Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93125 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] please help

Started by Joecastle , Oct 05 2007 12:21 PM

  • This topic is locked This topic is locked
124 replies to this topic

#106 Joecastle

Joecastle

    Authentic Member

  • Authentic Member
  • PipPip
  • 215 posts

Posted 24 October 2007 - 06:21 PM

In Add & RemovePrograms there is a Windows XP Hotfix (SP2) [See Q329115 for more information]

    Advertisements

Register to Remove

#107 sUΒs

sUΒs

    Authentic Member

  • Malware Expert
  • 189 posts

Posted 24 October 2007 - 06:25 PM

That's not it. How about the file - c:\windows\$NtServicePackUninstall$\spuninst\spuninst.exe

#108 Joecastle

Joecastle

    Authentic Member

  • Authentic Member
  • PipPip
  • 215 posts

Posted 24 October 2007 - 07:01 PM

That's not it. How about the file - c:\windows\$NtServicePackUninstall$\spuninst\spuninst.exe



No. I do not find it anywhere...

#109 sUΒs

sUΒs

    Authentic Member

  • Malware Expert
  • 189 posts

Posted 24 October 2007 - 07:06 PM

Please show me a fresh fix.bat report

#110 Joecastle

Joecastle

    Authentic Member

  • Authentic Member
  • PipPip
  • 215 posts

Posted 24 October 2007 - 07:33 PM

Please show me a fresh fix.bat report


catchme 0.3.1169.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 21:25:47
Windows 5.1.2600

scanning processes ...

System [4]
C:\WINDOWS\SYSTEM32\SMSS.EXE [404] 0x811FD218
C:\WINDOWS\SYSTEM32\CSRSS.EXE [468] 0xFFB55270
C:\WINDOWS\SYSTEM32\WINLOGON.EXE [492] 0xFFBA4DA8
C:\WINDOWS\SYSTEM32\SERVICES.EXE [536] 0x8118A210
C:\WINDOWS\SYSTEM32\LSASS.EXE [548] 0x81212020
C:\WINDOWS\SYSTEM32\SVCHOST.EXE [708] 0xFFB124B0
C:\WINDOWS\SYSTEM32\SVCHOST.EXE [740] 0xFFB3C020
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE [1064] 0xFFB536F0
C:\WINDOWS\SYSTEM32\SVCHOST.EXE [1136] 0xFFBD26F0
C:\WINDOWS\SYSTEM32\USERINIT.EXE [1232] 0xFFB53478
C:\WINDOWS\EXPLORER.EXE [1288] 0x811FFA68
C:\WINDOWS\System32\alg.exe [1404] 0xFFB6D7A0
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE [1416] 0x8119D528
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE [1444] 0xFFB52388
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\aolserv.exe [1468] 0xFFB85B30
C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\GUARD.EXE [1488] 0xFFBB62F0
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE [1512] 0xFF95C9A0
C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE [1520] 0xFF937970
C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE [1536] 0xFF937170
C:\PROGRAM FILES\COMPACT WIRELESS-G USB NETWORK ADAPTER WITH SPEEDBOOSTER\WLSERVICE.EXE [1616] 0xFF9298B8
C:\PROGRAM FILES\TROJANHUNTER 5.0\THGUARD.EXE [1632] 0xFF928430
C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\GOOGLETOOLBARNOTIFIER.EXE [1660] 0xFF881BE8
C:\PROGRAM FILES\ADOBE\ACROBAT 7.0\READER\READER_SL.EXE [1676] 0xFF86CBE8
C:\PROGRAM FILES\COMPACT WIRELESS-G USB NETWORK ADAPTER WITH SPEEDBOOSTER\WUSB54GSC.EXE [1684] 0xFF86B688
C:\WINDOWS\system32\cmd.exe [1848] 0xFEC0B918
C:\WINDOWS\catchme.exe [1884] 0xFEBF1020


SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
netsvcs REG_MULTI_SZ 6to4AudioSrvBrowserCryptSvcDMServerDHCPERSvcEventSystemFastUserSwitchingCompatib
lityHidServIasIpripIrmonLanmanServerLanmanWorkstationMessengerNetmanNlaNtmssvcNW
WorkstationNwsapagentRasautoRasmanRemoteaccessScheduleSeclogonSENSSharedaccessSR
erviceTapisrvThemesTrkWksW32TimeWZCSVCWmiWmdmPmSpwinmgmtTermServiceShellHWDetect
onhelpsvcuploadmgr\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService
CoInitializeSecurityParam REG_DWORD 1 (0x1)
AuthenticationCapabilities REG_DWORD 8192 (0x2000)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs
CoInitializeSecurityParam REG_DWORD 1 (0x1)
AuthenticationCapabilities REG_DWORD 12320 (0x3020)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth
CoInitializeSecurityParam REG_DWORD 2 (0x2)
AuthenticationCapabilities REG_DWORD 64 (0x40)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs
CoInitializeSecurityParam REG_DWORD 1 (0x1)
DefaultRpcStackSize REG_DWORD 8 (0x8)


