ATVman
Posts posted by ATVman
-
-
Status: Disinfected (events: 8)
6/23/2012 2:19:28 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.al C:\Documents and Settings\Ean\Application Data\Sun\Java\Deployment\cache\6.0\0\4fde7d80-45da705b/mp1/p2/C.class High
6/23/2012 2:19:30 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.cg C:\Documents and Settings\Ean\Application Data\Sun\Java\Deployment\cache\6.0\35\778e4823-3aeeaa59/Play.class High
6/23/2012 12:55:19 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.al C:\Documents and Settings\Kelly\Application Data\Sun\Java\Deployment\cache\6.0\12\72c8f00c-3a1c94fa/mz1/my/CL.class High
6/23/2012 12:55:19 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.dz C:\Documents and Settings\Kelly\Application Data\Sun\Java\Deployment\cache\6.0\53\1e44b9b5-2b96c3b6/json/Parser.class High
6/23/2012 12:55:19 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.al C:\Documents and Settings\Kelly\Application Data\Sun\Java\Deployment\cache\6.0\12\72c8f00c-3a1c94fa High
6/23/2012 12:55:19 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.dz C:\Documents and Settings\Kelly\Application Data\Sun\Java\Deployment\cache\6.0\53\1e44b9b5-2b96c3b6 High
6/23/2012 2:19:28 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.al C:\Documents and Settings\Ean\Application Data\Sun\Java\Deployment\cache\6.0\0\4fde7d80-45da705b High
6/23/2012 2:19:30 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.cg C:\Documents and Settings\Ean\Application Data\Sun\Java\Deployment\cache\6.0\35\778e4823-3aeeaa59 High
Status: Will be deleted when the computer is restarted (events: 1)
6/23/2012 2:20:47 PM Will be deleted when the computer is restarted Trojan program HEUR:Trojan.Win32.Generic C:\Documents and Settings\Ean\Local Settings\temp\NOD1161.tmp High
Status: Deleted (events: 22)
6/23/2012 12:55:48 PM Deleted Trojan program Trojan.Win32.Agent.slys C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\28\3084999c-20c534ad//PE-Crypt.XorPE High
6/23/2012 12:55:42 PM Deleted Trojan program Trojan.Win32.Agent.smek C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\45\5bc711ed-618e7de3//PE-Crypt.XorPE High
6/23/2012 12:56:09 PM Deleted Trojan program Packed.Win32.Black.d C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\48\2a913bb0-46f0b1da//PE-Crypt.XorPE//PE_Patch//ASProtect14 High
6/23/2012 12:55:42 PM Deleted Trojan program Trojan.Win32.Agent.smek C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\45\5bc711ed-618e7de3 High
6/23/2012 12:55:48 PM Deleted Trojan program Trojan.Win32.Agent.slys C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\28\3084999c-20c534ad High
6/23/2012 12:56:19 PM Deleted Trojan program Packed.Win32.Black.d C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\48\7d1460f0-5b0d843e//PE-Crypt.XorPE//PE_Patch//ASProtect14 High
6/23/2012 12:56:08 PM Deleted Trojan program Trojan.Win32.Agent.slyh C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\50\2d15d0b2-4d80facb//PE-Crypt.XorPE High
6/23/2012 12:56:08 PM Deleted Trojan program Trojan.Win32.Agent.slyh C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\50\2d15d0b2-4d80facb High
6/23/2012 12:56:09 PM Deleted Trojan program Packed.Win32.Black.d C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\48\2a913bb0-46f0b1da//PE-Crypt.XorPE//PE_Patch High
6/23/2012 12:56:09 PM Deleted Trojan program Packed.Win32.Black.d C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\48\2a913bb0-46f0b1da//PE-Crypt.XorPE High
6/23/2012 12:56:09 PM Deleted Trojan program Packed.Win32.Black.d C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\48\2a913bb0-46f0b1da High
6/23/2012 12:56:19 PM Deleted Trojan program Packed.Win32.Black.d C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\48\7d1460f0-5b0d843e//PE-Crypt.XorPE//PE_Patch High
6/23/2012 12:56:19 PM Deleted Trojan program Packed.Win32.Black.d C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\48\7d1460f0-5b0d843e//PE-Crypt.XorPE High
6/23/2012 12:56:19 PM Deleted Trojan program Packed.Win32.Black.d C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\48\7d1460f0-5b0d843e High
6/23/2012 12:56:50 PM Deleted Trojan program Packed.Win32.Black.d C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\9\58e72549-1220e024//PE-Crypt.XorPE//PE_Patch//ASProtect14 High
6/23/2012 12:56:50 PM Deleted Trojan program Packed.Win32.Black.d C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\9\58e72549-1220e024//PE-Crypt.XorPE//PE_Patch High
6/23/2012 12:56:50 PM Deleted Trojan program Packed.Win32.Black.d C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\9\58e72549-1220e024//PE-Crypt.XorPE High
6/23/2012 12:56:50 PM Deleted Trojan program Packed.Win32.Black.d C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\9\58e72549-1220e024 High
6/23/2012 12:58:04 PM Deleted Trojan program Trojan-Spy.Win32.Lurk.ze C:\Documents and Settings\Kids\Local Settings\Temp\0.4561690942235387.htm High
6/23/2012 12:58:23 PM Deleted Trojan program Trojan-Spy.Win32.Lurk.ze C:\Documents and Settings\Kids\Local Settings\Temp\E8.tmp High
6/23/2012 1:43:54 PM Deleted Trojan program Trojan.Win32.Agent.slys C:\System Volume Information\_restore{82EC36D8-0CA1-4777-868B-3C6B2F39DA92}\RP1087\A0100341.exe High
6/23/2012 1:44:19 PM Deleted Trojan program Packed.Win32.Krap.hc C:\System Volume Information\_restore{82EC36D8-0CA1-4777-868B-3C6B2F39DA92}\RP1094\A0105369.exe High
-
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=446ef88b5f4c914291259598ec8f7749
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-06-22 11:18:08
# local_time=2012-06-22 07:18:08 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=2817 16777215 100 100 62309983 64908079 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=127817
# found=13
# cleaned=13
# scan_time=3032
C:\Documents and Settings\Ean\Local Settings\Application Data\{65A65992-99D4-11E1-826E-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Kelly\Local Settings\Application Data\{65A65992-99D4-11E1-826E-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Kelly\Local Settings\Temp\jar_cache5719936466553698840.tmp Java/Exploit.CVE-2012-0507.BK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\6.0\13\547bef0d-157d0899 a variant of Win32/Injector.SQB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Kids\Local Settings\Application Data\Apple Computer\Ahead\seooekhsp.dll a variant of Win32/Kryptik.AGJV trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Kids\Local Settings\Application Data\{65A65992-99D4-11E1-826E-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Kids\Local Settings\Application Data\{d9631021-81ab-1cc1-e8f5-aabc88d61ea1}\L\80000032.@ probably a variant of Win32/Sirefef.EU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Kids\Local Settings\Application Data\{d9631021-81ab-1cc1-e8f5-aabc88d61ea1}\U\80000032.@ probably a variant of Win32/Sirefef.EU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Kids\Local Settings\Temp\100.tmp a variant of Win32/Kryptik.AGNZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Kids\Local Settings\Temp\mpland.dll a variant of Win32/Medfos.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Kids\Local Settings\Temp\tempfiles.exe a variant of Win32/Injector.SQB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Kids\Local Settings\Temp\nst231.tmp\seooekhsp.dll a variant of Win32/Kryptik.AGJV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{82EC36D8-0CA1-4777-868B-3C6B2F39DA92}\RP1095\A0105487.dll a variant of Win32/Kryptik.AGJV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
-
-
Vuze is gone. Here is the ComboFix log
ComboFix 12-06-21.01 - Ean 06/21/2012 12:51:41.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1186 [GMT -4:00]
Running from: c:\documents and settings\Ean\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-21 to 2012-06-21 )))))))))))))))))))))))))))))))
.
.
2012-06-15 14:24 . 2012-06-15 14:24 -------- d-sh--w- c:\documents and settings\Kids\IECompatCache
2012-06-12 13:05 . 2012-06-12 13:05 -------- d-----w- c:\documents and settings\Kids\Applications
2012-05-26 19:03 . 2012-05-26 19:03 -------- d-sh--w- c:\documents and settings\Ean\IECompatCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 19:56 . 2009-07-31 00:13 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-25 05:58 . 2011-04-25 05:58 124864 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2011-04-25 06:48 . 2011-04-25 06:48 13760 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2011-04-25 06:00 . 2011-04-25 06:00 71104 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2011-04-25 05:59 . 2011-04-25 05:59 92096 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2011-04-25 05:58 . 2011-04-25 05:58 22976 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2011-04-25 05:57 . 2011-04-25 05:57 255936 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2011-04-25 05:58 . 2011-04-25 05:58 32192 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2011-04-25 05:58 . 2011-04-25 05:58 40896 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-04-25 05:51 . 2011-04-25 05:51 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2011-04-25 06:00 . 2011-04-25 06:00 24512 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-01-18 . 600D58665D16BFBB776EFEFB0E80532D . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-06-15_17.33.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-06-21 15:41 . 2012-06-21 15:41 16384 c:\windows\Temp\Perflib_Perfdata_ec.dat
+ 2012-06-21 15:52 . 2012-06-21 15:52 16384 c:\windows\Temp\Perflib_Perfdata_8dc.dat
+ 2001-08-23 11:00 . 2012-06-15 19:22 68796 c:\windows\system32\perfc009.dat
- 2001-08-23 11:00 . 2012-03-12 00:54 68796 c:\windows\system32\perfc009.dat
+ 2001-08-23 11:00 . 2012-06-15 19:22 436026 c:\windows\system32\perfh009.dat
- 2001-08-23 11:00 . 2012-03-12 00:54 436026 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 16132608]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"EPSON Stylus CX6600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-03-01 98304]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"eligmini"="c:\program files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe" [2008-09-03 487424]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-05-24 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2011-04-25 305088]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NeroMediaHome.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NMMediaServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Kelly\\Desktop\\utorrent.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Cisco Packet Tracer 5.3\\bin\\PacketTracer5.exe"=
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [4/25/2011 1:49 AM 65584]
R2 HealthMonitor;HealthMonitor;c:\program files\HealthMonitor\HealthMonitor.exe [9/2/2005 12:56 PM 24576]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/30/2009 8:13 PM 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/30/2009 8:13 PM 22344]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [1/18/2009 11:04 PM 47360]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [11/17/2009 7:38 PM 18560]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2052111302-682003330-1004Core.job
- c:\documents and settings\Kelly\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-02 01:11]
.
2012-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2052111302-682003330-1004UA.job
- c:\documents and settings\Kelly\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-02 01:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1 216.165.129.158
FF - ProfilePath - c:\documents and settings\Ean\Application Data\Mozilla\Firefox\Profiles\ojdyfr6i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-21 12:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3120)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-06-21 13:00:46
ComboFix-quarantined-files.txt 2012-06-21 17:00
ComboFix2.txt 2012-06-15 17:35
.
Pre-Run: 104,577,015,808 bytes free
Post-Run: 104,582,737,920 bytes free
.
- - End Of File - - A6FD0138D107192DD4D47227AADC902E
-
Each time it finds those 4 and says they were removed successfully, but it comes back.
-
Here is the log from Mbam
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
Database version: v2012.06.21.06
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Ean :: EAN-5784A361F15 [administrator]
Protection: Enabled
6/21/2012 11:17:23 AM
mbam-log-2012-06-21 (11-17-23).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 241342
Time elapsed: 7 minute(s), 7 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 4
C:\Documents and Settings\Kids\Local Settings\Temp\0.17353914919558944 (Trojan.Happili) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kids\Local Settings\Temp\0.3856546594334659 (Trojan.Happili) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kids\Local Settings\Temp\0.9491749519361574 (Trojan.Happili) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kids\Applications\NT\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
(end)
-
I have recently been hit with the Happili Trojan. MBAM says it finds it and cleans it up, but I still randomly get pop-ups from MBAM saying it blocked an outgoing attempt to a malicious website; the website IP is different on most notifications.
I downloaded DDS and ran it; below are the 2 logs. Please help me. Thanks.
DDS.TXT
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Ean at 10:14:14 on 2012-06-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1266 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HealthMonitor\HealthMonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE
C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
uRun: [startCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [EPSON Stylus CX6600 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [eligmini] c:\program files\fisher-price\easy-link internet launch pad\Easy-Link internet launch pad.exe 0
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233613307578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1 216.165.129.158
TCP: Interfaces\{8C572FCF-FA1D-495C-A0DC-27D6270921F5} : DhcpNameServer = 192.168.0.1 216.165.129.158
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ean\application data\mozilla\firefox\profiles\ojdyfr6i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2011-4-25 65584]
R2 HealthMonitor;HealthMonitor;c:\program files\healthmonitor\HealthMonitor.exe [2005-9-2 24576]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-7-30 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-7-30 22344]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-11-17 18560]
.
=============== Created Last 30 ================
.
2012-06-15 17:19:29 -------- d-sha-r- C:\cmdcons
2012-06-15 17:14:54 98816 ----a-w- c:\windows\sed.exe
2012-06-15 17:14:54 518144 ----a-w- c:\windows\SWREG.exe
2012-06-15 17:14:54 256000 ----a-w- c:\windows\PEV.exe
2012-06-15 17:14:54 208896 ----a-w- c:\windows\MBR.exe
2012-06-15 17:14:46 -------- d-----w- C:\ComboFix
2012-05-26 19:03:00 -------- d-sh--w- c:\documents and settings\ean\IECompatCache
.
==================== Find3M ====================
.
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 10:15:04.62 ===============
ATTACH.TXT
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/18/2009 2:11:35 PM
System Uptime: 6/21/2012 8:36:40 AM (2 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | M2A-VM
Processor: AMD Athlon 64 X2 Dual Core Processor 5000+ | Socket AM2 | 2599/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 596 GiB total, 97.456 GiB free.
D: is FIXED (NTFS) - 75 GiB total, 30.499 GiB free.
E: is Removable
F: is Removable
G: is Removable
H: is CDROM ()
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Network Controller
Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_00551737&REV_00\4&CC5B14E&0&28A4
Manufacturer:
Name: Network Controller
PNP Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_00551737&REV_00\4&CC5B14E&0&28A4
Service:
.
==== System Restore Points ===================
.
RP1003: 3/23/2012 6:28:14 PM - System Checkpoint
RP1004: 3/24/2012 6:48:00 PM - System Checkpoint
RP1005: 3/25/2012 10:00:17 PM - System Checkpoint
RP1006: 3/26/2012 10:06:50 PM - System Checkpoint
RP1007: 3/27/2012 10:09:22 PM - System Checkpoint
RP1008: 3/29/2012 9:21:23 AM - System Checkpoint
RP1009: 3/30/2012 9:32:48 AM - System Checkpoint
RP1010: 3/30/2012 6:46:39 PM - Removed EPSON PhotoStarter3.2
RP1011: 3/30/2012 6:47:50 PM - Removed EPSON CardMonitor
RP1012: 3/30/2012 6:48:26 PM - Removed Applet_Web
RP1013: 3/30/2012 6:48:32 PM - Removed Applet_App
RP1014: 3/30/2012 6:48:38 PM - Removed Applet_Ocr
RP1015: 3/30/2012 6:48:44 PM - Removed Applet_Email
RP1016: 3/30/2012 6:48:50 PM - Removed Applet_File
RP1017: 3/30/2012 6:48:58 PM - Removed Applet_CopyToFax
RP1018: 3/30/2012 6:49:03 PM - Removed Applet_VC
RP1019: 3/30/2012 6:49:11 PM - Removed Applet_Copy
RP1020: 3/30/2012 6:49:16 PM - Removed Smart Panel
RP1021: 3/31/2012 7:04:57 PM - System Checkpoint
RP1022: 4/1/2012 8:16:02 PM - System Checkpoint
RP1023: 4/2/2012 9:17:06 PM - System Checkpoint
RP1024: 4/3/2012 10:40:45 PM - System Checkpoint
RP1025: 4/4/2012 11:03:06 PM - System Checkpoint
RP1026: 4/5/2012 11:39:30 PM - System Checkpoint
RP1027: 4/7/2012 12:06:51 AM - System Checkpoint
RP1028: 4/8/2012 12:51:07 AM - System Checkpoint
RP1029: 4/9/2012 1:42:18 AM - System Checkpoint
RP1030: 4/10/2012 2:42:18 AM - System Checkpoint
RP1031: 4/11/2012 3:35:02 AM - System Checkpoint
RP1032: 4/12/2012 8:49:19 AM - System Checkpoint
RP1033: 4/13/2012 9:04:15 AM - System Checkpoint
RP1034: 4/14/2012 10:27:01 AM - System Checkpoint
RP1035: 4/15/2012 10:36:31 AM - System Checkpoint
RP1036: 4/16/2012 11:56:24 AM - System Checkpoint
RP1037: 4/17/2012 4:04:54 PM - System Checkpoint
RP1038: 4/18/2012 4:06:45 PM - System Checkpoint
RP1039: 4/19/2012 4:50:12 PM - System Checkpoint
RP1040: 4/20/2012 5:50:40 PM - System Checkpoint
RP1041: 4/22/2012 12:04:24 PM - System Checkpoint
RP1042: 4/23/2012 12:35:00 PM - System Checkpoint
RP1043: 4/24/2012 1:33:55 PM - System Checkpoint
RP1044: 4/25/2012 2:29:05 PM - System Checkpoint
RP1045: 4/26/2012 3:28:00 PM - System Checkpoint
RP1046: 4/27/2012 4:13:16 PM - System Checkpoint
RP1047: 4/28/2012 5:13:16 PM - System Checkpoint
RP1048: 4/29/2012 6:13:16 PM - System Checkpoint
RP1049: 4/30/2012 7:17:07 PM - System Checkpoint
RP1050: 5/1/2012 7:32:01 PM - System Checkpoint
RP1051: 5/2/2012 8:16:21 PM - System Checkpoint
RP1052: 5/3/2012 8:42:35 PM - System Checkpoint
RP1053: 5/4/2012 9:16:21 PM - System Checkpoint
RP1054: 5/5/2012 10:16:21 PM - System Checkpoint
RP1055: 5/7/2012 6:08:18 PM - System Checkpoint
RP1056: 5/8/2012 10:12:17 PM - System Checkpoint
RP1057: 5/9/2012 11:29:33 PM - System Checkpoint
RP1058: 5/10/2012 11:46:35 PM - System Checkpoint
RP1059: 5/11/2012 11:51:02 PM - System Checkpoint
RP1060: 5/13/2012 12:08:51 AM - System Checkpoint
RP1061: 5/14/2012 7:57:49 AM - System Checkpoint
RP1062: 5/15/2012 4:35:13 PM - System Checkpoint
RP1063: 5/16/2012 4:42:23 PM - System Checkpoint
RP1064: 5/17/2012 8:08:08 PM - System Checkpoint
RP1065: 5/18/2012 8:46:24 PM - System Checkpoint
RP1066: 5/19/2012 9:46:25 PM - System Checkpoint
RP1067: 5/21/2012 7:24:06 AM - System Checkpoint
RP1068: 5/22/2012 8:11:30 AM - System Checkpoint
RP1069: 5/23/2012 9:11:30 AM - System Checkpoint
RP1070: 5/24/2012 10:11:30 AM - System Checkpoint
RP1071: 5/25/2012 12:11:43 PM - System Checkpoint
RP1072: 5/26/2012 1:19:57 PM - System Checkpoint
RP1073: 5/27/2012 7:33:44 PM - System Checkpoint
RP1074: 5/28/2012 9:12:01 PM - System Checkpoint
RP1075: 5/29/2012 9:57:41 PM - System Checkpoint
RP1076: 5/30/2012 10:19:41 PM - System Checkpoint
RP1077: 5/31/2012 10:47:11 PM - System Checkpoint
RP1078: 6/1/2012 11:33:07 PM - System Checkpoint
RP1079: 6/2/2012 11:58:02 PM - System Checkpoint
RP1080: 6/4/2012 8:48:18 AM - System Checkpoint
RP1081: 6/5/2012 9:41:04 AM - System Checkpoint
RP1082: 6/6/2012 10:41:05 AM - System Checkpoint
RP1083: 6/7/2012 11:14:40 AM - System Checkpoint
RP1084: 6/8/2012 12:01:43 PM - System Checkpoint
RP1085: 6/9/2012 12:36:52 PM - System Checkpoint
RP1086: 6/11/2012 9:09:22 AM - System Checkpoint
RP1087: 6/12/2012 1:33:48 PM - System Checkpoint
RP1088: 6/13/2012 3:50:09 PM - System Checkpoint
RP1089: 6/14/2012 4:28:42 PM - System Checkpoint
RP1090: 6/15/2012 5:03:00 PM - System Checkpoint
RP1091: 6/16/2012 5:07:16 PM - System Checkpoint
RP1092: 6/17/2012 6:07:16 PM - System Checkpoint
RP1093: 6/19/2012 9:14:51 AM - System Checkpoint
RP1094: 6/20/2012 10:12:58 AM - System Checkpoint
.
==== Installed Programs ======================
.
.
AAC Decoder
ABBYY FineReader 5.0 Sprint Plus
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 6.0
Adobe Reader 9.4.2
Adobe Shockwave Player 11.5
AMD Processor Driver
AnyDVD
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AquAdvisor
ArcSoft Software Suite
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
Audacity 1.2.6
AutoUpdate
Avi2Dvd 0.5
AviSynth 2.5
Bonjour
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner (remove only)
Cisco Packet Tracer 5.3
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
ClamWin Free Antivirus 0.96.1
ConvertHelper 2.2
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Duplicate Music Files Finder 1.5.5
DVD Decrypter (Remove Only)
DVD Flick
DVD Shrink 3.2
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.3.0
Easy-Link internet launch pad
EPSON Printer Software
ffdshow [rev 2844] [2009-03-30]
Free RAR Extract Frog 1.00
H.264 Decoder
HandBrake 0.9.3
HealthMonitor 3.0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Image Resizer Powertoy for Windows XP
ImTOO DVD Ripper Platinum 5
iTunes
iTunes Library Updater
J2SE Runtime Environment 5.0 Update 5
Java Auto Updater
Java 6 Update 24
LADSPA_plugins-win-0.4.15
LAME v3.98.2 for Audacity
LeapFrog Connect
LeapFrog My Pals Plugin
LeapFrog Tag Junior Plugin
Libra 0.9.2
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Dreamweaver MX
Macromedia Extension Manager
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MKV Splitter
Mozilla Firefox (3.5.9)
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8
OGA Notifier 2.0.0048.0
pdfsam
PeerGuardian 2.0
Picasa 3
PrimoPDF
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Recover My Files
ScanToWeb
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Groove 2007 (KB2552997)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB2586448)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skins
Spybot - Search & Destroy
Thomas & Friends - Railway Adventures
TuneUp Companion 1.1.9
Turbo Lister 2
Ultra PDF Tools 1.5 (build 90618)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Outlook 2007 Junk Email Filter (KB2596560)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Use the entry named LeapFrog Connect to uninstall (LeapFrog My Pals Plugin)
Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Junior Plugin)
VC80CRTRedist - 8.0.50727.762
Videora iPod Converter 4.04
VLC media player 1.0.0
Vuze
WebFldrs XP
Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
.
==== Event Viewer Messages From Past Week ========
.
6/18/2012 4:32:35 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\D.
6/18/2012 11:16:29 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk4\D.
6/16/2012 10:38:27 AM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk5\D.
6/16/2012 10:32:03 AM, error: Service Control Manager [7022] - The HealthMonitor service hung on starting.
6/15/2012 3:30:57 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\D.
.
==== End Of File ===========================
Infected with Happili Trojan (posted in Resolved Malware Removal Logs)
The log didn't copy very well
d69fcd3-1f843ef2\rotor/zalux.class;C:\Documents and Settings\Ean\Application Data\Sun\Java\Deployment\cache\6.0\19\d69fcd3-1f843ef2;Exploit.CVE2010-0840.20;;
d69fcd3-1f843ef2;C:\Documents and Settings\Ean\Application Data\Sun\Java\Deployment\cache\6.0\19;Container contains infected objects;Moved.;
CustomInstallationPlugIn.dll;C:\Documents and Settings\Kelly\Local Settings\Temp\01M7GSE0\kitchen_brigade-setup[1] Setup\plugins\2;Probably STPAGE.Trojan;;
jar_cache1483048561033722112.tmp\E.class;C:\Documents and Settings\Kids\Local Settings\Temp\jar_cache1483048561033722112.tmp;Exploit.Java.307;;
jar_cache1483048561033722112.tmp;C:\Documents and Settings\Kids\Local Settings\Temp;Container contains infected objects;Moved.;
cbr2121;kw=google;sz=728x90;ord=5358208832638516[1];C:\Documents and Settings\Kids\Local Settings\Temporary Internet Files\Content.IE5\75A9R9MB;Probably SCRIPT.Virus;;
cbr2121;kw=google;sz=728x90;ord=2998561148723128[1];C:\Documents and Settings\Kids\Local Settings\Temporary Internet Files\Content.IE5\GY2C9IOO;Probably SCRIPT.Virus;;
npCouponPrinter.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Coupons.34;;
A0102387.bat;C:\System Volume Information\_restore{82EC36D8-0CA1-4777-868B-3C6B2F39DA92}\RP1089;Probably BATCH.Virus;;
A0105426.bat;C:\System Volume Information\_restore{82EC36D8-0CA1-4777-868B-3C6B2F39DA92}\RP1095;Probably BATCH.Virus;;
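The Dr.Web log above is hard to read as pasted: the fields are semicolon-separated, the object name of the two ad-script hits itself contains semicolons, the first line is cut off, and the child entries (a .class inside a moved container) look like separate findings. The following triage script is an added example written for this thread; it is not part of the post, of DDS, or of Dr.Web. It assumes the four-field layout object;path;threat;action; inferred from the lines above (not taken from vendor documentation), splits from the right so embedded semicolons in the object name do not break parsing, works out which user profile and which on-disk location each hit belongs to (Java deployment cache, jar_cache temp files, IE cache, restore points, Program Files), pulls any CVE number out of the detection name, and lists the hits for which no action was recorded and which are not members of a container Dr.Web already moved. The input embedded in the script is the set of lines quoted in the post, with the truncated first line kept as-is.

```python
"""Triage Dr.Web CureIt!-style log lines of the form  object;path;threat;action;

Added example for this thread; not part of the post, of DDS or of Dr.Web.
The four-field layout is inferred from the quoted lines and is an assumption.
"""
import re
from collections import Counter

# The detection lines as pasted in the post above (first line truncated there).
SAMPLE_LOG = r"""
d69fcd3-1f843ef2\rotor/zalux.class;C:\Documents and Settings\Ean\Application Data\Sun\Java\Deployment\cache\6.0\19\d69fcd3-1f843ef2;Exploit.CVE2010-0840.20;;
d69fcd3-1f843ef2;C:\Documents and Settings\Ean\Application Data\Sun\Java\Deployment\cache\6.0\19;Container contains infected objects;Moved.;
CustomInstallationPlugIn.dll;C:\Documents and Settings\Kelly\Local Settings\Temp\01M7GSE0\kitchen_brigade-setup[1] Setup\plugins\2;Probably STPAGE.Trojan;;
jar_cache1483048561033722112.tmp\E.class;C:\Documents and Settings\Kids\Local Settings\Temp\jar_cache1483048561033722112.tmp;Exploit.Java.307;;
jar_cache1483048561033722112.tmp;C:\Documents and Settings\Kids\Local Settings\Temp;Container contains infected objects;Moved.;
cbr2121;kw=google;sz=728x90;ord=5358208832638516[1];C:\Documents and Settings\Kids\Local Settings\Temporary Internet Files\Content.IE5\75A9R9MB;Probably SCRIPT.Virus;;
cbr2121;kw=google;sz=728x90;ord=2998561148723128[1];C:\Documents and Settings\Kids\Local Settings\Temporary Internet Files\Content.IE5\GY2C9IOO;Probably SCRIPT.Virus;;
npCouponPrinter.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Coupons.34;;
A0102387.bat;C:\System Volume Information\_restore{82EC36D8-0CA1-4777-868B-3C6B2F39DA92}\RP1089;Probably BATCH.Virus;;
A0105426.bat;C:\System Volume Information\_restore{82EC36D8-0CA1-4777-868B-3C6B2F39DA92}\RP1095;Probably BATCH.Virus;;
"""

CVE_RE = re.compile(r"CVE-?(\d{4})-(\d{4,})", re.I)      # Dr.Web writes CVE2010-0840
USER_RE = re.compile(r"\\documents and settings\\([^\\]+)\\", re.I)

# Checked in order: "temporary internet files" must be tested before
# "local settings\temp", which is a prefix of it.
LOCATIONS = [
    ("java-cache", "\\sun\\java\\deployment\\cache\\"),
    ("java-temp-jar", "jar_cache"),
    ("ie-cache", "temporary internet files"),
    ("user-temp", "\\local settings\\temp"),
    ("restore-point", "\\system volume information\\"),
    ("program-files", "\\program files\\"),
]


def classify(full_path):
    """Map a full path to one of the LOCATIONS labels, or 'other'."""
    low = full_path.lower()
    for label, needle in LOCATIONS:
        if needle in low:
            return label
    return "other"


def parse_line(line):
    """Split one record. The object name may itself contain ';' (the ad URLs
    above do), so split from the right, where the three fixed fields are."""
    line = line.strip()
    if not line:
        return None
    if line.endswith(";"):
        line = line[:-1]                      # every record carries a trailing ';'
    parts = line.rsplit(";", 3)
    if len(parts) != 4:
        return None
    obj, path, threat, action = parts
    full = path.rstrip("\\") + "\\" + obj
    user = USER_RE.search(full)
    cve = CVE_RE.search(threat)
    return {
        "object": obj, "path": path, "threat": threat, "action": action,
        "user": user.group(1) if user else None,
        "cve": f"CVE-{cve.group(1)}-{cve.group(2)}" if cve else None,
        "location": classify(full),
        "container": threat.lower().startswith("container "),
    }


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def pending(records):
    """Hits with no action recorded that are not members of a container that
    was moved (a member lists its container's full path as its own path)."""
    moved = [r["path"].rstrip("\\") + "\\" + r["object"]
             for r in records if r["container"] and r["action"]]
    out = []
    for r in records:
        if r["action"]:
            continue
        inside = any(r["path"] == m or r["path"].startswith(m + "\\") for m in moved)
        if not inside:
            out.append(r)
    return out


def summarize(records):
    return {
        "by_location": Counter(r["location"] for r in records),
        "by_user": Counter(r["user"] or "(no profile)" for r in records),
        "cves": sorted({r["cve"] for r in records if r["cve"]}),
        "pending": len(pending(records)),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    s = summarize(recs)
    for loc, n in s["by_location"].most_common():
        print(f"{n:3d}  {loc}")
    print("users:", dict(s["by_user"]))
    print("CVEs named:", s["cves"])
    for r in pending(recs):
        print("no action recorded:", r["location"], r["path"] + "\\" + r["object"])
```

Run against the quoted lines it reports the two Java deployment cache hits under the Ean profile, the jar_cache pair under Kids, and six objects for which the log records no action: the setup plug-in DLL in Kelly's Temp, the two ad scripts in the Kids IE cache, the Firefox coupon plugin, and the two .bat files in restore points RP1089 and RP1095. Those six are what the next scan or cleanup step needs to cover; the two .class entries are already inside containers marked Moved.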