2008-01-17 13:05 . 2008-01-27 22:43 348,160 --a------ C:\WINXP\system32\hphmon04 .exe
2008-01-17 13:05 . 2008-01-17 16:24 153,088 --a------ C:\WINXP\system32\VOBREGCheck .exe
2008-01-11 23:44 . 2008-02-02 23:13 54,156 --ah----- C:\WINXP\QTFont.qfn
2008-01-11 23:44 . 2008-01-11 23:44 1,409 --a------ C:\WINXP\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 23:39 --------- d-----w C:\Program Files\MSN Messenger
2008-01-29 23:39 --------- d-----w C:\Program Files\Citi Virtual Account Numbers
2008-01-28 18:47 --------- d-----w C:\Program Files\Quicken
2008-01-28 05:42 --------- d-----w C:\Program Files\Java
2008-01-26 05:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-26 04:58 --------- d-----w C:\Program Files\ItsDeductibleEX
2008-01-17 17:02 --------- d-----w C:\Program Files\Real
2008-01-17 17:02 --------- d-----w C:\Program Files\QUICKENW
2008-01-12 17:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-11 23:14 --------- d-----w C:\Program Files\Symantec
2008-01-11 23:06 --------- d-----w C:\Documents and Settings\All Users.WINXP\Application Data\Symantec
2007-12-19 22:52 --------- d-----w C:\Documents and Settings\Gneco\Application Data\Snapfish
2007-12-05 00:02 --------- d-----w C:\Program Files\InterActual
.
----a-w 192,512 2008-01-28 17:35:21 C:\Program Files\Citi Virtual Account Numbers\CitiVAN .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:28 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:29 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 218,032 2008-01-28 16:10:30 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 39,264 2008-01-28 17:35:33 C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w 69,632 2008-01-28 17:35:18 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w 132,496 2008-01-28 17:35:24 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,289,000 2008-01-17 21:24:23 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,289,000 2008-01-28 16:10:36 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 5,674,352 2008-01-28 17:35:37 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 866,584 2008-01-28 17:35:28 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 15,360 2008-01-28 17:35:29 C:\WINXP\system32\ctfmon .exe
----a-w 348,160 2008-01-28 03:43:42 C:\WINXP\system32\hphmon04 .exe
----a-w 153,088 2008-01-17 21:24:02 C:\WINXP\system32\VOBREGCheck .exe
----a-w 139,264 2008-01-28 17:35:27 C:\WINXP\system32\spool\drivers\w32x86\3\E_FATIBNA .exe
----a-w 188,416 2008-01-28 03:43:41 C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb07 .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"ctfmon.exe"="C:\WINXP\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" [ ]
"EPSON Stylus Photo R260 Series"="C:\WINXP\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb07.exe" [ ]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [ ]
"HPHmon04"="C:\WINXP\System32\hphmon04.exe" [ ]
"PtiuPbmd"="ptipbm.dll" [2003-05-20 16:56 24576 C:\WINXP\system32\ptipbm.dll]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [ ]
"WD Button Manager"="WDBtnMgr.exe" [2007-06-03 13:01 364544 C:\WINXP\system32\WDBtnMgr.exe]
"UserFaultCheck"="C:\WINXP\system32\dumprep 0 -u" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [ ]

C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2005-12-30 00:01:21 43520]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-08-08 00:28:49 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Giga Pocket Initialize.lnk - C:\Program Files\Sony\Giga Pocket\initovl.exe [2004-08-07 03:42:45 20480]
Giga Pocket Remocon Driver.lnk - C:\Program Files\Sony\Giga Pocket\usbsircs.exe [2004-08-07 03:03:06 94208]
HPAiODevice(hp officejet 7100 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2002-11-23 19:55:48 495682]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-04-02 23:15:37 114688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.exe [2000-01-21 03:15:54 65588]
Timer Recording Manager.lnk - C:\Program Files\Sony\Giga Pocket\ReserveModule.exe [2004-08-07 03:42:45 245760]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINXP\system32\ssqro

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-08 17:03 278528 E:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
R0 si3112;SiI-3112 SATALink Controller;C:\WINXP\system32\drivers\si3112.sys [2004-06-14 21:03]
R1 SonyFanC;FAN Control Device Service;C:\WINXP\system32\Drivers\SonyFanC.sys [2001-12-03 11:53]
R2 AutoUpdate__Cisco;AutoUpdate: Cisco Apps;"C:\Program Files\Common Files\Cisco Systems\AutoUpdate\AutoUpdate.exe" [2004-10-28 11:58]
R2 CvlCdpPacket;Cisco VT Advantage CDP Packet Driver;C:\WINXP\system32\DRIVERS\CdpPacketWdmCvl.sys [2004-10-28 11:59]
R2 V7;V7;C:\WINXP\system32\drivers\V7.sys [2000-03-09 13:24]
R2 WUSB300NSvc;WUSB300NSvc;"C:\Program Files\Linksys\WUSB300N\WLService.exe" "WUSB300N.exe" []
R3 SMBE;Sony MPEG2 Encoder Board (WDM);C:\WINXP\system32\Drivers\SMBE.SYS [2001-09-21 11:16]
S1 ac97intcc;ac97intcc;C:\WINXP\system32\drivers\ac97intcc.sys []
S3 CiscoCam8116;Cisco VT Camera(1);C:\WINXP\system32\DRIVERS\CamDrC21.sys [2004-10-27 17:12]
S3 Cpmt;Cisco Media Termination;C:\WINXP\system32\Drivers\Cpmt.sys [2004-10-28 11:51]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINXP\system32\DRIVERS\wdcsam.sys [2006-09-07 16:16]
.
Contents of the 'Scheduled Tasks' folder
"2008-02-04 00:16:01 C:\WINXP\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 19:29:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Cisco Systems\AutoUpdate\AutoUpdate.exe
C:\Documents and Settings\All Users.WINXP\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.exe
C:\WINXP\System32\nvsvc32.exe
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINXP\system32\WDBtnMgr.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony\Giga Pocket\usbsircs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\WINXP\System32\rundll32.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINXP\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
.
**************************************************************************
.
Completion time: 2008-02-03 19:31:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 00:31:32
ComboFix2.txt 2008-02-02 22:27:31
ComboFix3.txt 2008-01-29 05:06:34
ComboFix4.txt 2008-01-29 23:45:32
.
2008-02-02 21:20:09 --- E O F ---

After running ComboFix, I again tried to uninstall QuickTime and this time it appeared to go a bit further. I received this message:
QuickTime Error
Error 1905.Module C:\Program Files\QuickTime\QTOControl.dll failed to unregister. HRESULT -2147220472. Contact your support personnel.

Then it did say the QuickTime was removed.

Here are the scan results from Kaspersky:
100% - Scan
-----------
Scanned: 569077
Detected: 56
Untreated: 56
Start time: 2/4/2008 12:02:14 AM
Duration: 11:13:54
Finish time: 2/4/2008 3:18:48 AM
Signatures published: 2/3/2008 8:39:35 PM
Detected
--------
Status Object
------ ------
detected: Trojan program Trojan-Spy.HTML.Citifraud.ay Email message body: Main Identity\Local Folders\Inbox\[From:"Customer Support" <support@citibank.com>][Subject:Dear customer your details have been compromised][Time:2004/10/02 00:55:36]/text/plain
detected: Trojan program Backdoor.Win32.Agent.dbm File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\gamadril20071203[1].bac_a02688//CryptFF.b
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\hpgs2wnd.exe.bac_a03240//CryptFF.b
detected: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\inolvwhy.exe.bad.bac_a02688//CryptFF.b
detected: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\kkwpvogk.exe.bad.bac_a02688//CryptFF.b
detected: Trojan program Trojan-Downloader.Win32.Agent.hql File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\mrofinu1000106.exe.bac_a02688//CryptFF.b//PE_Patch.Upolyx//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Downloader.Win32.Agent.hql File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\mrofinu1188.exe.bac_a02688//CryptFF.b//PE_Patch.Upolyx//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\MSASCui.exe.bac_a03240//CryptFF.b
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\RCX29.tmp.bac_a02688//CryptFF.b
detected: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\savhhwct.exe.bad.bac_a02688//CryptFF.b
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\ssqro-disabled.exe.bad.bac_a02688//CryptFF.b
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\ssqro.exe.bac_a02688//CryptFF.b
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\ssqro.exe.bad.bac_a02688//CryptFF.b
detected: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000001F293454D5B8C86D8B.bac_a02688//CryptFF.b
detected: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000006734DBEEEF51F31318.bac_a02688//CryptFF.b
detected: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000006904D090D4B494E14C.bac_a02688//CryptFF.b
detected: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000006CA0C2980B33E243FB.bac_a02688//CryptFF.b
detected: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000006EDFB05C55D29548F3.bac_a02688//CryptFF.b
detected: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP00000071C2FADF58E31658AA.bac_a02688//CryptFF.b
detected: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP000000724E5A055438B00BEA.bac_a02688//CryptFF.b
detected: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP00000073345D3058622FBB58.bac_a02688//CryptFF.b
detected: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000007549430F7583C9AA88.bac_a02688//CryptFF.b
detected: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP00000076EBB840B0CFBDAE22.bac_a02688//CryptFF.b
detected: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP000000770EAAC2A28229D2E3.bac_a02688//CryptFF.b
detected: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000007841AD08A4D4A4250C.bac_a02688//CryptFF.b
detected: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000007B4E0FAF71598D915F.bac_a02688//CryptFF.b
detected: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000009EE4FF6A397229CDFA.bac_a02688//CryptFF.b
detected: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\uyfetsbn.exe.bad.bac_a02688//CryptFF.b
detected: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\vpaaxlys.exe.bad.bac_a02688//CryptFF.b
detected: Trojan program Trojan-Clicker.HTML.IFrame.dn File: C:\Program Files\Real\progyca.html
detected: adware not-a-virus:AdWare.Win32.Virtumonde.dyx File: C:\QooBox\Quarantine\catchme2008-01-29_184204.87.zip/ssqro.dll
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Citi Virtual Account Numbers\CitiVAN.exe.vir
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe.vir
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe.vir
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe.vir
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Common Files\Microsoft Shared\DW\dwtrig20.exe.vir
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe.vir
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Java\jre1.6.0_03\bin\jusched.exe.vir
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\MSN Messenger\msnmsgr.exe.vir
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Windows Defender\MSASCui.exe.vir
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\WINXP\system32\ctfmon.exe.tmp.vir
detected: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\QooBox\Quarantine\C\WINXP\system32\inolvwhy.exe.vir
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\WINXP\system32\ssqro.exe.vir
detected: adware not-a-virus:AdWare.Win32.Virtumonde.ebw File: C:\QooBox\Quarantine\C\WINXP\system32\tjtiqveo.dll.vir
detected: Trojan program Trojan-Downloader.Win32.VB.ceh File: C:\QooBox\Quarantine\C\WINXP\system32\edcA18\edcA182328.exe.vir
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\WINXP\system32\spool\drivers\w32x86\3\E_FATIBNA.exe.vir
detected: adware not-a-virus:AdWare.Win32.Virtumonde.eby File: C:\VundoFix Backups\bvnrcdjd.dll.bad
detected: adware not-a-virus:AdWare.Win32.Virtumonde.edw File: C:\VundoFix Backups\ewmkdxis.dll.bad
detected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\VundoFix Backups\hptqkxxc.dll.bad
detected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\VundoFix Backups\psxnraaf.dll.bad
detected: adware not-a-virus:AdWare.Win32.Virtumonde.dyx File: C:\VundoFix Backups\ssqro.dll.bad
detected: Trojan program Rootkit.Win32.Agent.to File: C:\WINXP\system32\SysDriversBak\ac97intcc.sys
detected: malware Exploit.HTML.Iframe.FileDownload (modification) File: E:\My Documents\400Archive\My Documents\Backup\SOAR\20030609\TEMP\01567562.TMP
Events
------
Time Name Status Reason
---- ---- ------ ------
Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
--------------- ---------
Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology Yes
Enable iSwift technology Yes
Record information about dangerous objects to program statistics Yes

I selected the "Neutralize" option on Kaspersky. This is the log that it produced after the Neutralization....
not found: Trojan program Trojan-Spy.HTML.Citifraud.ay Email message body: Main Identity\Local Folders\Inbox\[From:"Customer Support" <support@citibank.com>][Subject:Dear customer your details have been compromised][Time:2004/10/02 00:55:36]/text/plain
deleted: Trojan program Backdoor.Win32.Agent.dbm File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\gamadril20071203[1].bac_a02688//CryptFF.b
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\hpgs2wnd.exe.bac_a03240//CryptFF.b
deleted: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\inolvwhy.exe.bad.bac_a02688//CryptFF.b
deleted: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\kkwpvogk.exe.bad.bac_a02688//CryptFF.b
deleted: Trojan program Trojan-Downloader.Win32.Agent.hql File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\mrofinu1000106.exe.bac_a02688//CryptFF.b//PE_Patch.Upolyx//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Downloader.Win32.Agent.hql File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\mrofinu1188.exe.bac_a02688//CryptFF.b//PE_Patch.Upolyx//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\MSASCui.exe.bac_a03240//CryptFF.b
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\RCX29.tmp.bac_a02688//CryptFF.b
deleted: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\savhhwct.exe.bad.bac_a02688//CryptFF.b
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\ssqro-disabled.exe.bad.bac_a02688//CryptFF.b
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\ssqro.exe.bac_a02688//CryptFF.b
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\ssqro.exe.bad.bac_a02688//CryptFF.b
deleted: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000001F293454D5B8C86D8B.bac_a02688//CryptFF.b
deleted: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000006734DBEEEF51F31318.bac_a02688//CryptFF.b
deleted: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000006904D090D4B494E14C.bac_a02688//CryptFF.b
deleted: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000006CA0C2980B33E243FB.bac_a02688//CryptFF.b
deleted: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000006EDFB05C55D29548F3.bac_a02688//CryptFF.b
deleted: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP00000071C2FADF58E31658AA.bac_a02688//CryptFF.b
deleted: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP000000724E5A055438B00BEA.bac_a02688//CryptFF.b
deleted: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP00000073345D3058622FBB58.bac_a02688//CryptFF.b
deleted: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000007549430F7583C9AA88.bac_a02688//CryptFF.b
deleted: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP00000076EBB840B0CFBDAE22.bac_a02688//CryptFF.b
deleted: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP000000770EAAC2A28229D2E3.bac_a02688//CryptFF.b
deleted: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000007841AD08A4D4A4250C.bac_a02688//CryptFF.b
deleted: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000007B4E0FAF71598D915F.bac_a02688//CryptFF.b
deleted: Trojan program Trojan.Win32.Zapchast.dt File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\TMP0000009EE4FF6A397229CDFA.bac_a02688//CryptFF.b
deleted: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\uyfetsbn.exe.bad.bac_a02688//CryptFF.b
deleted: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\Documents and Settings\Gneco\.housecall6.6\Quarantine\vpaaxlys.exe.bad.bac_a02688//CryptFF.b
deleted: Trojan program Trojan-Clicker.HTML.IFrame.dn File: C:\Program Files\Real\progyca.html
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.dyx File: C:\QooBox\Quarantine\catchme2008-01-29_184204.87.zip/ssqro.dll
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Citi Virtual Account Numbers\CitiVAN.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Common Files\Microsoft Shared\DW\dwtrig20.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Java\jre1.6.0_03\bin\jusched.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\MSN Messenger\msnmsgr.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Windows Defender\MSASCui.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\WINXP\system32\ctfmon.exe.tmp.vir
deleted: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\QooBox\Quarantine\C\WINXP\system32\inolvwhy.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\WINXP\system32\ssqro.exe.vir
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.ebw File: C:\QooBox\Quarantine\C\WINXP\system32\tjtiqveo.dll.vir
deleted: Trojan program Trojan-Downloader.Win32.VB.ceh File: C:\QooBox\Quarantine\C\WINXP\system32\edcA18\edcA182328.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\WINXP\system32\spool\drivers\w32x86\3\E_FATIBNA.exe.vir
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.eby File: C:\VundoFix Backups\bvnrcdjd.dll.bad
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.edw File: C:\VundoFix Backups\ewmkdxis.dll.bad
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\VundoFix Backups\hptqkxxc.dll.bad
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\VundoFix Backups\psxnraaf.dll.bad
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.dyx File: C:\VundoFix Backups\ssqro.dll.bad
deleted: Trojan program Rootkit.Win32.Agent.to File: C:\WINXP\system32\SysDriversBak\ac97intcc.sys
disinfected: malware Exploit.HTML.Iframe.FileDownload (modification) File: E:\My Documents\400Archive\My Documents\Backup\SOAR\20030609\TEMP\01567562.TMP
quarantined: malware Exploit.HTML.Iframe.FileDownload (modification) Email message body: e:\my documents\400archive\my documents\backup\soar\20030609\temp\01567562.tmp/text/html

Do you have an antivirus installed on the computer? If not, you can download it at this link:
AVG Free Antivirus
You need to have an antivirus installed before we continue.
Navigate to and delete the contents of the following folder, but not the folder itself:
C:\Documents and Settings\Gneco\.housecall6.6\Quarantine
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RenV::
----a-w 192,512 2008-01-28 17:35:21 C:\Program Files\Citi Virtual Account Numbers\CitiVAN .exe
----a-w 39,264 2008-01-28 17:35:33 C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w 69,632 2008-01-28 17:35:18 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w 132,496 2008-01-28 17:35:24 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,289,000 2008-01-17 21:24:23 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,289,000 2008-01-28 16:10:36 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 5,674,352 2008-01-28 17:35:37 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 866,584 2008-01-28 17:35:28 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 15,360 2008-01-28 17:35:29 C:\WINXP\system32\ctfmon .exe
----a-w 348,160 2008-01-28 03:43:42 C:\WINXP\system32\hphmon04 .exe
----a-w 153,088 2008-01-17 21:24:02 C:\WINXP\system32\VOBREGCheck .exe
----a-w 139,264 2008-01-28 17:35:27 C:\WINXP\system32\spool\drivers\w32x86\3\E_FATIBNA .exe
----a-w 188,416 2008-01-28 03:43:41 C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb07 .exe
File::
C:\WINXP\system32\SysDriversBak\ac97intcc.sys
C:\Program Files\Real\progyca.html
Driver::
ac97intcc
Folder::
C:\Program Files\Common Files\InstallShield
e:\my documents\400archive\my documents\backup\soar\20030609\temp
C:\VundoFix Backups
C:\Qoobox
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start, click "run".
Post a new ComboFix log.

ComboFix 08-01-29.2 - Gneco 2008-02-06 0:14:56.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.426 [GMT -5:00]
Running from: C:\Documents and Settings\Gneco\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gneco\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\Program Files\Real\progyca.html
C:\WINXP\system32\SysDriversBak\ac97intcc.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\InstallShield
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\_ISRES1033.dll
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\ID
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriver.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriver2.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\iGdiCnv.dll
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IScrCnv.dll
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\ISRT.dll
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IUserCnv.dll
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\objpscnv.dll
C:\Program Files\Common Files\InstallShield\Driver\7\Intel 32\_ISRES1033.dll
C:\Program Files\Common Files\InstallShield\Driver\7\Intel 32\IDriver.exe
C:\Program Files\Common Files\InstallShield\Driver\7\Intel 32\IScript7.dll
C:\Program Files\Common Files\InstallShield\Driver\7\Intel 32\ISRT.dll
C:\Program Files\Common Files\InstallShield\Driver\7\Intel 32\IUser7.dll
C:\Program Files\Common Files\InstallShield\Driver\7\Intel 32\objps7.dll
C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\_ISRES1033.dll
C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver2.exe
C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IScript8.dll
C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\ISRT.dll
C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IUser8.dll
C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\objps8.dll
C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\_ISRES1033.dll
C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\ID
C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\IDriver.exe
C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\IDriver2.exe
C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\iGdiCnv.dll
C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\IScrCnv.dll
C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\ISRT.dll
C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\IUserCnv.dll
C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\objpscnv.dll
C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini
C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\ILog.dll
C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
C:\Program Files\Common Files\InstallShield\IScript\iscript.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\ctor.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\DotNetInstaller.exe
C:\Program Files\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iGdi.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iKernel.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iscript.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iuser.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\Setup.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\ctor.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe
C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iGdi.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iKernel.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iscript.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iuser.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\setup.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
C:\Program Files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
C:\Program Files\Common Files\InstallShield\Professional\RunTime\iKernel.rgs
C:\Program Files\Common Files\InstallShield\Professional\RunTime\IsProBE.tlb
C:\Program Files\Common Files\InstallShield\Professional\RunTime\Objectps.dll
C:\Program Files\Common Files\InstallShield\UpdateService\_ispmres.dll
C:\Program Files\Common Files\InstallShield\UpdateService\_isusres.dll
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISDM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Qoobox
C:\Qoobox\BackEnv\appdata.folder.dat
C:\Qoobox\BackEnv\cache.folder.dat
C:\Qoobox\BackEnv\desktop.folder.dat
C:\Qoobox\BackEnv\favorites.folder.dat
C:\Qoobox\BackEnv\local appdata.folder.dat
C:\Qoobox\BackEnv\local settings.folder.dat
C:\Qoobox\BackEnv\my pictures.folder.dat
C:\Qoobox\BackEnv\personal.folder.dat
C:\Qoobox\BackEnv\profiles.folder.dat
C:\Qoobox\BackEnv\programs.folder.dat
C:\Qoobox\BackEnv\setpath.bat
C:\Qoobox\BackEnv\setpath.dat
C:\Qoobox\BackEnv\start menu.folder.dat
C:\Qoobox\BackEnv\startup.folder.dat
C:\Qoobox\BackEnv\templates.folder.dat
C:\Qoobox\CFScript_used_2008-01-28@23.58.txt
C:\Qoobox\CFScript_used_2008-02-02@17.17.txt
C:\Qoobox\CFScript_used_2008-02-03@19.19.txt
C:\Qoobox\CFScript_used_2008-02-06@0.14.txt
C:\Qoobox\ComboFix-quarantined-files.txt
C:\Qoobox\ComboFix2.txt
C:\Qoobox\ComboFix3.txt
C:\Qoobox\ComboFix4.txt
C:\Qoobox\ComboFix5.txt
C:\Qoobox\snapshot@2008-01-29_ 0.06.16.37.dat
C:\Qoobox\snapshot@2008-01-29_ 0.06.16.37_B.dat
C:\Qoobox\snapshot@2008-01-29_18.45.14.67.dat
C:\Qoobox\snapshot@2008-01-29_18.45.14.67_B.dat
C:\Qoobox\snapshot@2008-02-02_17.27.12.76.dat
C:\Qoobox\snapshot@2008-02-02_17.27.12.76_B.dat
C:\Qoobox\snapshot@2008-02-03_19.31.15.89.dat
C:\Qoobox\snapshot@2008-02-03_19.31.15.89_B.dat
C:\VundoFix Backups
C:\VundoFix Backups\djdcrnvb.ini.bad
C:\VundoFix Backups\hphmon04.exe.bad
C:\VundoFix Backups\hpztsb07.exe.bad
C:\VundoFix Backups\orqss.ini.bad
C:\VundoFix Backups\orqss.ini2.bad
C:\VundoFix Backups\rjexkskg.ini.bad
C:\VundoFix Backups\sixdkmwe.ini.bad
C:\VundoFix Backups\VOBREGCheck.exe.bad
C:\WINXP\system32\drivers\core.cache.dsk
e:\my documents\400archive\my documents\backup\soar\20030609\temp
e:\my documents\400archive\my documents\backup\soar\20030609\temp\TOOLTAX.TXT
e:\my documents\400archive\my documents\backup\soar\20030609\temp\TOOLTAX.xls
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_AC97INTCC
-------\ac97intcc
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.
2008-02-05 22:53 . 2008-02-05 22:53 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-02-05 22:52 . 2008-02-05 23:42 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-02-05 22:51 . 2008-02-05 23:20 123,952 --a------ C:\WINXP\system32\drivers\SYMEVENT.SYS
2008-02-05 22:51 . 2008-02-05 23:20 60,800 --a------ C:\WINXP\system32\S32EVNT1.DLL
2008-02-05 22:51 . 2008-02-05 23:20 10,740 --a------ C:\WINXP\system32\drivers\SYMEVENT.CAT
2008-02-05 22:51 . 2008-02-05 23:20 805 --a------ C:\WINXP\system32\drivers\SYMEVENT.INF
2008-02-05 21:43 . 2005-02-02 01:21 14,408 --a------ C:\WINXP\system32\drivers\gearaspiwdm.sys
2008-02-05 19:22 . 2008-02-05 19:22 <DIR> d-------- C:\DVRA04
2008-02-05 17:47 . 2008-02-05 17:47 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-02-05 17:47 . 2008-02-05 17:47 <DIR> d-------- C:\Documents and Settings\All Users.WINXP\Application Data\PC Drivers HeadQuarters
2008-02-03 23:49 . 2008-02-06 00:26 7,090,976 --ahs---- C:\WINXP\system32\drivers\fidbox.dat
2008-02-03 23:49 . 2008-02-06 00:26 104,396 --ahs---- C:\WINXP\system32\drivers\fidbox.idx
2008-02-03 23:49 . 2008-02-06 00:26 35,872 --ahs---- C:\WINXP\system32\drivers\fidbox2.dat
2008-02-03 23:49 . 2008-02-06 00:26 6,524 --ahs---- C:\WINXP\system32\drivers\fidbox2.idx
2008-02-03 23:47 . 2008-02-03 23:47 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-03 23:47 . 2008-02-05 23:44 <DIR> d-------- C:\Documents and Settings\All Users.WINXP\Application Data\Kaspersky Lab
2008-02-03 23:46 . 2008-02-03 23:46 <DIR> d-------- C:\KAV
2008-02-03 00:57 . 2008-02-03 00:57 1,158 --a------ C:\WINXP\mozver.dat
2008-01-28 02:26 . 2008-01-28 12:29 <DIR> d-------- C:\Documents and Settings\Gneco\.housecall6.6
2008-01-25 22:57 . 2008-02-05 21:58 <DIR> d-------- C:\WINXP\system32\SysDriversBak
2008-01-17 16:28 . 2008-01-29 18:39 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-17 16:24 . 2008-01-28 12:35 15,360 --a------ C:\WINXP\system32\ctfmon .exe
2008-01-17 15:43 . 2008-01-26 00:02 <DIR> d-a------ C:\Documents and Settings\All Users.WINXP\Application Data\TEMP
2008-01-17 13:05 . 2008-01-27 22:43 348,160 --a------ C:\WINXP\system32\hphmon04 .exe
2008-01-17 13:05 . 2008-01-17 16:24 153,088 --a------ C:\WINXP\system32\VOBREGCheck .exe
2008-01-11 23:44 . 2008-02-02 23:13 54,156 --ah----- C:\WINXP\QTFont.qfn
2008-01-11 23:44 . 2008-01-11 23:44 1,409 --a------ C:\WINXP\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 05:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-06 04:20 --------- d-----w C:\Program Files\Symantec
2008-02-06 04:20 --------- d-----w C:\Documents and Settings\All Users.WINXP\Application Data\Symantec
2008-02-06 03:55 --------- d-----w C:\Documents and Settings\Gneco\Application Data\Symantec
2008-02-05 22:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-04 22:23 --------- d-----w C:\Program Files\Real
2008-01-29 23:39 --------- d-----w C:\Program Files\MSN Messenger
2008-01-29 23:39 --------- d-----w C:\Program Files\Citi Virtual Account Numbers
2008-01-28 18:47 --------- d-----w C:\Program Files\Quicken
2008-01-28 05:42 --------- d-----w C:\Program Files\Java
2008-01-26 05:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-26 04:58 --------- d-----w C:\Program Files\ItsDeductibleEX
2008-01-17 17:02 --------- d-----w C:\Program Files\QUICKENW
2008-01-15 14:54 10,537 ----a-w C:\WINXP\system32\drivers\coh_mon.cat
2008-01-15 10:28 706 ----a-w C:\WINXP\system32\drivers\COH_Mon.inf
2008-01-12 23:32 23,904 ----a-w C:\WINXP\system32\drivers\COH_Mon.sys
2007-12-19 22:52 --------- d-----w C:\Documents and Settings\Gneco\Application Data\Snapfish
.
----a-w 192,512 2008-01-28 17:35:21 C:\Program Files\Citi Virtual Account Numbers\CitiVAN .exe
----a-w 39,264 2008-01-28 17:35:33 C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w 69,632 2008-01-28 17:35:18 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w 132,496 2008-01-28 17:35:24 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,289,000 2008-01-17 21:24:23 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,289,000 2008-01-28 16:10:36 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 5,674,352 2008-01-28 17:35:37 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 866,584 2008-01-28 17:35:28 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 15,360 2008-01-28 17:35:29 C:\WINXP\system32\ctfmon .exe
----a-w 348,160 2008-01-28 03:43:42 C:\WINXP\system32\hphmon04 .exe
----a-w 153,088 2008-01-17 21:24:02 C:\WINXP\system32\VOBREGCheck .exe
----a-w 139,264 2008-01-28 17:35:27 C:\WINXP\system32\spool\drivers\w32x86\3\E_FATIBNA .exe
----a-w 188,416 2008-01-28 03:43:41 C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb07 .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 22:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-05 23:19 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4C37-AA9D-10AC9BABA46C}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 22:51 316784]
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" [ ]
"EPSON Stylus Photo R260 Series"="C:\WINXP\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.exe" [ ]
"ctfmon.exe"="C:\WINXP\system32\ctfmon.exe" [2004-08-04 02:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 13:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 23:53 714608]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
"WD Button Manager"="WDBtnMgr.exe" [2007-06-03 13:01 364544 C:\WINXP\system32\WDBtnMgr.exe]
"UserFaultCheck"="C:\WINXP\system32\dumprep 0 -u" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"PtiuPbmd"="ptipbm.dll" [2003-05-20 16:56 24576 C:\WINXP\system32\ptipbm.dll]
"NvCplDaemon"="NvQTwk" []
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2006-02-08 17:03 278528]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [ ]
"HPHmon04"="C:\WINXP\System32\hphmon04.exe" [ ]
"HPDJ Taskbar Utility"="C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb07.exe" [ ]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [ ]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [ ]
C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2005-12-30 00:01:21 43520]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-08-08 00:28:49 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Giga Pocket Initialize.lnk - C:\Program Files\Sony\Giga Pocket\initovl.exe [2004-08-07 03:42:45 20480]
Giga Pocket Remocon Driver.lnk - C:\Program Files\Sony\Giga Pocket\usbsircs.exe [2004-08-07 03:03:06 94208]
HPAiODevice(hp officejet 7100 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2002-11-23 19:55:48 495682]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-04-02 23:15:37 114688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.exe [2000-01-21 03:15:54 65588]
Timer Recording Manager.lnk - C:\Program Files\Sony\Giga Pocket\ReserveModule.exe [2004-08-07 03:42:45 245760]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINXP\system32\ssqro
R0 si3112;SiI-3112 SATALink Controller;C:\WINXP\system32\drivers\si3112.sys [2004-06-14 21:03]
R1 SonyFanC;FAN Control Device Service;C:\WINXP\system32\Drivers\SonyFanC.sys [2001-12-03 11:53]
R2 AutoUpdate__Cisco;AutoUpdate: Cisco Apps;"C:\Program Files\Common Files\Cisco Systems\AutoUpdate\AutoUpdate.exe" [2004-10-28 11:58]
R2 CvlCdpPacket;Cisco VT Advantage CDP Packet Driver;C:\WINXP\system32\DRIVERS\CdpPacketWdmCvl.sys [2004-10-28 11:59]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2008-01-31 13:15]
R2 V7;V7;C:\WINXP\system32\drivers\V7.sys [2000-03-09 13:24]
R2 WUSB300NSvc;WUSB300NSvc;"C:\Program Files\Linksys\WUSB300N\WLService.exe" "WUSB300N.exe" []
R3 SMBE;Sony MPEG2 Encoder Board (WDM);C:\WINXP\system32\Drivers\SMBE.SYS [2001-09-21 11:16]
R3 SymIMMP;SymIMMP;C:\WINXP\system32\DRIVERS\SymIM.sys [2007-08-09 19:27]
S3 CiscoCam8116;Cisco VT Camera(1);C:\WINXP\system32\DRIVERS\CamDrC21.sys [2004-10-27 17:12]
S3 COH_Mon;COH_Mon;C:\WINXP\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 Cpmt;Cisco Media Termination;C:\WINXP\system32\Drivers\Cpmt.sys [2004-10-28 11:51]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINXP\system32\DRIVERS\SymIM.sys [2007-08-09 19:27]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINXP\system32\DRIVERS\wdcsam.sys [2006-09-07 16:16]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 05:30:25 C:\WINXP\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-06 03:59:36 C:\WINXP\Tasks\Norton Internet Security - Run Full System Scan - Gneco.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exen/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 00:28:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Cisco Systems\AutoUpdate\AutoUpdate.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Documents and Settings\All Users.WINXP\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.exe
C:\WINXP\System32\nvsvc32.exe
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\WINXP\system32\WDBtnMgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony\Giga Pocket\usbsircs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINXP\system32\hpoipm07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
.
**************************************************************************
.
Completion time: 2008-02-06 0:32:30 - machine was rebooted
.
2008-02-05 21:12:01 --- E O F ---

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RenV::
----a-w 192,512 2008-01-28 17:35:21 C:\Program Files\Citi Virtual Account Numbers\CitiVAN .exe
----a-w 39,264 2008-01-28 17:35:33 C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w 69,632 2008-01-28 17:35:18 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w 132,496 2008-01-28 17:35:24 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,289,000 2008-01-17 21:24:23 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,289,000 2008-01-28 16:10:36 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 5,674,352 2008-01-28 17:35:37 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 866,584 2008-01-28 17:35:28 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 15,360 2008-01-28 17:35:29 C:\WINXP\system32\ctfmon .exe
----a-w 348,160 2008-01-28 03:43:42 C:\WINXP\system32\hphmon04 .exe
----a-w 153,088 2008-01-17 21:24:02 C:\WINXP\system32\VOBREGCheck .exe
----a-w 139,264 2008-01-28 17:35:27 C:\WINXP\system32\spool\drivers\w32x86\3\E_FATIBNA .exe
----a-w 188,416 2008-01-28 03:43:41 C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb07 .exe
File::
C:\WINXP\system32\ptipbm.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PtiuPbmd"=-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start, click "run".
Post a new ComboFix log.
Please run a new Kaspersky scan and post its log.
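
The log above lists executables whose name has a space before `.exe`, and the script hands the same lines to `RenV::`. As an added illustration (not part of the original posts and not ComboFix's own logic), this Python example pairs each such file with the `Run` entry that names the same path without the space; the function names are hypothetical and the sample is an excerpt of lines quoted in the thread.

```python
import re
from ntpath import normcase  # Windows path comparison rules, usable on any OS

# Excerpt of lines quoted in the thread: four file-listing lines, four Run entries.
SAMPLE_LOG = r'''
----a-w 192,512 2008-01-28 17:35:21 C:\Program Files\Citi Virtual Account Numbers\CitiVAN .exe
----a-w 15,360 2008-01-28 17:35:29 C:\WINXP\system32\ctfmon .exe
----a-w 348,160 2008-01-28 03:43:42 C:\WINXP\system32\hphmon04 .exe
----a-w 153,088 2008-01-17 21:24:02 C:\WINXP\system32\VOBREGCheck .exe
"ctfmon.exe"="C:\WINXP\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"HPHmon04"="C:\WINXP\System32\hphmon04.exe" [ ]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 13:15 51048]
'''

# attributes, size, date time, path  (the "----a-w 192,512 ..." listing lines)
FILE_RE = re.compile(
    r'^[-a-z]{7}\s+(?P<size>[\d,]+)\s+'
    r'(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+)$')
# "name"="command" [file info]  (the autostart lines under a Run key)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')
# a path whose extension is separated from the stem by whitespace
SPACED_RE = re.compile(r'^(?P<stem>.*\S)\s+(?P<ext>\.[A-Za-z0-9]{1,4})$')


def parse_spaced_files(log):
    """Return listing entries whose file name has whitespace before the extension."""
    records = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        spaced = SPACED_RE.match(m["path"])
        if not spaced:
            continue
        records.append({
            "path": m["path"],
            "original": spaced["stem"] + spaced["ext"],  # same path, space removed
            "size": int(m["size"].replace(",", "")),
            "stamp": m["stamp"],
        })
    return records


def parse_run_entries(log):
    """Return the "name"="command" [info] autostart lines."""
    entries = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append({
                "name": m["name"],
                "command": m["cmd"],
                # an empty "[ ]" means the log printed no date/size for the target
                "has_file_info": bool(m["info"].strip()),
            })
    return entries


def correlate(log):
    """Pair Run entries with spaced-name files; also return the unpaired files."""
    by_original = {normcase(r["original"]): r for r in parse_spaced_files(log)}
    matched, seen = [], set()
    for entry in parse_run_entries(log):
        key = normcase(entry["command"])
        rec = by_original.get(key)
        if rec is None:
            continue
        seen.add(key)
        matched.append({
            "run_name": entry["name"],
            "command": entry["command"],
            "renamed_copy": rec["path"],
            "size": rec["size"],
            "has_file_info": entry["has_file_info"],
        })
    orphans = [r["path"] for k, r in by_original.items() if k not in seen]
    return matched, orphans


if __name__ == "__main__":
    matched, orphans = correlate(SAMPLE_LOG)
    for m in matched:
        note = "file info present" if m["has_file_info"] else "no file info in log"
        print(f'{m["run_name"]}: {m["command"]} <-> {m["renamed_copy"]} ({note})')
    for path in orphans:
        print(f"no Run entry for: {path}")
```
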

Here is the ComboFix Log, will post the Kaspersky log shortly.....1
ComboFix 08-01-29.2 - Gneco 2008-02-07 18:28:58.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447 [GMT -5:00]
Running from: C:\Documents and Settings\Gneco\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gneco\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINXP\system32\ptipbm.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.
2008-02-07 00:20 . 2008-02-07 00:20 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Avanquest
2008-02-07 00:02 . 2008-02-07 00:02 <DIR> d-------- C:\Documents and Settings\All Users.WINXP\Application Data\BVRP Software
2008-02-06 23:59 . 2008-02-06 23:59 <DIR> dr-hs---- C:\_Backup.RC
2008-02-06 23:59 . 2008-02-07 17:38 <DIR> d--h----- C:\_Backup
2008-02-06 23:58 . 2008-02-06 23:58 <DIR> d-------- C:\Documents and Settings\Gneco\Application Data\Avanquest
2008-02-06 23:50 . 2008-02-06 23:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-05 22:53 . 2008-02-05 22:53 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-02-05 22:52 . 2008-02-05 23:42 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-02-05 22:51 . 2008-02-05 23:20 123,952 --a------ C:\WINXP\system32\drivers\SYMEVENT.SYS
2008-02-05 22:51 . 2008-02-05 23:20 60,800 --a------ C:\WINXP\system32\S32EVNT1.DLL
2008-02-05 22:51 . 2008-02-05 23:20 10,740 --a------ C:\WINXP\system32\drivers\SYMEVENT.CAT
2008-02-05 22:51 . 2008-02-05 23:20 805 --a------ C:\WINXP\system32\drivers\SYMEVENT.INF
2008-02-05 21:43 . 2005-02-02 01:21 14,408 --a------ C:\WINXP\system32\drivers\gearaspiwdm.sys
2008-02-05 19:22 . 2008-02-05 19:22 <DIR> d-------- C:\DVRA04
2008-02-05 17:47 . 2008-02-05 17:47 <DIR> d-------- C:\Documents and Settings\All Users.WINXP\Application Data\PC Drivers HeadQuarters
2008-02-03 23:49 . 2008-02-06 22:22 7,354,400 --ahs---- C:\WINXP\system32\drivers\fidbox.dat
2008-02-03 23:49 . 2008-02-06 22:22 107,924 --ahs---- C:\WINXP\system32\drivers\fidbox.idx
2008-02-03 23:49 . 2008-02-06 22:22 61,472 --ahs---- C:\WINXP\system32\drivers\fidbox2.dat
2008-02-03 23:49 . 2008-02-06 22:22 9,968 --ahs---- C:\WINXP\system32\drivers\fidbox2.idx
2008-02-03 23:46 . 2008-02-03 23:46 <DIR> d-------- C:\KAV
2008-02-03 00:57 . 2008-02-03 00:57 1,158 --a------ C:\WINXP\mozver.dat
2008-01-28 02:26 . 2008-01-28 12:29 <DIR> d-------- C:\Documents and Settings\Gneco\.housecall6.6
2008-01-25 22:57 . 2008-02-05 21:58 <DIR> d-------- C:\WINXP\system32\SysDriversBak
2008-01-17 16:24 . 2008-01-28 12:35 15,360 --a--c--- C:\WINXP\system32\dllcache\ctfmon.exe
2008-01-17 16:24 . 2008-01-28 12:35 15,360 --a------ C:\WINXP\system32\ctfmon.exe
2008-01-17 15:43 . 2008-01-26 00:02 <DIR> d-a------ C:\Documents and Settings\All Users.WINXP\Application Data\TEMP
2008-01-17 13:05 . 2008-01-27 22:43 348,160 --a------ C:\WINXP\system32\hphmon04.exe
2008-01-17 13:05 . 2008-01-17 16:24 153,088 --a------ C:\WINXP\system32\VOBREGCheck.exe
2008-01-11 23:44 . 2008-02-02 23:13 54,156 --ah----- C:\WINXP\QTFont.qfn
2008-01-11 23:44 . 2008-01-11 23:44 1,409 --a------ C:\WINXP\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 22:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-07 21:41 --------- d-----w C:\Documents and Settings\All Users.WINXP\Application Data\Symantec
2008-02-07 03:54 --------- d-----w C:\Program Files\MSN Messenger
2008-02-07 03:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-07 03:54 --------- d-----w C:\Program Files\Citi Virtual Account Numbers
2008-02-07 03:33 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-06 04:20 --------- d-----w C:\Program Files\Symantec
2008-02-06 03:55 --------- d-----w C:\Documents and Settings\Gneco\Application Data\Symantec
2008-02-05 22:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-04 22:23 --------- d-----w C:\Program Files\Real
2008-01-28 18:47 --------- d-----w C:\Program Files\Quicken
2008-01-28 05:42 --------- d-----w C:\Program Files\Java
2008-01-26 04:58 --------- d-----w C:\Program Files\ItsDeductibleEX
2008-01-17 17:02 --------- d-----w C:\Program Files\QUICKENW
2008-01-15 14:54 10,537 ----a-w C:\WINXP\system32\drivers\coh_mon.cat
2008-01-15 10:28 706 ----a-w C:\WINXP\system32\drivers\COH_Mon.inf
2008-01-12 23:32 23,904 ----a-w C:\WINXP\system32\drivers\COH_Mon.sys
2007-12-19 22:52 --------- d-----w C:\Documents and Settings\Gneco\Application Data\Snapfish
.
----a-w 1,289,000 2008-01-17 21:24:23 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 22:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-05 23:19 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4C37-AA9D-10AC9BABA46C}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 22:51 316784]
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2008-01-28 12:35 5674352]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" [ ]
"EPSON Stylus Photo R260 Series"="C:\WINXP\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.exe" [2008-01-28 12:35 139264]
"ctfmon.exe"="C:\WINXP\system32\ctfmon.exe" [2008-01-28 12:35 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 13:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 23:53 714608]
"WD Button Manager"="WDBtnMgr.exe" [2007-06-03 13:01 364544 C:\WINXP\system32\WDBtnMgr.exe]
"UserFaultCheck"="C:\WINXP\system32\dumprep 0 -u" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-28 12:35 132496]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2008-01-28 12:35 69632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"NvCplDaemon"="NvQTwk" []
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2006-02-08 17:03 278528]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [ ]
"HPHmon04"="C:\WINXP\System32\hphmon04.exe" [2008-01-27 22:43 348160]
"HPDJ Taskbar Utility"="C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2008-01-27 22:43 188416]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [2008-01-28 12:35 192512]
"VirusScannerPro"="D:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe" [2007-09-01 06:58 173312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-01-28 12:35 39264]
C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2005-12-30 00:01:21 43520]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-08-08 00:28:49 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Giga Pocket Initialize.lnk - C:\Program Files\Sony\Giga Pocket\initovl.exe [2004-08-07 03:42:45 20480]
Giga Pocket Remocon Driver.lnk - C:\Program Files\Sony\Giga Pocket\usbsircs.exe [2004-08-07 03:03:06 94208]
HPAiODevice(hp officejet 7100 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2002-11-23 19:55:48 495682]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-04-02 23:15:37 114688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.exe [2000-01-21 03:15:54 65588]
Timer Recording Manager.lnk - C:\Program Files\Sony\Giga Pocket\ReserveModule.exe [2004-08-07 03:42:45 245760]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINXP\system32\ssqro
R0 si3112;SiI-3112 SATALink Controller;C:\WINXP\system32\drivers\si3112.sys [2004-06-14 21:03]
R1 SonyFanC;FAN Control Device Service;C:\WINXP\system32\Drivers\SonyFanC.sys [2001-12-03 11:53]
R2 AutoUpdate__Cisco;AutoUpdate: Cisco Apps;"C:\Program Files\Common Files\Cisco Systems\AutoUpdate\AutoUpdate.exe" [2004-10-28 11:58]
R2 CvlCdpPacket;Cisco VT Advantage CDP Packet Driver;C:\WINXP\system32\DRIVERS\CdpPacketWdmCvl.sys [2004-10-28 11:59]
R2 Fix-It Task Manager;Fix-It Task Manager;D:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe [2007-09-01 06:58]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2008-01-31 13:15]
R2 V7;V7;C:\WINXP\system32\drivers\V7.sys [2000-03-09 13:24]
R2 WUSB300NSvc;WUSB300NSvc;"C:\Program Files\Linksys\WUSB300N\WLService.exe" "WUSB300N.exe" []
R3 MailScan;MailScan;D:\PROGRA~1\AVANQU~1\Fix-It\MailScan.sys [2007-09-01 06:58]
R3 SMBE;Sony MPEG2 Encoder Board (WDM);C:\WINXP\system32\Drivers\SMBE.SYS [2001-09-21 11:16]
R3 SymIMMP;SymIMMP;C:\WINXP\system32\DRIVERS\SymIM.sys [2007-08-09 19:27]
S3 CiscoCam8116;Cisco VT Camera(1);C:\WINXP\system32\DRIVERS\CamDrC21.sys [2004-10-27 17:12]
S3 COH_Mon;COH_Mon;C:\WINXP\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 Cpmt;Cisco Media Termination;C:\WINXP\system32\Drivers\Cpmt.sys [2004-10-28 11:51]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINXP\system32\DRIVERS\SymIM.sys [2007-08-09 19:27]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINXP\system32\DRIVERS\wdcsam.sys [2006-09-07 16:16]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 03:59:36 C:\WINXP\Tasks\Norton Internet Security - Run Full System Scan - Gneco.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exen/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 18:42:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Other Running Processes
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Cisco Systems\AutoUpdate\AutoUpdate.exe
C:\Documents and Settings\All Users.WINXP\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.exe
D:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\WINXP\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINXP\system32\WDBtnMgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\WINXP\System32\hphmon04.exe
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb07.exe
D:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony\Giga Pocket\usbsircs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINXP\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
.
**************************************************************************
.
Completion time: 2008-02-07 18:48:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-07 23:47:57
ComboFix2.txt 2008-02-07 04:27:22
ComboFix3.txt 2008-02-07 04:05:03
ComboFix4.txt 2008-02-06 05:32:31
.
2008-02-05 21:12:01 --- E O F ---

Looks like ActiveSync is still infected and may need to be removed and reinstalled. It can be downloaded from this link:
http://www.microsoft.com/windowsmobile/activesync/default.mspx
You can uninstall it in Add/Remove Programs. Before doing that, let's try once more to remove the baddie.
Open Notepad and copy/paste everything between the X's into it and make sure "RenV::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RenV::
----a-w 1,289,000 2008-01-17 21:24:23 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start, click "run".
Post a new ComboFix log.

Here is the Kaspersky log that I promised. I will now run the script that you provided....
---------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 08, 2008 1:24:46 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/02/2008
Kaspersky Anti-Virus database records: 514767
---------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: false
Scan Mail Bases: false
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics:
Total number of scanned objects: 193989
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:44:54
Infected Object Name / Virus Name / Last Action
Scan process completed.

I executed the Combofix script and am posting the log below. The Red "X" next to my C Drive remains, is there anything else that I can do?????
ComboFix 08-01-29.2 - Gneco 2008-02-08 15:40:05.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.265 [GMT -5:00]
Running from: C:\Documents and Settings\Gneco\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gneco\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.
2008-02-08 10:51 . 2008-02-08 10:51 <DIR> d-------- C:\WINXP\system32\Kaspersky Lab
2008-02-08 10:51 . 2008-02-08 10:51 <DIR> d-------- C:\Documents and Settings\All Users.WINXP\Application Data\Kaspersky Lab
2008-02-07 00:20 . 2008-02-07 00:20 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Avanquest
2008-02-07 00:02 . 2008-02-07 00:02 <DIR> d-------- C:\Documents and Settings\All Users.WINXP\Application Data\BVRP Software
2008-02-06 23:59 . 2008-02-06 23:59 <DIR> dr-hs---- C:\_Backup.RC
2008-02-06 23:59 . 2008-02-07 17:38 <DIR> d--h----- C:\_Backup
2008-02-06 23:58 . 2008-02-06 23:58 <DIR> d-------- C:\Documents and Settings\Gneco\Application Data\Avanquest
2008-02-06 23:50 . 2008-02-06 23:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-05 22:53 . 2008-02-05 22:53 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-02-05 22:52 . 2008-02-05 23:42 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-02-05 22:51 . 2008-02-05 23:20 123,952 --a------ C:\WINXP\system32\drivers\SYMEVENT.SYS
2008-02-05 22:51 . 2008-02-05 23:20 60,800 --a------ C:\WINXP\system32\S32EVNT1.DLL
2008-02-05 22:51 . 2008-02-05 23:20 10,740 --a------ C:\WINXP\system32\drivers\SYMEVENT.CAT
2008-02-05 22:51 . 2008-02-05 23:20 805 --a------ C:\WINXP\system32\drivers\SYMEVENT.INF
2008-02-05 21:43 . 2005-02-02 01:21 14,408 --a------ C:\WINXP\system32\drivers\gearaspiwdm.sys
2008-02-05 19:22 . 2008-02-05 19:22 <DIR> d-------- C:\DVRA04
2008-02-05 17:47 . 2008-02-05 17:47 <DIR> d-------- C:\Documents and Settings\All Users.WINXP\Application Data\PC Drivers HeadQuarters
2008-02-03 23:49 . 2008-02-08 15:46 7,635,744 --ahs---- C:\WINXP\system32\drivers\fidbox.dat
2008-02-03 23:49 . 2008-02-08 15:46 111,692 --ahs---- C:\WINXP\system32\drivers\fidbox.idx
2008-02-03 23:49 . 2008-02-08 15:46 77,600 --ahs---- C:\WINXP\system32\drivers\fidbox2.dat
2008-02-03 23:49 . 2008-02-08 15:46 11,480 --ahs---- C:\WINXP\system32\drivers\fidbox2.idx
2008-02-03 23:46 . 2008-02-03 23:46 <DIR> d-------- C:\KAV
2008-02-03 00:57 . 2008-02-03 00:57 1,158 --a------ C:\WINXP\mozver.dat
2008-01-28 02:26 . 2008-01-28 12:29 <DIR> d-------- C:\Documents and Settings\Gneco\.housecall6.6
2008-01-25 22:57 . 2008-02-05 21:58 <DIR> d-------- C:\WINXP\system32\SysDriversBak
2008-01-17 16:24 . 2008-01-28 12:35 15,360 --a--c--- C:\WINXP\system32\dllcache\ctfmon.exe
2008-01-17 16:24 . 2008-01-28 12:35 15,360 --a------ C:\WINXP\system32\ctfmon.exe
2008-01-17 15:43 . 2008-01-26 00:02 <DIR> d-a------ C:\Documents and Settings\All Users.WINXP\Application Data\TEMP
2008-01-17 13:05 . 2008-01-27 22:43 348,160 --a------ C:\WINXP\system32\hphmon04.exe
2008-01-17 13:05 . 2008-01-17 16:24 153,088 --a------ C:\WINXP\system32\VOBREGCheck.exe
2008-01-11 23:44 . 2008-02-02 23:13 54,156 --ah----- C:\WINXP\QTFont.qfn
2008-01-11 23:44 . 2008-01-11 23:44 1,409 --a------ C:\WINXP\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 20:35 --------- d-----w C:\Documents and Settings\All Users.WINXP\Application Data\Symantec
2008-02-08 18:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-07 03:54 --------- d-----w C:\Program Files\MSN Messenger
2008-02-07 03:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-07 03:54 --------- d-----w C:\Program Files\Citi Virtual Account Numbers
2008-02-07 03:33 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-06 04:20 --------- d-----w C:\Program Files\Symantec
2008-02-06 03:55 --------- d-----w C:\Documents and Settings\Gneco\Application Data\Symantec
2008-02-05 22:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-04 22:23 --------- d-----w C:\Program Files\Real
2008-01-28 18:47 --------- d-----w C:\Program Files\Quicken
2008-01-28 05:42 --------- d-----w C:\Program Files\Java
2008-01-26 04:58 --------- d-----w C:\Program Files\ItsDeductibleEX
2008-01-17 17:02 --------- d-----w C:\Program Files\QUICKENW
2008-01-15 14:54 10,537 ----a-w C:\WINXP\system32\drivers\coh_mon.cat
2008-01-15 10:28 706 ----a-w C:\WINXP\system32\drivers\COH_Mon.inf
2008-01-12 23:32 23,904 ----a-w C:\WINXP\system32\drivers\COH_Mon.sys
2007-12-19 22:52 --------- d-----w C:\Documents and Settings\Gneco\Application Data\Snapfish
.
----a-w 1,289,000 2008-01-17 21:24:23 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 22:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-05 23:19 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4C37-AA9D-10AC9BABA46C}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 22:51 316784]
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2008-01-28 12:35 5674352]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" [ ]
"EPSON Stylus Photo R260 Series"="C:\WINXP\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.exe" [2008-01-28 12:35 139264]
"ctfmon.exe"="C:\WINXP\system32\ctfmon.exe" [2008-01-28 12:35 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 13:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 23:53 714608]
"WD Button Manager"="WDBtnMgr.exe" [2007-06-03 13:01 364544 C:\WINXP\system32\WDBtnMgr.exe]
"UserFaultCheck"="C:\WINXP\system32\dumprep 0 -u" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-28 12:35 132496]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2008-01-28 12:35 69632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"NvCplDaemon"="NvQTwk" []
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2006-02-08 17:03 278528]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [ ]
"HPHmon04"="C:\WINXP\System32\hphmon04.exe" [2008-01-27 22:43 348160]
"HPDJ Taskbar Utility"="C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2008-01-27 22:43 188416]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [2008-01-28 12:35 192512]
"VirusScannerPro"="D:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe" [2007-09-01 06:58 173312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-01-28 12:35 39264]
C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2005-12-30 00:01:21 43520]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-08-08 00:28:49 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Giga Pocket Initialize.lnk - C:\Program Files\Sony\Giga Pocket\initovl.exe [2004-08-07 03:42:45 20480]
Giga Pocket Remocon Driver.lnk - C:\Program Files\Sony\Giga Pocket\usbsircs.exe [2004-08-07 03:03:06 94208]
HPAiODevice(hp officejet 7100 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2002-11-23 19:55:48 495682]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-04-02 23:15:37 114688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.exe [2000-01-21 03:15:54 65588]
Timer Recording Manager.lnk - C:\Program Files\Sony\Giga Pocket\ReserveModule.exe [2004-08-07 03:42:45 245760]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINXP\system32\ssqro
R0 si3112;SiI-3112 SATALink Controller;C:\WINXP\system32\drivers\si3112.sys [2004-06-14 21:03]
R1 SonyFanC;FAN Control Device Service;C:\WINXP\system32\Drivers\SonyFanC.sys [2001-12-03 11:53]
R2 AutoUpdate__Cisco;AutoUpdate: Cisco Apps;"C:\Program Files\Common Files\Cisco Systems\AutoUpdate\AutoUpdate.exe" [2004-10-28 11:58]
R2 CvlCdpPacket;Cisco VT Advantage CDP Packet Driver;C:\WINXP\system32\DRIVERS\CdpPacketWdmCvl.sys [2004-10-28 11:59]
R2 Fix-It Task Manager;Fix-It Task Manager;D:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe [2007-09-01 06:58]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2008-01-31 13:15]
R2 V7;V7;C:\WINXP\system32\drivers\V7.sys [2000-03-09 13:24]
R2 WUSB300NSvc;WUSB300NSvc;"C:\Program Files\Linksys\WUSB300N\WLService.exe" "WUSB300N.exe" []
R3 MailScan;MailScan;D:\PROGRA~1\AVANQU~1\Fix-It\MailScan.sys [2007-09-01 06:58]
R3 SMBE;Sony MPEG2 Encoder Board (WDM);C:\WINXP\system32\Drivers\SMBE.SYS [2001-09-21 11:16]
R3 SymIMMP;SymIMMP;C:\WINXP\system32\DRIVERS\SymIM.sys [2007-08-09 19:27]
S3 CiscoCam8116;Cisco VT Camera(1);C:\WINXP\system32\DRIVERS\CamDrC21.sys [2004-10-27 17:12]
S3 COH_Mon;COH_Mon;C:\WINXP\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 Cpmt;Cisco Media Termination;C:\WINXP\system32\Drivers\Cpmt.sys [2004-10-28 11:51]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINXP\system32\DRIVERS\SymIM.sys [2007-08-09 19:27]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINXP\system32\DRIVERS\wdcsam.sys [2006-09-07 16:16]
*Newly Created Service* - COMHOST
*Newly Created Service* - MAILSCAN
.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 03:59:36 C:\WINXP\Tasks\Norton Internet Security - Run Full System Scan - Gneco.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exen/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 15:48:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Cisco Systems\AutoUpdate\AutoUpdate.exe
C:\Documents and Settings\All Users.WINXP\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.exe
D:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\WINXP\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINXP\system32\WDBtnMgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\WINXP\System32\hphmon04.exe
C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
D:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony\Giga Pocket\usbsircs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINXP\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
.
**************************************************************************
.
Completion time: 2008-02-08 15:53:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-08 20:53:03
ComboFix2.txt 2008-02-07 23:48:03
ComboFix3.txt 2008-02-07 04:27:22
ComboFix4.txt 2008-02-07 04:05:03
ComboFix5.txt 2008-02-06 05:32:31
.
2008-02-05 21:12:01 --- E O F ---

This should fix the red X.
Go to start> run> type in notepad > ok. Copy paste the following into notepad making [autorun] the very top line:
[autorun]
ICON=C:\WINDOWS\SYSTEM\SHELL32.DLL,8
Click "save as"> then using the drop down arrow on the far right of the "save in" window select Local Disk C: to be displayed in the "save in" window.
Next type "C:\autorun.inf" (you must use the quotes) in the file name window> click save.
Restart the computer.
C:\Program Files\Microsoft ActiveSync\wcescomm .exe still appears to be infected. I would uninstall it, download ActiveSync and reinstall it.
Let us know how the computer is operating.

Okay, the Red "X" is fixed (does my computer actually run a program to replace the icon every time I boot the computer?).
I just deleted the Active Sync files, was not able to "Uninstall" through the normal procedure...hope that is okay.
Do you happen to know why I might get the following error message every time I re-boot:
An exception occurred while trying to run "NvCpl.dll,NvStartup"
Is there anything I can do to address/solve this error?
BTW, you folks have been extremely helpful; my computer is running so much better. Thanks a lot.