------ Services [Running]

SERVICE_NAME: ALG
SERVICE_NAME: AOL ACS
SERVICE_NAME: AOL TopSpeedMonitor
SERVICE_NAME: AOLService
SERVICE_NAME: AudioSrv
SERVICE_NAME: AVG Anti-Spyware Guard
SERVICE_NAME: Browser
SERVICE_NAME: CryptSvc
SERVICE_NAME: dmserver
SERVICE_NAME: ERSvc
SERVICE_NAME: Eventlog
SERVICE_NAME: EventSystem
SERVICE_NAME: helpsvc
SERVICE_NAME: Irmon
SERVICE_NAME: lanmanserver
SERVICE_NAME: lanmanworkstation
SERVICE_NAME: Netman
SERVICE_NAME: PlugPlay
SERVICE_NAME: ProtectedStorage
SERVICE_NAME: RasMan
SERVICE_NAME: RemoteAccess
SERVICE_NAME: RemoteRegistry
SERVICE_NAME: RpcSs
SERVICE_NAME: SamSs
SERVICE_NAME: Schedule
SERVICE_NAME: seclogon
SERVICE_NAME: SENS
SERVICE_NAME: ShellHWDetection
SERVICE_NAME: Spooler
SERVICE_NAME: srservice
SERVICE_NAME: TapiSrv
SERVICE_NAME: TermService
SERVICE_NAME: Themes
SERVICE_NAME: TrkWks
SERVICE_NAME: uploadmgr
SERVICE_NAME: W32Time
SERVICE_NAME: WebClient
SERVICE_NAME: winmgmt
SERVICE_NAME: WmdmPmSp
SERVICE_NAME: WUSB54GSCSVC
SERVICE_NAME: WZCSVC

------ Services [Stopped]

SERVICE_NAME: Alerter
SERVICE_NAME: AppMgmt
SERVICE_NAME: BITS
SERVICE_NAME: cisvc
SERVICE_NAME: ClipSrv
SERVICE_NAME: COMSysApp
SERVICE_NAME: Dhcp
SERVICE_NAME: dmadmin
SERVICE_NAME: Dnscache
SERVICE_NAME: FastUserSwitchingCompatibility
SERVICE_NAME: GoogleDesktopManager
SERVICE_NAME: gpejsjbq
SERVICE_NAME: gusvc
SERVICE_NAME: HidServ
SERVICE_NAME: HTTPFilter
SERVICE_NAME: ImapiService
SERVICE_NAME: LmHosts
SERVICE_NAME: Messenger
SERVICE_NAME: mnmsrvc
SERVICE_NAME: MSDTC
SERVICE_NAME: MSIServer
SERVICE_NAME: NetDDE
SERVICE_NAME: NetDDEdsdm
SERVICE_NAME: Netlogon
SERVICE_NAME: Nla
SERVICE_NAME: NtLmSsp
SERVICE_NAME: NtmsSvc
SERVICE_NAME: ose
SERVICE_NAME: PolicyAgent
SERVICE_NAME: RasAuto
SERVICE_NAME: RDSessMgr
SERVICE_NAME: RpcLocator
SERVICE_NAME: RSVP
SERVICE_NAME: SCardSvr
SERVICE_NAME: SharedAccess
SERVICE_NAME: SSDPSRV
SERVICE_NAME: stisvc
SERVICE_NAME: SwPrv
SERVICE_NAME: SysmonLog
SERVICE_NAME: TlntSvr
SERVICE_NAME: upnphost
SERVICE_NAME: UPS
SERVICE_NAME: VSS
SERVICE_NAME: WmdmPmSN
SERVICE_NAME: Wmi
SERVICE_NAME: WmiApSrv
SERVICE_NAME: wuauserv

------ Drivers [Running]

SERVICE_NAME: ACPI
SERVICE_NAME: AegisP
SERVICE_NAME: AFD
SERVICE_NAME: ALiADWDM
SERVICE_NAME: AliIde
SERVICE_NAME: alim1541
SERVICE_NAME: ASCTRM
SERVICE_NAME: atapi
SERVICE_NAME: audstub
SERVICE_NAME: AVG Anti-Spyware Driver
SERVICE_NAME: AvgAsCln
SERVICE_NAME: Beep
SERVICE_NAME: catchme
SERVICE_NAME: Cdfs
SERVICE_NAME: Cdrom
SERVICE_NAME: CmBatt
SERVICE_NAME: Compbatt
SERVICE_NAME: Disk
SERVICE_NAME: dmio
SERVICE_NAME: dmload
SERVICE_NAME: E100B
SERVICE_NAME: Fastfat
SERVICE_NAME: Fdc
SERVICE_NAME: Fips
SERVICE_NAME: Flpydisk
SERVICE_NAME: Ftdisk
SERVICE_NAME: Gpc
SERVICE_NAME: i8042prt
SERVICE_NAME: IPSec
SERVICE_NAME: irda
SERVICE_NAME: IRENUM
SERVICE_NAME: isapnp
SERVICE_NAME: Kbdclass
SERVICE_NAME: KSecDD
SERVICE_NAME: mnmdd
SERVICE_NAME: Modem
SERVICE_NAME: Mouclass
SERVICE_NAME: MountMgr
SERVICE_NAME: MRxDAV
SERVICE_NAME: MRxSmb
SERVICE_NAME: Msfs
SERVICE_NAME: Mup
SERVICE_NAME: NDIS
SERVICE_NAME: NdisTapi
SERVICE_NAME: Ndisuio
SERVICE_NAME: NdisWan
SERVICE_NAME: NDProxy
SERVICE_NAME: NetBIOS
SERVICE_NAME: Npfs
SERVICE_NAME: Null
SERVICE_NAME: P3
SERVICE_NAME: Parport
SERVICE_NAME: PartMgr
SERVICE_NAME: ParVdm
SERVICE_NAME: PCI
SERVICE_NAME: Pcmcia
SERVICE_NAME: PptpMiniport
SERVICE_NAME: PSched
SERVICE_NAME: Ptilink
SERVICE_NAME: RasAcd
SERVICE_NAME: Rasirda
SERVICE_NAME: Rasl2tp
SERVICE_NAME: RasPppoe
SERVICE_NAME: Raspti
SERVICE_NAME: Rdbss
SERVICE_NAME: RDPCDD
SERVICE_NAME: rdpdr
SERVICE_NAME: redbook
SERVICE_NAME: ROOTMODEM
SERVICE_NAME: serenum
SERVICE_NAME: Serial
SERVICE_NAME: SMCIRDA
SERVICE_NAME: sr
SERVICE_NAME: Srv
SERVICE_NAME: swenum
SERVICE_NAME: sysaudio
SERVICE_NAME: TermDD
SERVICE_NAME: TOSHIBASoftModem
SERVICE_NAME: trid3d
SERVICE_NAME: Update
SERVICE_NAME: usbhub
SERVICE_NAME: usbohci
SERVICE_NAME: USBSTOR
SERVICE_NAME: VgaSave
SERVICE_NAME: VolSnap
SERVICE_NAME: wanatw
SERVICE_NAME: wdmaud

------ Drivers [Stopped]

SERVICE_NAME: Abiosdsk
SERVICE_NAME: abp480n5
SERVICE_NAME: ACPIEC
SERVICE_NAME: adpu160m
SERVICE_NAME: aec
SERVICE_NAME: Aha154x
SERVICE_NAME: aic78u2
SERVICE_NAME: aic78xx
SERVICE_NAME: amsint
SERVICE_NAME: asc
SERVICE_NAME: asc3350p
SERVICE_NAME: asc3550
SERVICE_NAME: AsyncMac
SERVICE_NAME: Atdisk
SERVICE_NAME: Atmarpc
SERVICE_NAME: Auq68
SERVICE_NAME: BCM42RLY
SERVICE_NAME: cbidf2k
SERVICE_NAME: cd20xrnt
SERVICE_NAME: Cdaudio
SERVICE_NAME: Changer
SERVICE_NAME: CmdIde
SERVICE_NAME: Cpqarray
SERVICE_NAME: dac960nt
SERVICE_NAME: dmboot
SERVICE_NAME: DMusic
SERVICE_NAME: dpti2o
SERVICE_NAME: drmkaud
SERVICE_NAME: gmer
SERVICE_NAME: hpn
SERVICE_NAME: hpt3xx
SERVICE_NAME: HTTP
SERVICE_NAME: i2omgmt
SERVICE_NAME: i2omp
SERVICE_NAME: Imapi
SERVICE_NAME: ini910u
SERVICE_NAME: IntelIde
SERVICE_NAME: ip6fw
SERVICE_NAME: IpFilterDriver
SERVICE_NAME: IpInIp
SERVICE_NAME: IpNat
SERVICE_NAME: kmixer
SERVICE_NAME: lbrtfdc
SERVICE_NAME: mraid35x
SERVICE_NAME: MSKSSRV
SERVICE_NAME: MSPCLOCK
SERVICE_NAME: MSPQM
SERVICE_NAME: mssmbios
SERVICE_NAME: NetBT
SERVICE_NAME: Ntfs
SERVICE_NAME: NwlnkFlt
SERVICE_NAME: NwlnkFwd
SERVICE_NAME: PCIDump
SERVICE_NAME: PCIIde
SERVICE_NAME: PDCOMP
SERVICE_NAME: PDFRAME
SERVICE_NAME: PDRELI
SERVICE_NAME: PDRFRAME
SERVICE_NAME: perc2
SERVICE_NAME: perc2hib
SERVICE_NAME: ql1080
SERVICE_NAME: Ql10wnt
SERVICE_NAME: ql12160
SERVICE_NAME: ql1240
SERVICE_NAME: ql1280
SERVICE_NAME: RDPWD
SERVICE_NAME: Secdrv
SERVICE_NAME: Sfloppy
SERVICE_NAME: Simbad
SERVICE_NAME: Sparrow
SERVICE_NAME: splitter
SERVICE_NAME: swmidi
SERVICE_NAME: symc810
SERVICE_NAME: symc8xx
SERVICE_NAME: sym_hi
SERVICE_NAME: sym_u3
SERVICE_NAME: Tcpip
SERVICE_NAME: TDPIPE
SERVICE_NAME: TDTCP
SERVICE_NAME: TosIde
SERVICE_NAME: Udfs
SERVICE_NAME: ultra
SERVICE_NAME: USB_RNDIS
SERVICE_NAME: ViaIde
SERVICE_NAME: Wanarp
SERVICE_NAME: WDICA

#111 sUΒs

sUΒs

    Authentic Member

  • Malware Expert
  • 189 posts

Posted 24 October 2007 - 07:47 PM

------ Drivers [Stopped]

SERVICE_NAME: Tcpip

You won't have internet connectivity if this driver isn't running.

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@echo off
vfind -ltf %systemdrive%\tcpip* >tcpip.txt
notepad tcpip.txt
del tcpip.txt

Save this as find.bat Choose to "Save type as - All Files"
It should look like this: Posted Image
Double click on find.bat & allow it to run

Post back to tell me what it says

#112 Joecastle

Joecastle

    Authentic Member

  • Authentic Member
  • PipPip
  • 215 posts

Posted 24 October 2007 - 08:03 PM

----a-w 180,032 2001-08-23 16:00:00 C:\WINDOWS\system32\drivers\tcpip6.sys ----a-w 359,040 2004-08-04 06:14:40 C:\WINDOWS\system32\drivers\tcpip.sys ----a-w 359,808 2006-04-20 11:51:50 C:\WINDOWS\system32\drivers\tcpip.sys.sys ----a-w 327,168 2001-08-23 16:00:00 C:\WINDOWS\system32\dllcache\tcpip.sys ----a-w 180,032 2001-08-23 16:00:00 C:\WINDOWS\system32\dllcache\tcpip6.sys ----a-w 50,586 2001-08-23 16:00:00 C:\WINDOWS\Help\tcpip.chm ----a-w 223,616 2004-08-04 06:07:46 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\tcpip6.sys ----a-w 359,040 2004-08-04 06:14:40 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\tcpip.sys ----a-w 0 2007-10-25 01:55:44 C:\Documents and Settings\admin\Desktop\tcpip.txt ----a-w 126,648 2007-06-06 16:41:40 C:\Program Files\Spybot - Search & Destroy\Plugins\TCPIPAddress.dll ------w 160,070 2001-08-23 12:00:00 C:\I386\TCPIP.SY_ ------w 87,453 2001-08-23 12:00:00 C:\I386\TCPIP6.SY_ ------w 43,437 2001-08-23 12:00:00 C:\I386\TCPIPW.CH_ Entries: 13 (13) Directories: 0 Files: 13 Bytes: 2,456,930 Blocks: 4,803

#113 sUΒs

sUΒs

    Authentic Member

  • Malware Expert
  • 189 posts

Posted 24 October 2007 - 08:13 PM

Hmm ...plenty of spares around. :) Delete the existing copy at C;\Windows\System32\drivers\tcpip.sys Copy from C:\WINDOWS\system32\dllcache\tcpip.sys to replace it Reboot

#114 Joecastle

Joecastle

    Authentic Member

  • Authentic Member
  • PipPip
  • 215 posts

Posted 24 October 2007 - 08:39 PM

Hmm ...plenty of spares around. :)

Delete the existing copy at C;\Windows\System32\drivers\tcpip.sys

Copy from C:\WINDOWS\system32\dllcache\tcpip.sys to replace it

Reboot


sUBs,

There are 2 tcpip in C;\Windows\System32\drivers\

1 tcpip.sys
2 tcpip

I deleted C;\Windows\System32\drivers\tcpip.sys as mentioned

I copied tcpip from here C:\WINDOWS\system32\dllcache\tcpip & as I am going to paste it a Confirm widow pops up taht says This folder already contains a file named "tcpip"
Before I paste it. What should I do? It is asking me if I want to replace tcpip.

Edited by Joecastle, 24 October 2007 - 08:41 PM.

#115 sUΒs

sUΒs

    Authentic Member

  • Malware Expert
  • 189 posts

Posted 24 October 2007 - 08:43 PM

It's probably Windows File Protection at work. It replaces the file which you deleted. Let's check if it replaced it correctly. Right click on C:\Windows\System32\drivers\tcpip.sys & select "Properties" Check to see if it's filesize is 327,168 bytes If so, you can reboot now

    Advertisements

Register to Remove

#116 Joecastle

Joecastle

    Authentic Member

  • Authentic Member
  • PipPip
  • 215 posts

Posted 24 October 2007 - 09:35 PM

YESSSSSSSSS!!! We are online!!!

#117 sUΒs

sUΒs

    Authentic Member

  • Malware Expert
  • 189 posts

Posted 24 October 2007 - 09:37 PM

Using Internet Explorer, visit http://www.kaspersky...apter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

    Posted Image

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

#118 Joecastle

Joecastle

    Authentic Member

  • Authentic Member
  • PipPip
  • 215 posts

Posted 25 October 2007 - 12:06 AM

WOW!! Here it is... ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Thursday, October 25, 2007 2:02:33 AM Operating System: Microsoft Windows XP Professional, (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 25/10/2007 Kaspersky Anti-Virus database records: 444235 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ Scan Statistics: Total number of scanned objects: 48025 Number of viruses found: 58 Number of infected objects: 242 Number of suspicious objects: 3 Duration of the scan process: 02:05:27 Infected Object Name / Virus Name / Last Action C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped C:\WINDOWS\system32\config\SYSTEM Object is locked skipped C:\WINDOWS\system32\config\DEFAULT Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\mstlsap.1 Infected: Trojan.Win32.Delf.agk skipped C:\WINDOWS\system32\eceecgsl.dll.bak Infected: Trojan.Win32.Delf.ajv skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\Debug\oakley.log Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\installer.exe Infected: Trojan-Dropper.Win32.Agent.bqg skipped C:\WINDOWS\ModemLog_Communications cable between two computers.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.4/wbuninst.exe Suspicious: Password-protected-EXE skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\admin\NTUSER.DAT Object is locked skipped C:\Documents and Settings\admin\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-120.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-962.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-791.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-714.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-392.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071011-181038-202.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071012-201206-819.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071012-203312-221.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\Documents and Settings\admin\Desktop\ieupdr2.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\Documents and Settings\admin\Cookies\index.dat Object is locked skipped C:\Documents and Settings\admin\ntuser.dat.LOG Object is locked skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP26\A0067304.dll Suspicious: Packed.Win32.Morphine.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP26\A0069339.dll Infected: Trojan.Win32.Delf.agk skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP27\A0069347.dll Infected: Trojan.Win32.Agent.cho skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP27\A0069350.DLL Infected: Trojan.Win32.Delf.ajv skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP27\A0069351.DLL Infected: Trojan-Clicker.Win32.Delf.jv skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP27\A0070359.dll Infected: Trojan-Downloader.Win32.Agent.elf skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP27\A0070360.dll Infected: Trojan-Dropper.Win32.Agent.cia skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP27\A0070361.dll Infected: Trojan.Win32.Delf.ajz skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP27\A0070377.dll Infected: Trojan-PSW.Win32.Nilage.bsz skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP27\A0070484.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP27\A0070487.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP27\A0070488.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP27\A0070489.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP27\A0070490.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070541.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070542.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070544.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070546.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070548.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070549.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070551.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070552.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070555.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070558.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070559.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070561.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070564.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070565.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070567.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070568.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070569.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070588.dll Infected: Trojan-Spy.Win32.Small.ez skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP29\A0070591.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP41\A0072081.exe Infected: Trojan.Win32.Agent.bnd skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP41\A0072085.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.jn skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP41\A0072085.exe NSIS: infected - 1 skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP41\A0072102.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP41\A0072102.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP41\A0072102.exe NSIS: infected - 2 skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP43\A0074872.exe Infected: not-a-virus:AdWare.Win32.Agent.jn skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP43\A0079059.dll Infected: not-a-virus:AdWare.Win32.AdBand.c skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP43\A0080061.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP43\A0080062.exe Infected: Trojan-Spy.Win32.Banker.ejg skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP43\A0080099.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP43\A0082940.dll Infected: Trojan-Clicker.Win32.Delf.jr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0083972.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0083990.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0083991.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0083992.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0083993.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084004.dll Infected: SpamTool.Win32.Agent.be skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084005.dll Infected: Trojan-Spy.Win32.BZub.ik skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084008.sys Infected: Rootkit.Win32.Agent.lj skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084026.dll Infected: SpamTool.Win32.Agent.bk skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084027.dll Infected: SpamTool.Win32.Agent.bk skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084028.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084028.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.c skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084028.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Agent.jn skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084028.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.jn skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084028.exe NSIS: infected - 4 skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084029.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084037.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084084.exe Infected: Trojan.Win32.Agent.bnd skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084085.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gg skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084153.exe Infected: Trojan-Downloader.Win32.Small.ftt skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084154.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084155.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084157.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084160.exe Infected: Trojan-Spy.Win32.Perfloger.h skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084161.exe Infected: Backdoor.Win32.Agent.bxx skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084162.exe Infected: Rootkit.Win32.Agent.jy skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084163.dll Infected: Trojan-Dropper.Win32.Agent.cie skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084164.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084235.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0084236.sys Infected: Rootkit.Win32.Agent.jf skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP45\A0103372.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP45\A0103378.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP45\A0103379.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP45\A0103380.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP45\A0103381.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP45\A0103382.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP45\A0103385.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP47\A0104427.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP47\A0104433.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP47\A0104434.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP47\A0104435.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP47\A0104436.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP47\A0104437.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP47\A0104440.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP48\A0105487.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP48\A0105493.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP48\A0105494.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP48\A0105495.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP48\A0105496.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP48\A0105497.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP48\A0105500.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP49\A0106546.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP49\A0106552.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP49\A0106553.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP49\A0106554.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP49\A0106555.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP49\A0106556.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP49\A0106559.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP50\A0106610.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP50\A0106616.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP50\A0106617.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP50\A0106618.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP50\A0106619.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP50\A0106620.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP50\A0106623.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP51\A0106670.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP51\A0106676.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP51\A0106677.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP51\A0106678.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP51\A0106679.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP51\A0106680.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP51\A0106683.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP52\A0108725.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP52\A0108731.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP52\A0108732.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP52\A0108733.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP52\A0108734.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP52\A0108735.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP52\A0108738.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP53\A0108789.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP53\A0108795.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP53\A0108796.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP53\A0108797.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP53\A0108798.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP53\A0108799.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP53\A0108801.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP54\A0108846.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP54\A0108852.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP54\A0108853.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP54\A0108854.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP54\A0108855.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP54\A0108856.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP54\A0108858.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP56\A0109901.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP56\A0109907.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP56\A0109908.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP56\A0109909.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP56\A0109910.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP56\A0109911.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP56\A0109913.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP57\A0110956.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP57\A0110962.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP57\A0110963.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP57\A0110964.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP57\A0110965.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP57\A0110966.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP57\A0110968.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP58\A0112011.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP58\A0112017.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP58\A0112018.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP58\A0112019.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP58\A0112020.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP58\A0112021.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP58\A0112023.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP59\A0112099.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP59\A0112105.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP59\A0112106.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP59\A0112107.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP59\A0112108.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP59\A0112109.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP59\A0112111.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP60\A0112188.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP60\A0112194.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP60\A0112195.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP60\A0112196.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP60\A0112197.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP60\A0112198.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP60\A0112200.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP62\A0124323.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP62\A0124329.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP62\A0124330.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP62\A0124331.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP62\A0124332.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP62\A0124333.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP62\A0124335.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP63\A0124417.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP63\A0124423.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP63\A0124424.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP63\A0124425.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP63\A0124426.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP63\A0124427.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP63\A0124429.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP65\A0125517.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP65\A0125523.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP65\A0125524.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP65\A0125525.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP65\A0125526.dll Infected: not-a-virus:AdWare.Win32.Agent.kr skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP65\A0125527.dll Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP65\A0125529.exe Infected: Trojan-Downloader.Win32.Small.fww skipped C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP65\change.log Object is locked skipped C:\qoobox\Quarantine\C\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Internet Explorer\prndrv.dll.vir Infected: SpamTool.Win32.Agent.be skipped C:\qoobox\Quarantine\C\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\prx66b.dll.vir Infected: SpamTool.Win32.Agent.bk skipped C:\qoobox\Quarantine\C\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\prx66a.dll.vir Infected: SpamTool.Win32.Agent.bk skipped C:\qoobox\Quarantine\C\Documents and Settings\admin\ie_update3r.exe.vir Infected: Trojan-Downloader.Win32.Small.fww skipped C:\qoobox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\partnership.dll.vir Infected: Trojan-Proxy.Win32.Xorpix.bt skipped C:\qoobox\Quarantine\C\WINDOWS\system32\ipv6monr.dll.vir Infected: Trojan-Spy.Win32.BZub.ik skipped C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\lhfjncwk.sys.vir Infected: Rootkit.Win32.Agent.lj skipped C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\lhfjncwk.dat.vir Infected: Rootkit.Win32.Agent.li skipped C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\iiccncfm.dat.vir Infected: Rootkit.Win32.Agent.lk skipped C:\qoobox\Quarantine\C\WINDOWS\system32\Q2\mon33dll.exe.vir/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped C:\qoobox\Quarantine\C\WINDOWS\system32\Q2\mon33dll.exe.vir/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.c skipped C:\qoobox\Quarantine\C\WINDOWS\system32\Q2\mon33dll.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Agent.jn skipped C:\qoobox\Quarantine\C\WINDOWS\system32\Q2\mon33dll.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Agent.jn skipped C:\qoobox\Quarantine\C\WINDOWS\system32\Q2\mon33dll.exe.vir NSIS: infected - 4 skipped C:\qoobox\Quarantine\C\WINDOWS\system32\f24WtR\f24WtR2218.exe.vir Infected: Trojan-Downloader.Win32.VB.bgd skipped C:\qoobox\Quarantine\C\WINDOWS\system32\GRB9\wrdll22919.exe.vir Infected: Trojan-Downloader.Win32.Small.ftt skipped C:\qoobox\Quarantine\C\WINDOWS\system32\_svchost.exe.vir Infected: Trojan-Downloader.Win32.Small.fww skipped C:\qoobox\Quarantine\C\WINDOWS\system32\update176.exe.vir Infected: Trojan-Spy.Win32.Perfloger.h skipped C:\qoobox\Quarantine\C\WINDOWS\system32\update281.exe.vir Infected: Backdoor.Win32.Agent.bxx skipped C:\qoobox\Quarantine\C\WINDOWS\system32\update285.exe.vir Infected: Rootkit.Win32.Agent.jy skipped C:\qoobox\Quarantine\C\WINDOWS\system32\vahnjqck.dll.vir Infected: Trojan-Dropper.Win32.Agent.cie skipped C:\qoobox\Quarantine\C\WINDOWS\system32\mstlsap.dll.vir Infected: Trojan-Spy.Win32.BZub.bsa skipped C:\qoobox\Quarantine\C\WINDOWS\system32\syslodr.sys.vir Infected: Rootkit.Win32.Agent.jf skipped C:\qoobox\Quarantine\C\WINDOWS\Temp\772000.exe.vir Infected: Trojan.Win32.AntiNOD.c skipped C:\qoobox\Quarantine\C\WINDOWS\mgrs.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped C:\qoobox\Quarantine\C\WINDOWS\tsitra1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.enr skipped C:\qoobox\Quarantine\C\6.tmp.vir/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped C:\qoobox\Quarantine\C\6.tmp.vir NSIS: infected - 1 skipped C:\qoobox\Quarantine\C\7.tmp.vir/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped C:\qoobox\Quarantine\C\7.tmp.vir/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped C:\qoobox\Quarantine\C\7.tmp.vir/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped C:\qoobox\Quarantine\C\7.tmp.vir NSIS: infected - 3 skipped C:\qoobox\Quarantine\C\Program Files\hlpsrv.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped C:\qoobox\Quarantine\C\FOUND.013\FILE0000.CHK.vir Infected: Rootkit.Win32.Agent.jy skipped C:\qoobox\Quarantine\C\FOUND.013\FILE0002.CHK.vir Infected: Trojan.Win32.Pakes.dm skipped C:\qoobox\Quarantine\C\FOUND.013\FILE0003.CHK.vir Infected: Trojan.Win32.Pakes.dm skipped C:\qoobox\Quarantine\C\FOUND.013\FILE0014.CHK.vir Infected: Rootkit.Win32.Agent.kb skipped Scan process completed.

#119 sUΒs

sUΒs

    Authentic Member

  • Malware Expert
  • 189 posts

Posted 25 October 2007 - 05:15 AM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\mstlsap.1
C:\WINDOWS\system32\eceecgsl.dll.bak
C:\WINDOWS\installer.exe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip
C:\Documents and Settings\admin\Desktop\ieupdr2.exe
Folder::
C:\Documents and Settings\admin\Desktop\New Folder\backups
Driver::
gpejsjbq

Save this as "CFScript"


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

#120 Joecastle

Joecastle

    Authentic Member

  • Authentic Member
  • PipPip
  • 215 posts

Posted 25 October 2007 - 03:03 PM

Hi sUBs,

ComboFix 07-10-19.1 - admin 2007-10-25 16:51:46.7 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.60 [GMT -4:00]
Running from: E:\ComboFix.exe
Command switches used :: C:\Documents and Settings\admin\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Documents and Settings\admin\Desktop\ieupdr2.exe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip
C:\WINDOWS\installer.exe
C:\WINDOWS\system32\eceecgsl.dll.bak
C:\WINDOWS\system32\mstlsap.1
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\admin\Desktop\ieupdr2.exe
C:\Documents and Settings\admin\Desktop\New Folder\backups
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-114
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-120
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-120.dll
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-154
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-220
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-246
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-281
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-290
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-369
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-392
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-392.dll
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-406
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-488
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-534
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-561
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-563
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-566
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-601
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-621
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-637
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-644
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-651
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-675
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-701
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-714
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-714.dll
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-757
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-791
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-791.dll
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-917
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-917.dll
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-962
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-962.dll
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-969
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-975
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-988
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184325-995
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184327-245
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184327-554
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071009-184328-899
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071011-181038-202
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071011-181038-202.dll
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071011-181038-666
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071011-181038-807
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071011-181038-807.dll
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071012-201206-819
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071012-201206-819.dll
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071012-201206-968
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071012-201206-985
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071012-201206-985.dll
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071012-203312-221
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071012-203312-221.dll
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071012-203312-666
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071012-203312-666.dll
C:\Documents and Settings\admin\Desktop\New Folder\backups\backup-20071012-203312-977
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip
C:\WINDOWS\installer.exe
C:\WINDOWS\system32\eceecgsl.dll.bak
C:\WINDOWS\system32\mstlsap.1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_GPEJSJBQ
-------\gpejsjbq


((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.

2007-10-24 23:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-24 23:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-24 23:23 327,168 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-10-24 23:23 327,168 --a------ C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-20 10:37 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-09 19:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-05 17:26 <DIR> d-------- C:\Documents and Settings\admin\Application Data\TrojanHunter
2007-10-05 13:57 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-10-04 21:47 <DIR> d-------- C:\WINDOWS\peernet
2007-10-04 21:46 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-04 21:33 20,480 --a------ C:\WINDOWS\system32\sprecovr.exe
2007-10-04 21:28 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-04 21:19 <DIR> d-------- C:\WINDOWS\EHome
2007-10-04 20:53 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-10-04 17:28 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-10-04 17:28 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-10-04 17:28 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-10-04 17:28 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-10-04 17:28 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-10-04 17:08 <DIR> d--h----- C:\WINDOWS\$xpsp1hfm$
2007-10-04 17:08 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-10-04 02:56 <DIR> d-------- C:\WINDOWS\system32\bits
2007-10-04 00:09 <DIR> d-------- C:\WINDOWS\pss
2007-10-03 23:49 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Grisoft
2007-10-03 23:49 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-03 23:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-03 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 23:17 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-10-03 23:17 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-10-03 23:17 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-10-03 23:17 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-10-03 23:17 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-10-03 23:17 33,624 --a------ C:\WINDOWS\system32\wups.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-20 23:24 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-09-20 23:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-20 23:23 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-20 23:07 --------- d-----w C:\Documents and Settings\admin\Application Data\AdobeUM
2007-09-20 23:03 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-08 02:23 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2007-09-08 02:23 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-03-25 01:55 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-09_19.28.22.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-15 19:48:42 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 13:38:18 581,632 ----a-r C:\WINDOWS\gmer.exe
- 2007-10-07 22:16:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-10-25 20:42:40 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-10-07 22:16:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-25 20:42:40 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-10-07 22:16:16 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-25 20:42:40 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-15 19:48:44 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-04-07 19:53:44 52,400 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-25 03:34:18 52,400 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-04-07 19:53:44 354,222 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-25 03:34:18 354,222 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-24 23:24:42 912,768 ----a-w C:\WINDOWS\system32\restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{078A5878-DA1D-4AD9-A6CD-63D7F737106A}]
C:\WINDOWS\System32\mstlsap.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC91129A-A238-49F2-B101-2896DF91A32F}]
c:\windows\system32\cagacag.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-08-10 18:10]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-10 18:11]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 00:33]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bsfrzvci]
cagacag.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R2 WUSB54GSCSVC;WUSB54GSCSVC;"C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe"
R3 TOSHIBASoftModem;Toshiba Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSMT.sys
R3 trid3d;trid3d;C:\WINDOWS\System32\DRIVERS\trid3dm.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 16:56:38
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-25 16:58:50 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-22 19:50
C:\ComboFix-quarantined-files.txt ... 2007-10-12 21:07
C:\ComboFix3.txt ... 2007-10-15 16:02
.
--- E O F ---

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·