Cyber Tech Help Support Forums > Software > Malware Removal

#1 - August 1st, 2007, 05:28 PM - sweetiris (New Member)
Will only load into safe mode, error in all others, can't use system restore

A few days ago I was trying to fix some problems on my mother's computer related to spyware and malware, and her DSL stopped working. After running HijackThis it found the LSP was messed up and couldn't fix it. I had to go on my computer to download LSPfix from cexx.org. I used that but the internet still wouldn't work. I somehow managed to get it to work by messing with some settings (I can't recall what I did).

This is where the real problems started. When the internet started working after my rebooting, Explorer started shutting off and restarting constantly. I had to Ctrl+Alt+Del to finally kill it, since the computer was so slow trying to do anything while Explorer was restarting.

While I was using the internet trying to find out what was wrong with Explorer, the computer put itself into standby mode. While I was trying to get it out of that mode the computer shut down and rebooted. The computer tries to load normally but encounters an error. Even after completely shutting it off first it won't load normally. It won't load if I choose to go back to the last known good settings. I also can't load into Safe Mode with Networking. The only thing that works is regular Safe Mode.

If I try going to System Restore I get a message that System Restore can't protect your computer and to reboot before trying it again.

I have no clue what to do. I'm trying to find her Windows XP disk but even if I find it I'm not sure what to do that could fix these problems.

I'm assuming these problems are spyware or virus related.

Her HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:57:57 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\vedxg6ame4.exe
C:\WINDOWS\system32\vedxg6ame4.exe
C:\HJT\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dog.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://NTSERVER:80
O2 - BHO: H - {83E915D4-DDDB-4450-B957-7A3240E9CE66} - zoox1.dll (file missing)
O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [szkzojal.exe] C:\WINDOWS\system32\szkzojal.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [BillGatesLoh.exe] C:\WINDOWS\BillGatesLoh.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [gf1.0.0.2] C:\WINDOWS\system32\NBPDtJPa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://birdieboutique.viewnetcam.com:87/kxhcm10.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1177565592151
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/dow...in/actxcab.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/A...oadcontrol.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...setup142f1.cab
O18 - Filter: text/html - {A8981DB9-B2B3-47D7-A890-9C9D9F4C5552} - C:\WINDOWS\mfA.tmp
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: TCP/IP NetBIOS Helper LmHostsdmserver (LmHostsdmserver) - Unknown owner - C:\WINDOWS\system32\HCFCSA32t.exe (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Routing and Remote Access RemoteAccessRpcSs (RemoteAccessRpcSs) - Unknown owner - C:\WINDOWS\system32\SHDOC401f.exe (file missing)
O23 - Service: System Restore Service (srservice) - Unknown owner - % (file missing)
O23 - Service: Automatic Updates wuauservxmlprov (wuauservxmlprov) - Unknown owner - C:\WINDOWS\system32\Flying Windowsh.exe (file missing)



Any help would be so appreciated!!!!!!

#2 - August 3rd, 2007, 02:09 PM - Jintan (Cyber Tech Help Moderator)
Howdy sweetiris,


Welcome to CTH. Looks like the System Restore service has become corrupted by some action. A very badly infected system here, so let's start repairs.



Go to Start > Run and type

cmd

and OK. Type the below commands and hit "Enter" after each line

sc stop RemoteAccessRpcSs
sc delete RemoteAccessRpcSs
sc stop wuauservxmlprov
sc delete wuauservxmlprov


Type Exit to close.



Next, open HijackThis and choose "None of the above, just start the program". Click Config – Misc Tools – Open process manager. From the list, click each of the following if it is present, and Kill Process. Close HijackThis.

C:\WINDOWS\system32\vedxg6ame4.exe
C:\WINDOWS\system32\vedxg6ame4.exe
(or any instance of this you see at the time)



It also looks like your IE has had its server settings redirected to an unknown and very suspect-appearing proxy, but I cannot be sure of this just by looking at a log file. If you or your Mom did not set any proxy settings (or she recalls this being set by an ISP requirement - check with them if necessary), then close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select "Fix Checked" and close HijackThis.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://NTSERVER:80



Download and run DELDOMAINS (right click the link and select Save Link/Target As), then double click to open the DelDomains.inf. To execute the file, right-click and select 'Install' from the menu. You may only see the desktop perhaps flicker when the fix makes the corrections.

(Note, if you use SpywareBlaster and/or IE/Spyads, it may be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.)



Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

----------------------

Next Download SDFix.exe and save it to your desktop.

===================================================


Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


In Safe Mode, click the SDFix.exe and allow it to extract to its own folder. Open the extracted folder and double click RunThis.bat to start the script.


Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Then open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back here along with the combofix.txt and a new HijackThis log please.
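An added example, not code from the thread or from HijackThis: the triage that the reply above applies by hand, as a Python script run over a handful of constructed HijackThis lines modelled on the log in post #1. It flags O23 services with an unknown owner and a missing binary (and emits the same sc stop / sc delete pairs), O4 Run entries that launch unexpected binaries from the Windows tree, a non-DLL O18 filter, an O20 Winlogon notify DLL outside the usual folders, and the R1 proxy as something to confirm with the owner. The allow-list of stock XP autostart names is a constructed, illustrative one.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 format, modelled on the log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://NTSERVER:80
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O18 - Filter: text/html - {A8981DB9-B2B3-47D7-A890-9C9D9F4C5552} - C:\WINDOWS\mfA.tmp
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Routing and Remote Access RemoteAccessRpcSs (RemoteAccessRpcSs) - Unknown owner - C:\WINDOWS\system32\SHDOC401f.exe (file missing)
O23 - Service: Automatic Updates wuauservxmlprov (wuauservxmlprov) - Unknown owner - C:\WINDOWS\system32\Flying Windowsh.exe (file missing)
"""

# Constructed, illustrative allow-list of stock XP autostart names (a real one is longer).
STOCK_XP_AUTOSTARTS = {"systray.exe", "dumprep"}

R1_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O18_RE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{[^}]+\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)


@dataclass
class Finding:
    section: str   # HijackThis section (R1, O4, O18, O20, O23)
    subject: str   # file name or service short name
    reason: str


def _exe_from_command(cmd: str) -> str:
    """Pull the executable out of a Run-key command line (quoted or bare)."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def _in_windows_tree(path: str) -> bool:
    """A bare name resolves from System32 at logon, so treat it like a Windows-tree path."""
    p = path.lower()
    return "\\" not in p or p.startswith(("c:\\windows", "%systemroot%", "%windir%"))


def triage(log_text: str) -> list[Finding]:
    """Apply the checks a helper applies by eye to a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R1_RE.match(line):
            findings.append(Finding("R1", m["proxy"],
                                    "proxy server configured; confirm with the owner/ISP before fixing"))
        elif m := O4_RE.match(line):
            exe = _exe_from_command(m["cmd"])
            base = ntpath.basename(exe)
            if _in_windows_tree(exe) and base.lower() not in STOCK_XP_AUTOSTARTS:
                findings.append(Finding("O4", base,
                                        f"Run entry '{m['name']}' starts an unexpected binary from the Windows tree"))
        elif m := O18_RE.match(line):
            if not m["path"].lower().endswith(".dll"):
                findings.append(Finding("O18", ntpath.basename(m["path"]),
                                        f"{m['mime']} filter served by a non-DLL file"))
        elif m := O20_RE.match(line):
            if not m["path"].lower().startswith(("c:\\windows\\system32", "c:\\program files")):
                findings.append(Finding("O20", ntpath.basename(m["path"]),
                                        "Winlogon notify DLL outside System32 and Program Files"))
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner" and "(file missing)" in m["path"]:
                findings.append(Finding("O23", m["short"] or m["display"],
                                        "service with unknown owner whose binary is gone"))
    return findings


def suggested_sc_commands(findings: list[Finding]) -> list[str]:
    """The sc stop / sc delete pairs the reply above issued for orphaned services."""
    cmds: list[str] = []
    for f in findings:
        if f.section == "O23":
            cmds += [f"sc stop {f.subject}", f"sc delete {f.subject}"]
    return cmds


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.subject:<22} {f.reason}")
    print("\n".join(suggested_sc_commands(triage(SAMPLE_LOG))))
```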

#3 - August 6th, 2007, 08:15 PM - sweetiris (New Member)
It's still only booting into safe mode. I disabled the automatic restart after system failure so I could read the error message on the blue screen. It said PAGE_FAULT_IN_NONPAGED_AREA.
***STOP: 0x00000050 (0xFP14a000, 0x00000000, 0xFAABOB7C, 0x00000000)
Right before it started booting only into safe mode I'd gone into Services under Administrative Tools in the Control Panel. Could I have changed something there that would cause it to only boot into safe mode?

I've done everything you said except delete the hijack entry about the proxy server. I still have to check but I'm pretty sure it's supposed to be there.


Combofix:
ComboFix 07-08-04.3 - "Administrator" 2007-08-05 22:58:50.1 [GMT -4:00] - FAT32 [SAFE MODE]
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
C:\DOCUME~1\jlsadm\APPLIC~1\install.dat
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\qqd.sys
C:\WINDOWS\csrss.exe
C:\WINDOWS\start.exe
C:\WINDOWS\system32\55463641.dll
C:\WINDOWS\system32\9_exception.nls
C:\WINDOWS\system32\dllh8jkd1q1.exe
C:\WINDOWS\system32\dllh8jkd1q2.exe
C:\WINDOWS\system32\dllh8jkd1q5.exe
C:\WINDOWS\system32\dllh8jkd1q6.exe
C:\WINDOWS\system32\dllh8jkd1q7.exe
C:\WINDOWS\system32\dllh8jkd1q8.exe
C:\WINDOWS\system32\gmc.exe.exe
C:\WINDOWS\system32\kernelwind32.exe
C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\pfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtsmt.dll
C:\WINDOWS\system32\pfxzmtsmtspm.dll
C:\WINDOWS\system32\pfxzmtwbmail.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\WINDOWS\system32\vedxg4am1et2.exe
C:\WINDOWS\system32\vedxg6ame4.exe
C:\WINDOWS\system32\vedxga3me2.exe
C:\WINDOWS\system32\vedxga4m1et4.exe
C:\WINDOWS\system32\vedxga4me1.exe
C:\WINDOWS\system32\vedxga5me3.exe
C:\WINDOWS\system32\vtroll.dll
C:\WINDOWS\system32\vx.tll
Restored copy from - C:\WINDOWS\system32\dllcache\ndis.sys



((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC3550U
-------\LEGACY_FWDRV.SYS
-------\LEGACY_JHRR64
-------\LEGACY_QQD.SYS
-------\LEGACY_RUNTIME
-------\asc3550u
-------\fwdrv.sys
-------\qqd.sys


((((((((((((((((((((((((( Files Created from 2007-07-06 to 2007-08-06 )))))))))))))))))))))))))))))))


2007-08-05 23:31 <DIR> d--hs---- C:\FOUND.000
2007-08-05 22:57 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-05 22:53 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-07-30 01:53 168,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Jhrr64.sys
2007-07-30 01:52 7,968 --a------ C:\WINDOWS\SYSTEM32\spooldr.sys
2007-07-30 01:52 168,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symavc32.sys
2007-07-30 01:52 113,088 --a------ C:\WINDOWS\spooldr.exe
2007-07-30 01:51 155,648 --a------ C:\WINDOWS\BillGatesLoh.exe
2007-07-24 06:11 12,033 --a------ C:\WINDOWS\win32.exe
2007-07-24 06:09 8,704 --a------ C:\WINDOWS\SYSTEM32\sporder.dll
2007-07-24 04:42 34,289 --a------ C:\WINDOWS\uvx.exe
2007-07-18 06:00 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-07-18 06:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-07-18 06:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-07-17 23:26 8,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\fhlmrcmmbrqg.sys
2007-07-17 23:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-07-17 20:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-07-17 16:02 3,670,016 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-07-17 15:45 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-07-15 03:02 <DIR> d--hs---- C:\FOUND.010
2007-07-11 21:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-07-11 21:32 <DIR> d-------- C:\Program Files\Security Task Manager
2007-07-10 16:21 165,888 --a------ C:\WINDOWS\x97uzh74.exe
2007-07-06 15:00 <DIR> d-------- C:\WINDOWS\pss


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 01:52 374400 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-07-30 01:52 374400 --a------ C:\WINDOWS\system32\dllcache\tcpip.sys
2007-07-16 18:23 162 --ahs---- C:\WINDOWS\system32\858330841.dat
2007-07-06 15:08 116906 --a------ C:\WINDOWS\HPHins10.dat
2007-07-04 16:52 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-06-28 22:10 --------- d-------- C:\Program Files\SpywareBlaster
2007-06-28 13:36 67072 --a------ C:\ycrle.exe
2007-06-28 13:36 67072 --a------ C:\WINDOWS\system32\szkzojal.exe
2007-05-28 00:14 78144 --a------ C:\WINDOWS\hpfins05.dat
2003-12-01 17:13 793 --a------ C:\Program Files\INSTALL.LOG
2002-09-22 15:28 266 ---hs---- C:\Program Files\desktop.ini
2002-09-22 15:28 11079 --a------ C:\Program Files\folder.htt

C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
374,400 2007-07-30 05:52:54 C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
374,400 2007-07-30 05:52:44 C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
359,808 2006-04-20 11:51:50 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys
360,576 2006-04-20 12:18:36 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2qfe\tcpip.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83E915D4-DDDB-4450-B957-7A3240E9CE66}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2004-08-04 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 21:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"szkzojal.exe"="C:\WINDOWS\system32\szkzojal.exe" [2007-06-28 13:36]
"BillGatesLoh.exe"="C:\WINDOWS\BillGatesLoh.exe" [2007-07-30 01:51]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Printing Migration"=rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [1999-02-17 20:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-04-26 21:18 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD LT Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD LT Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD LT Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EnsoniqMixer"=C:\WINDOWS\starter.exe
"CriticalUpdate"=C:\WINDOWS\SYSTEM32\WUCRTUPD.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"TCASUTIEXE"=TCAUDIAG.EXE -off
"WinampAgent"="C:\Program Files\Winamp3\winampa.exe"
"LoadQM"=loadqm.exe
"CallControl 4.5"=C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
"NetOnHold"=C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\system32\DRIVERS\pxfsf.sys
R1 PXRDDriver;PREVX Rootkitscan driver;C:\WINDOWS\system32\DRIVERS\pxrd.sys
S1 PREVXTdi;PREVX TDI filter;C:\WINDOWS\system32\DRIVERS\pxtdi.sys
S1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
S1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
S2 CdaC15BA;CdaC15BA;\??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS
S2 LmHostsdmserver;TCP/IP NetBIOS Helper LmHostsdmserver;C:\WINDOWS\system32\HCFCSA32t.exe srv
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 PREVXEmulator;PREVX Emulator driver;C:\WINDOWS\system32\DRIVERS\PxEmu.sys
S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\UPDCRL.EXE -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

Contents of the 'Scheduled Tasks' folder
2007-07-07 18:00:04 C:\WINDOWS\Tasks\Tune-up Application Start.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-05 23:32:42
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-05 23:35:09 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-05 23:35

--- E O F ---




SDFix ran but when the computer rebooted nothing ever came up saying it was finished.

SDFix: Version 1.95

Run by Administrator on Sun 08/05/2007 at 11:44 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Patched tcpip.sys Found!

tcpip.sys File Locations:

C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2qfe\tcpip.sys

MD5 Checksum:

[C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys] E883CB0AAC89B91A6B053ACA99484FF0
[C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys] E883CB0AAC89B91A6B053ACA99484FF0
[C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys] 1DBF125862891817F374F407626967F4
[C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2qfe\tcpip.sys] B2220C618B42A2212A59D91EBD6FC4B4


Detected Patched Files Are Listed Below:

C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys

Note: SDFix Does Not Repair This File!

Please Scan All Files Above At VirusTotal!
If No Clean Copies Are Found Download The Below Update To Restore Original Files:

http://www.microsoft.com/technet/sec.../ms06-032.mspx


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service



HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 1:18:46 AM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dog.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://NTSERVER:80
O2 - BHO: H - {83E915D4-DDDB-4450-B957-7A3240E9CE66} - zoox1.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [szkzojal.exe] C:\WINDOWS\system32\szkzojal.exe
O4 - HKLM\..\Run: [BillGatesLoh.exe] C:\WINDOWS\BillGatesLoh.exe
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\RunOnce: [SDFix] C:\SDFIX\RUNTHIS.BAT /second
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://birdieboutique.viewnetcam.com:87/kxhcm10.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1177565592151
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/dow...in/actxcab.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/A...oadcontrol.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...setup142f1.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: TCP/IP NetBIOS Helper LmHostsdmserver (LmHostsdmserver) - Unknown owner - C:\WINDOWS\system32\HCFCSA32t.exe (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: System Restore Service (srservice) - Unknown owner - % (file missing)

Last edited by sweetiris; August 6th, 2007 at 09:10 PM.

#4 - August 6th, 2007, 09:29 PM - Jintan (Cyber Tech Help Moderator)
Pretty seriously infected - quite a bit removed by those very good tools but there is an essential net access file that has been modified by infection, and the backup for it as well. I am going to need to review for the best method to get a clean file copy installed to correct that.

#5 - August 6th, 2007, 09:33 PM - Jintan (Cyber Tech Help Moderator)
If you would, PM me and provide an email address where I can send a clean copy of this file to as an attachment. You will need to retrieve it from another machine via email and transfer it to this one to replace the bad file. Or if you have another XP computer in the home, locate and make a copy of the following file and save that to a floppy or flash drive - some method of transferring it to this problem computer.

C:\WINDOWS\system32\drivers\tcpip.sys

#6 - August 7th, 2007, 03:19 AM - Jintan (Cyber Tech Help Moderator)
I can see we will need you to have a good copy of that file on hand now. Let me know if you can get a copy and have the means to transfer it to the problem computer.

#7 - August 7th, 2007, 06:23 PM - sweetiris (New Member)
I'll PM you right now with my email address.

#8 - August 7th, 2007, 06:43 PM - sweetiris (New Member)
I don't know if this info is needed or not, but when I get the 0x00000050 error it says that disabling BIOS memory options such as caching or shadowing might help. Is this something I need to do? If so, how?

#9 - August 7th, 2007, 07:58 PM - Jintan (Cyber Tech Help Moderator)
The infection has many items of infection loading as services, as well as that essential modified file we have been discussing. Assuming you have a copy of tcpip.sys now and have placed it in the C drive folder as I suggested, let's see what procedures will work here. This may take a few trials to find what will be the best method.



Go to Start - Run, type notepad (and Enter). In the open textbox copy/paste the following.

Code:
@ECHO OFF
REM Replace the patched driver and its Windows File Protection backup (dllcache)
REM with the clean copy saved as C:\tcpip.sys. Each bad copy is kept as tcpip.vir.
cd c:\windows\system32\drivers
attrib -r -s tcpip.sys
ren tcpip.sys tcpip.vir
copy c:\tcpip.sys c:\windows\system32\drivers
cd C:\WINDOWS\system32\dllcache
attrib -r -s tcpip.sys
ren tcpip.sys tcpip.vir
copy c:\tcpip.sys C:\WINDOWS\system32\dllcache
exit

Then name this "renner.bat", being sure to include the "" quotes in the name, and save it to your desktop.

==========================================

Reboot into Safe Mode (at startup tap F8 and select Safe Mode).


Once in Safe Mode locate and click on renner.bat - a window will open and close quickly - this is normal.


Then again go to the C:\SDFix folder and double click RunThis.bat to start the script.


Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Then open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back here.

============================================

After the reboot Download The Avenger from here to your Desktop and unzip it.

Copy all the text contained in the code box below by highlighting it and right clicking and selecting "Copy"

Code:
Drivers to unload:
spooldr
Jhrr64
symavc32
fhlmrcmmbrqg
x97uzh74

Files to delete:
C:\Windows\spooldr.exe
C:\Windows\system32\drivers\spooldr.sys
C:\WINDOWS\SYSTEM32\DRIVERS\Jhrr64.sys
C:\WINDOWS\SYSTEM32\DRIVERS\symavc32.sys
C:\WINDOWS\BillGatesLoh.exe
C:\WINDOWS\win32.exe
C:\WINDOWS\SYSTEM32\sporder.dll
C:\WINDOWS\uvx.exe
C:\WINDOWS\system32\858330841.dat
C:\WINDOWS\x97uzh74.exe
C:\WINDOWS\SYSTEM32\DRIVERS\fhlmrcmmbrqg.sys
C:\ycrle.exe
C:\WINDOWS\system32\szkzojal.exe

Folders to delete:
C:\FOUND.000
C:\FOUND.010

Now, start The Avenger program by clicking on its icon on your desktop. Look under "Script file to execute" and click on "Input Script Manually". Next click on the Magnifying Glass icon and a blank dialogue box will open called "View/Edit script". Position your mouse inside the box, right-click and choose Paste. All the text above in the code box should now appear there. Click Done and click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.

The Avenger will restart your computer. (if the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)

When you have rebooted, a black command window briefly opens on your desktop; this is normal. A logfile will be created that records all actions that The Avenger performed. This log file is saved to C:\avenger.txt. The deleted files will be backed up and saved to C:\avenger\backup.zip.


=================================================

Once your computer has rebooted, run a new ComboFix scan and post that log back here along with the SDFix report.txt log and the avenger.txt log please.
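An added example, not the thread's own code: the reasoning behind the SDFix checksum report and the renner.bat above, in Python. It audits the in-use tcpip.sys and its dllcache backup against a clean copy, then quarantines both as tcpip.vir and installs the clean file. It assumes the reference copy comes from a clean XP machine at the same service pack and hotfix level, as post #5 suggests; paths and file contents are constructed in a temporary directory.

```python
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Hex digest of a file. SDFix reports MD5; any algorithm serves an equality check."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def audit_driver_copies(live: Path, dllcache: Path, reference: Path) -> dict:
    """Classify the in-use driver and its dllcache backup against a known-good copy.

    The reference is assumed to come from a clean XP machine at the same service pack
    and hotfix level; an older copy from the update download cache differs legitimately
    and would give false alarms.
    """
    ref = file_digest(reference)
    live_ok = file_digest(live) == ref
    cache_ok = file_digest(dllcache) == ref
    if live_ok and cache_ok:
        verdict = "clean"
    elif cache_ok:
        # Windows File Protection can put the intact backup back on its own.
        verdict = "live patched, backup intact"
    else:
        # The case in this thread: both copies carry the same modified file, so WFP
        # would only "restore" the bad driver. Both must be replaced from outside.
        verdict = "live and backup patched"
    return {
        "live_ok": live_ok,
        "dllcache_ok": cache_ok,
        "live_size": live.stat().st_size,
        "reference_size": reference.stat().st_size,
        "verdict": verdict,
    }


def replace_driver_copies(live: Path, dllcache: Path, clean_copy: Path) -> list[Path]:
    """What renner.bat does: keep each bad copy as tcpip.vir, then install the clean one."""
    quarantined: list[Path] = []
    for target in (live, dllcache):
        kept = target.with_suffix(".vir")      # ren tcpip.sys tcpip.vir
        target.rename(kept)
        shutil.copyfile(clean_copy, target)    # copy c:\tcpip.sys <folder>
        quarantined.append(kept)
    return quarantined


def demo(backup_intact: bool = False) -> dict:
    """Constructed scenario in a temp directory; the bytes are made up, not a real driver."""
    root = Path(tempfile.mkdtemp())
    drivers = root / "system32" / "drivers"
    dllcache = root / "system32" / "dllcache"
    drivers.mkdir(parents=True)
    dllcache.mkdir()
    clean = root / "tcpip.sys"                 # the copy brought in from another machine
    clean_bytes = b"CONSTRUCTED clean tcpip.sys image"
    patched_bytes = clean_bytes + b" + injected code"
    clean.write_bytes(clean_bytes)
    (drivers / "tcpip.sys").write_bytes(patched_bytes)
    (dllcache / "tcpip.sys").write_bytes(clean_bytes if backup_intact else patched_bytes)
    before = audit_driver_copies(drivers / "tcpip.sys", dllcache / "tcpip.sys", clean)
    kept = replace_driver_copies(drivers / "tcpip.sys", dllcache / "tcpip.sys", clean)
    after = audit_driver_copies(drivers / "tcpip.sys", dllcache / "tcpip.sys", clean)
    result = {
        "before": before["verdict"],
        "after": after["verdict"],
        "quarantined": [p.name for p in kept],
        "size_matches_after": after["live_size"] == after["reference_size"],
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

On a real XP box the batch file's attrib -r -s step has no equivalent here; the script only models the rename-and-copy logic.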

#10 - August 10th, 2007, 06:04 PM - sweetiris (New Member)
The computer will now boot into normal mode but I still see the blue error screen flicker for a second before it does.

SDFIx:

SDFix: Version 1.95

Run by jlsadm on Wed 08/08/2007 at 10:19 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\30.TMP - Deleted
C:\858330~1 - Deleted
C:\Documents and Settings\jlsadm\Local Settings\Temp\v3xd1.g22me - Deleted
C:\Documents and Settings\jlsadm\Local Settings\Temp\v5xd2.g3ame - Deleted
C:\Documents and Settings\jlsadm\Local Settings\Temp\v4xd3.ga2me - Deleted
C:\Documents and Settings\jlsadm\Local Settings\Temp\v5xd4.ga2me - Deleted
C:\Documents and Settings\jlsadm\Local Settings\Temp\v4xd6.gam5e - Deleted
C:\Documents and Settings\jlsadm\Local Settings\Temp\v6xdt4.game - Deleted
C:\Documents and Settings\jlsadm\Local Settings\Temp\vx3dt2.game - Deleted
C:\Documents and Settings\jlsadm\Local Settings\Temp\vx1dt3.game - Deleted
C:\WINDOWS\spooldr.exe - Deleted
C:\WINDOWS\system32\commands.xml - Deleted
C:\WINDOWS\system32\help.txt - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\spooldr.sys - Deleted
C:\WINDOWS\win32.exe - Deleted
C:\SDFix\backups_old1\v3xd1.g22me - Deleted
C:\SDFix\backups_old1\v5xd2.g3ame - Deleted
C:\SDFix\backups_old1\v4xd3.ga2me - Deleted
C:\SDFix\backups_old1\v5xd4.ga2me - Deleted
C:\SDFix\backups_old1\v4xd6.gam5e - Deleted
C:\SDFix\backups_old1\v6xdt4.game - Deleted
C:\SDFix\backups_old1\vx3dt2.game - Deleted
C:\SDFix\backups_old1\vx1dt3.game - Deleted
C:\SDFix\backups_old1\v3xd1.g22me - Deleted
C:\SDFix\backups_old1\v5xd2.g3ame - Deleted
C:\SDFix\backups_old1\v4xd3.ga2me - Deleted
C:\SDFix\backups_old1\v5xd4.ga2me - Deleted
C:\SDFix\backups_old1\v4xd6.gam5e - Deleted
C:\SDFix\backups_old1\v6xdt4.game - Deleted
C:\SDFix\backups_old1\vx3dt2.game - Deleted
C:\SDFix\backups_old1\vx1dt3.game - Deleted
C:\DOCUME~1\jlsadm\LOCALS~1\Temp\A.tmp.taras - Deleted
C:\DOCUME~1\jlsadm\LOCALS~1\Temp\9.tmp.taras - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Program Files\Uninstall Information\IE40.Comctl32\AINF0000
C:\Program Files\Uninstall Information\mshtml.DllReg\AINF0000
C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll
C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe
C:\Program Files\Autodesk\Autodesk Express Viewer\Setup.exe
C:\20F.tmp
C:\212.tmp
C:\3.tmp
C:\WINDOWS\SYSTEM32\config\SECURITY.tmp.LOG
C:\WINDOWS\SYSTEM32\config\SOFTWARE.tmp.LOG
C:\WINDOWS\SYSTEM32\config\SYSTEM.tmp.LOG
C:\WINDOWS\SYSTEM32\config\DEFAULT.tmp.LOG
C:\WINDOWS\SYSTEM32\config\SAM.tmp.LOG
C:\Documents and Settings\All Users\Desktop\David folder\~WRL2027.TMP
C:\Documents and Settings\All Users\Desktop\David folder\~WRL2203.TMP
C:\Documents and Settings\All Users\Desktop\David folder\~WRL0003.TMP
C:\Documents and Settings\All Users\Desktop\David folder\~WRL2421.tmp
C:\Documents and Settings\All Users\Desktop\David folder\~WRL2878.tmp
C:\Documents and Settings\All Users\Desktop\David folder\~WRL3599.TMP
C:\Documents and Settings\All Users\Desktop\David folder\~WRL3402.TMP
C:\Documents and Settings\All Users\Desktop\David folder\~WRL3676.TMP
C:\Documents and Settings\All Users\Desktop\David folder\~WRL3214.TMP
C:\Documents and Settings\jlsadm\~WRL2068.tmp
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL0001.TMP
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL0004.TMP
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL0005.TMP
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL0929.TMP
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL3072.TMP
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL3456.TMP
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL0816.TMP
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL3404.TMP
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL0006.TMP
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL0387.TMP
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL0007.tmp
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL0478.tmp
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL0008.tmp
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL1592.tmp
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL0089.tmp
C:\Documents and Settings\jlsadm\Application Data\Microsoft\Word\~WRL0436.tmp
C:\Documents and Settings.000\Owner\Application Data\Microsoft\Word\~WRL0003.TMP
C:\Documents and Settings.000\Owner\Application Data\Microsoft\Word\~WRL0472.TMP
C:\Documents and Settings.000\Owner\Application Data\Microsoft\Word\~WRL1603.TMP
C:\Documents and Settings.000\Owner\Application Data\Microsoft\Word\~WRL0191.TMP
C:\Documents and Settings.000\Owner\Application Data\Microsoft\Word\~WRL2526.TMP
C:\Documents and Settings.000\Owner\Application Data\Microsoft\Word\~WRL1498.TMP
C:\Documents and Settings.000\Owner\Application Data\Microsoft\Word\~WRL3660.TMP
C:\Documents and Settings.000\Owner\Application Data\Microsoft\Word\~WRL0004.TMP

Finished



Avenger:
Logfile of The Avenger version 1, by Swandog46

Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ywkqrjij

*******************

Script file located at: \??\C:\Documents and Settings\rrymbbjg.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key \Registry\Machine\System\CurrentControlSet\Services\spooldr not found!
Unload of driver spooldr failed!
Could not process line:
spooldr
Status: 0xc0000034

Registry key \Registry\Machine\System\CurrentControlSet\Services\Jhrr64 not found!
Unload of driver Jhrr64 failed!
Could not process line:
Jhrr64
Status: 0xc0000034

Registry key \Registry\Machine\System\CurrentControlSet\Services\symavc32 not found!
Unload of driver symavc32 failed!
Could not process line:
symavc32
Status: 0xc0000034

Driver fhlmrcmmbrqg unloaded successfully.

Registry key \Registry\Machine\System\CurrentControlSet\Services\x97uzh74 not found!
Unload of driver x97uzh74 failed!
Could not process line:
x97uzh74
Status: 0xc0000034

File C:\Windows\spooldr.exe not found!
Deletion of file C:\Windows\spooldr.exe failed!
Could not process line:
C:\Windows\spooldr.exe
Status: 0xc0000034

File C:\Windows\system32\drivers\spooldr.sys not found!
Deletion of file C:\Windows\system32\drivers\spooldr.sys failed!
Could not process line:
C:\Windows\system32\drivers\spooldr.sys
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\DRIVERS\Jhrr64.sys deleted successfully.
File C:\WINDOWS\SYSTEM32\DRIVERS\symavc32.sys deleted successfully.
File C:\WINDOWS\BillGatesLoh.exe deleted successfully.

File C:\WINDOWS\win32.exe not found!
Deletion of file C:\WINDOWS\win32.exe failed!
Could not process line:
C:\WINDOWS\win32.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\sporder.dll deleted successfully.
File C:\WINDOWS\uvx.exe deleted successfully.
File C:\WINDOWS\system32\858330841.dat deleted successfully.
File C:\WINDOWS\x97uzh74.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\DRIVERS\fhlmrcmmbrqg.sys deleted successfully.
File C:\ycrle.exe deleted successfully.
File C:\WINDOWS\system32\szkzojal.exe deleted successfully.
Folder C:\FOUND.000 deleted successfully.
Folder C:\FOUND.010 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Combofix:
ComboFix 07-08-04.3 - "jlsadm" 2007-08-08 22:59:13.2 [GMT -4:00] - FAT32
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\jlsadm\APPLIC~1\Microsoft\20509.dat


((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-05 23:43 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-05 22:57 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-05 22:53 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-07-18 06:00 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-07-18 06:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-07-18 06:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-07-17 23:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-07-17 20:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-07-17 16:02 3,670,016 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-07-17 15:45 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-07-11 21:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-07-11 21:32 <DIR> d-------- C:\Program Files\Security Task Manager


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 01:52 374400 --a------ C:\WINDOWS\system32\drivers\tcpip.vir
2007-07-30 01:52 374400 --a------ C:\WINDOWS\system32\dllcache\tcpip.vir
2007-07-06 15:08 58832 --a------ C:\DOCUME~1\jlsadm\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-07-06 15:08 116906 --a------ C:\WINDOWS\HPHins10.dat
2007-07-04 16:52 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-06-28 22:10 --------- d-------- C:\Program Files\SpywareBlaster
2007-05-28 00:14 78144 --a------ C:\WINDOWS\hpfins05.dat
2003-12-01 17:13 793 --a------ C:\Program Files\INSTALL.LOG
2002-09-22 15:28 266 ---hs---- C:\Program Files\desktop.ini
2002-09-22 15:28 11079 --a------ C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 21:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gf1.0.0.2"="C:\WINDOWS\system32\NBPDtJPa.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Printing Migration"=rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [1999-02-17 20:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-04-26 21:18 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD LT Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD LT Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD LT Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EnsoniqMixer"=C:\WINDOWS\starter.exe
"CriticalUpdate"=C:\WINDOWS\SYSTEM32\WUCRTUPD.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"TCASUTIEXE"=TCAUDIAG.EXE -off
"WinampAgent"="C:\Program Files\Winamp3\winampa.exe"
"LoadQM"=loadqm.exe
"CallControl 4.5"=C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
"NetOnHold"=C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\system32\DRIVERS\pxfsf.sys
R1 PREVXTdi;PREVX TDI filter;C:\WINDOWS\system32\DRIVERS\pxtdi.sys
R1 PXRDDriver;PREVX Rootkitscan driver;C:\WINDOWS\system32\DRIVERS\pxrd.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R2 CdaC15BA;CdaC15BA;\??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S2 LmHostsdmserver;TCP/IP NetBIOS Helper LmHostsdmserver;C:\WINDOWS\system32\HCFCSA32t.exe srv
S3 PREVXEmulator;PREVX Emulator driver;C:\WINDOWS\system32\DRIVERS\PxEmu.sys
S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\UPDCRL.EXE -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

Contents of the 'Scheduled Tasks' folder
2007-07-07 18:00:04 C:\WINDOWS\Tasks\Tune-up Application Start.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 23:05:39
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-08 23:08:46
C:\ComboFix-quarantined-files.txt ... 2007-08-08 23:08
C:\ComboFix2.txt ... 2007-08-05 23:35

--- E O F ---
  #11  
Old August 11th, 2007, 01:22 AM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
Excellent work, and I think I see the source of the remaining bootup flicker.


Can you tell me why the following has, at some past time, been disabled from startup? It appears to be a known normal Windows update indicator.

"CriticalUpdate"=C:\WINDOWS\SYSTEM32\WUCRTUPD.EXE -startup

Also when you post back let me know if Prevx is still installed there - some of its services show but little else.


Go to Start > Run and type

cmd

and OK. Type (or copy/paste one at a time) the below commands and hit "Enter" after each line

sc stop LmHostsdmserver
sc delete LmHostsdmserver


Type Exit to close.



Next locate and delete those infected files you renamed with that bat file.

C:\WINDOWS\system32\drivers\tcpip.vir
C:\WINDOWS\system32\dllcache\tcpip.vir


Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.



Then Disable your antivirus program (remember to re-enable it once this scan is complete) and go here (be sure to re-enable it after the scan completes) and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and take a break for a while.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export the scan report". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All. Then copy/paste that log back here along with a new HijackThis and ComboFix scan log please.
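The sc stop / sc delete instruction above targets a service that is hiding behind a familiar name: "TCP/IP NetBIOS Helper" is the display name of the built-in LmHosts service, which runs inside svchost.exe, whereas the ComboFix line shows a service named LmHostsdmserver running C:\WINDOWS\system32\HCFCSA32t.exe. The Python below is an added example for this thread, not ComboFix code, that checks a pasted ComboFix service listing for exactly that pattern (a display name that contains a built-in's display name without the built-in's service name and binary) and emits the matching sc.exe lines. The allowlist of built-ins is a small illustrative subset, an assumption for the example; the sample lines are the service entries from the ComboFix log posted above.

```python
"""Flag services in a ComboFix service listing whose display name imitates a Windows
built-in but whose service name or binary does not belong to it (added example for this
thread, not ComboFix code; the allowlist below is a small illustrative subset)."""
import re
from typing import Dict, List, NamedTuple, Tuple


class Service(NamedTuple):
    running: bool     # ComboFix prefix: R = running, S = stopped
    start_type: int   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    image: str


# Display name -> (service name, binary) for a few XP built-ins. Assumption for the
# example: a real check would carry the full list taken from a clean reference machine.
BUILTIN: Dict[str, Tuple[str, str]] = {
    "TCP/IP NetBIOS Helper": ("LmHosts", "svchost.exe"),
    "Print Spooler": ("Spooler", "spoolsv.exe"),
    "Windows Time": ("W32Time", "svchost.exe"),
}

_LINE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.*)$")
_BINARY = re.compile(r"([^\\/]+?\.(?:exe|sys|dll))(?:\s|$)", re.I)


def parse_services(listing: str) -> List[Service]:
    """Parse 'R0 name;display;image' lines; anything else in the paste is skipped."""
    out = []
    for line in listing.splitlines():
        if m := _LINE.match(line.strip()):
            out.append(Service(m[1] == "R", int(m[2]), m[3], m[4], m[5]))
    return out


def binary_name(image: str) -> str:
    """File name of the service binary, ignoring '\\??\\' prefixes, spaces in the path
    and trailing arguments such as 'HCFCSA32t.exe srv' or 'svchost.exe -k netsvcs'."""
    m = _BINARY.search(image)
    return m[1].lower() if m else image.lower()


def find_impostors(services: List[Service]) -> List[Tuple[Service, str]]:
    """A service whose display name contains a built-in's display name must also have
    that built-in's service name and binary; otherwise it is hiding behind the name."""
    findings = []
    for svc in services:
        for display, (real_name, real_exe) in BUILTIN.items():
            if display.lower() not in svc.display.lower():
                continue
            if svc.name.lower() != real_name.lower() or binary_name(svc.image) != real_exe:
                findings.append((svc, f"display name imitates '{display}' ({real_name} -> {real_exe}) "
                                      f"but service is '{svc.name}' running {binary_name(svc.image)}"))
    return findings


def remediation_commands(findings: List[Tuple[Service, str]]) -> List[str]:
    """The sc.exe lines from the post above, generated for each impostor found."""
    cmds = []
    for svc, _ in findings:
        cmds += [f"sc stop {svc.name}", f"sc delete {svc.name}"]
    return cmds


# Service lines copied from the ComboFix log posted above.
SAMPLE_LISTING = r"""
R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\system32\DRIVERS\pxfsf.sys
R1 PREVXTdi;PREVX TDI filter;C:\WINDOWS\system32\DRIVERS\pxtdi.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R2 CdaC15BA;CdaC15BA;\??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S2 LmHostsdmserver;TCP/IP NetBIOS Helper LmHostsdmserver;C:\WINDOWS\system32\HCFCSA32t.exe srv
S3 PREVXEmulator;PREVX Emulator driver;C:\WINDOWS\system32\DRIVERS\PxEmu.sys
"""

if __name__ == "__main__":
    hits = find_impostors(parse_services(SAMPLE_LISTING))
    for svc, why in hits:
        print(f"{svc.name}: {why}")
    print("\n".join(remediation_commands(hits)))
```

The check is deliberately narrow: it only fires when a display name borrows a known built-in's, so the Prevx and SUPERAntiSpyware drivers in the same listing pass untouched, and the genuine "R2 LmHosts;TCP/IP NetBIOS Helper;...\svchost.exe -k LocalService" entry would pass too. Start type 2 (auto start) on the flagged entry is what made it survive reboots, which is why the post both stops and deletes it.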
  #12  
Old August 15th, 2007, 07:08 AM
sweetiris sweetiris is offline
New Member
 
Join Date: Aug 2007
Posts: 8
I have no idea why that was disabled at startup.

Prevx was on there but after uninstalling it I still can't get rid of all of it.

Bitdefender:
BitDefender Online Scanner

Scan report generated at: Wed, Aug 15, 2007 - 01:28:44


Scan path: A:\;C:\;D:\;



Statistics

Time
01:27:21

Files
129064

Folders
3408

Boot Sectors
2

Archives
1229

Packed Files
7087




Results

Identified Viruses
29

Infected Files
114

Suspect Files
3

Warnings
0

Disinfected
0

Deleted Files
114




Engines Info

Virus Definitions
711068

Engine build
AVCORE v1.0 (build 2411) (i386) (Jul 9 2007 12:10:22)

Scan plugins
14

Archive plugins
37

Unpack plugins
6

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Prompt

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\cd1500.nls
Infected with: Trojan.Spambot.BXZ

C:\cd1500.nls
Disinfection failed

C:\cd1500.nls
Deleted

C:\WINDOWS\SYSTEM32\ActiveScan\pskahk.dll
Infected with: Generic.Malware.SIMDWYNVdprn.D9407F4E

C:\WINDOWS\SYSTEM32\ActiveScan\pskahk.dll
Disinfection failed

C:\WINDOWS\SYSTEM32\ActiveScan\pskahk.dll
Deleted

C:\cd1467.nls
Infected with: Trojan.Spambot.BXZ

C:\cd1467.nls
Disinfection failed

C:\cd1467.nls
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0052828.exe
Suspected of: Generic.Malware.Fdld.647C17D5

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0052828.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0053837.exe
Infected with: Trojan.Tibs.BU

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0053837.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0053837.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0060955.EXE
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0060955.EXE
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0060955.EXE
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0057877.EXE
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0057877.EXE
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0057877.EXE
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0057889.EXE
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0057889.EXE
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0057889.EXE
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0057904.EXE
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0057904.EXE
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0057904.EXE
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0059927.EXE
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0059927.EXE
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0059927.EXE
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069198.exe
Infected with: DeepScan:Generic.PWS.Games.4.D5CBC5F6

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069198.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069198.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0059939.EXE
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0059939.EXE
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0059939.EXE
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0061966.EXE
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0061966.EXE
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0061966.EXE
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0061974.exe
Infected with: Trojan.Dropper.Small.NCF

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0061974.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0061974.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0061975.exe=>(Embedded EXE o)
Infected with: DeepScan:Generic.Malware.dld!!.12EBAEDE

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0061975.exe=>(Embedded EXE o)
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0061975.exe=>(Embedded EXE o)
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0061975.exe
Update failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0061976.exe
Infected with: Trojan.Downloader.Small.AACM

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0061976.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0061976.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062965.dll
Infected with: Trojan.Peed.HUA

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062965.dll
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062965.dll
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062967.EXE
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062967.EXE
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062967.EXE
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062972.exe
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062972.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062972.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062973.exe
Infected with: Trojan.Peed.IBS

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062973.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062973.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062975.dll
Infected with: Trojan.Peed.HUA

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062975.dll
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062975.dll
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062977.EXE
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062977.EXE
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062977.EXE
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0052825.dll
Infected with: Trojan.Peed.HUA

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0052825.dll
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0052825.dll
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0058913.dll
Infected with: Trojan.Spy.VL

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0058913.dll
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0058913.dll
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062987.EXE
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062987.EXE
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0062987.EXE
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0064999.DLL
Infected with: Trojan.Peed.HUA

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0064999.DLL
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0064999.DLL
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0065002.EXE
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0065002.EXE
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0065002.EXE
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0066006.dll
Infected with: Trojan.Peed.HUA

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0066006.dll
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0066006.dll
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067014.EXE
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067014.EXE
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067014.EXE
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067023.EXE
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067023.EXE
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067023.EXE
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067055.dll
Infected with: Trojan.Spy.Agent.NFX

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067055.dll
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067055.dll
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067058.dll
Infected with: Trojan.Pws.Banker.BU

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067058.dll
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067058.dll
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067064.EXE
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067064.EXE
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067064.EXE
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067075.exe
Infected with: Trojan.Dropper.Small.NCF

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067075.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067075.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067076.exe
Infected with: DeepScan:Generic.Malware.dld!!.33F290E1

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067076.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067076.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067077.exe
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067077.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067077.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067078.exe
Infected with: Trojan.Downloader.Small.AADY

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067078.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067078.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067079.exe
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067079.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067079.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067080.exe
Infected with: Trojan.Peed.Gen

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067080.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067080.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067081.exe
Infected with: Trojan.Peed.IAM

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067081.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0067081.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068063.exe
Suspected of: Generic.Malware.Fdld.647C17D5

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068063.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068065.EXE
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068065.EXE
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068065.EXE
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068102.dll
Infected with: Trojan.Spy.VL

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068102.dll
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068102.dll
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068103.dll
Infected with: Trojan.Peed.HUA

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068103.dll
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068103.dll
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068104.dll
Infected with: Trojan.Spy.Agent.NFX

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068104.dll
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068104.dll
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068122.exe
Infected with: Dropped:Rootkit.Agent.GE

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068122.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068122.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068123.DLL
Infected with: Trojan.Pws.Banker.BU

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068123.DLL
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068123.DLL
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068124.DLL
Infected with: Trojan.Spambot.BXB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068124.DLL
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068124.DLL
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068125.exe
Infected with: Trojan.Downloader.Small.CXX

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068125.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068125.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068144.exe
Infected with: Trojan.Peed.IBY

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068144.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068144.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068153.exe
Infected with: Trojan.Dropper.Small.NCF

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068153.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068153.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068154.exe
Infected with: DeepScan:Generic.Malware.dld!!.7A5D2237

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068154.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068154.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068155.exe
Infected with: Trojan.Peed.IBY

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068155.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068155.exe
Deleted
  #13  
Old August 15th, 2007, 07:09 AM
sweetiris sweetiris is offline
New Member
 
Join Date: Aug 2007
Posts: 8
C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068156.exe
Infected with: Trojan.Downloader.Small.AADY

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068156.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068156.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068157.exe
Infected with: Trojan.Peed.IBY

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068157.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068157.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068158.exe
Infected with: Trojan.Peed.IBX

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068158.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068158.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068159.exe
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068159.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068159.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068160.exe
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068160.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068160.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068161.exe
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068161.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068161.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068162.exe
Infected with: Trojan.Peed.IBU

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068162.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068162.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068164.exe
Infected with: Trojan.Peed.IBY

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068164.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068164.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068166.exe
Infected with: Trojan.LdPinch.AA

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068166.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068166.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068168.exe
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068168.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068168.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068172.sys
Infected with: Trojan.Dropper.Spambot.BXZ

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068172.sys
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0068172.sys
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069272.exe
Infected with: Trojan.Peed.IBY

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069272.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069272.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069273.sys
Infected with: Trojan.Peed.HZS

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069273.sys
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069273.sys
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069274.exe
Infected with: Trojan.Peed.IBB

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069274.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069274.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069325.sys
Infected with: Trojan.Patched.X

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069325.sys
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069325.sys
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069326.sys
Infected with: Trojan.Patched.X

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069326.sys
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069326.sys
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069405.exe
Infected with: Trojan.LdPinch.AA

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069405.exe
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069405.exe
Deleted

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069532.dll
Infected with: Generic.Malware.SIMDWYNVdprn.D9407F4E

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069532.dll
Disinfection failed

C:\System Volume Information\_restore{E56DC6F5-D08E-49AE-B734-69F4623AB38D}\RP117\A0069532.dll
Deleted

C:\cd1334.nls
Infected with: Trojan.Spambot.BXZ

C:\cd1334.nls
Disinfection failed

C:\cd1334.nls
Deleted

C:\cd2169.nls
Infected with: Trojan.Spambot.BXZ

C:\cd2169.nls
Disinfection failed

C:\cd2169.nls
Deleted

C:\cd2724.nls
Infected with: Trojan.Spambot.BXZ

C:\cd2724.nls
Disinfection failed

C:\cd2724.nls
Deleted

C:\cd2478.nls
Infected with: Trojan.Spambot.BXZ

C:\cd2478.nls
Disinfection failed

C:\cd2478.nls
Deleted

C:\cd2358.nls
Infected with: Trojan.Spambot.BXZ

C:\cd2358.nls
Disinfection failed

C:\cd2358.nls
Deleted

C:\cd1962.nls
Infected with: Trojan.Spambot.BXZ

C:\cd1962.nls
Disinfection failed

C:\cd1962.nls
Deleted

C:\cd1464.nls
Infected with: Trojan.Spambot.BXZ

C:\cd1464.nls
Disinfection failed

C:\cd1464.nls
Deleted

C:\cd2705.nls
Infected with: Trojan.Spambot.BXZ

C:\cd2705.nls
Disinfection failed

C:\cd2705.nls
Deleted

C:\cd1145.nls
Infected with: Trojan.Spambot.BXZ

C:\cd1145.nls
Disinfection failed

C:\cd1145.nls
Deleted

C:\cd2281.nls
Infected with: Trojan.Spambot.BXZ

C:\cd2281.nls
Disinfection failed

C:\cd2281.nls
Deleted

C:\cd1827.nls
Infected with: Trojan.Spambot.BXZ

C:\cd1827.nls
Disinfection failed

C:\cd1827.nls
Deleted

C:\cd2961.nls
Infected with: Trojan.Spambot.BXZ

C:\cd2961.nls
Disinfection failed

C:\cd2961.nls
Deleted

C:\cd1491.nls
Infected with: Trojan.Spambot.BXZ

C:\cd1491.nls
Disinfection failed

C:\cd1491.nls
Deleted

C:\cd1995.nls
Infected with: Trojan.Spambot.BXZ

C:\cd1995.nls
Disinfection failed

C:\cd1995.nls
Deleted

C:\cd2942.nls
Infected with: Trojan.Spambot.BXZ

C:\cd2942.nls
Disinfection failed

C:\cd2942.nls
Deleted

C:\cd2436.nls
Infected with: Trojan.Spambot.BXZ

C:\cd2436.nls
Disinfection failed

C:\cd2436.nls
Deleted

C:\cd1391.nls
Infected with: Trojan.Spambot.BXZ

C:\cd1391.nls
Disinfection failed

C:\cd1391.nls
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gmc.exe.exe.vir
Infected with: Trojan.Peed.IBY

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gmc.exe.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gmc.exe.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxga4me1.exe.vir
Infected with: Trojan.Dropper.Small.NCF

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxga4me1.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxga4me1.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxga3me2.exe.vir
Infected with: DeepScan:Generic.Malware.dld!!.7A5D2237

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxga3me2.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxga3me2.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxg4am1et2.exe.vir
Infected with: Trojan.Peed.IBY

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxg4am1et2.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxg4am1et2.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxga5me3.exe.vir
Infected with: Trojan.Downloader.Small.AADY

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxga5me3.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxga5me3.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxg6ame4.exe.vir
Infected with: Trojan.Peed.IBY

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxg6ame4.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxg6ame4.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxga4m1et4.exe.vir
Infected with: Trojan.Peed.IBX

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxga4m1et4.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vedxga4m1et4.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dllh8jkd1q2.exe.vir
Infected with: Trojan.Peed.IBB

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dllh8jkd1q2.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dllh8jkd1q2.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dllh8jkd1q6.exe.vir
Infected with: Trojan.Peed.IBB

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dllh8jkd1q6.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dllh8jkd1q6.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dllh8jkd1q7.exe.vir
Infected with: Trojan.Peed.IBB

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dllh8jkd1q7.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dllh8jkd1q7.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dllh8jkd1q1.exe.vir
Infected with: Trojan.Peed.IBU

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dllh8jkd1q1.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dllh8jkd1q1.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dllh8jkd1q5.exe.vir
Infected with: Trojan.Peed.IBY

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dllh8jkd1q5.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dllh8jkd1q5.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kernelwind32.exe.vir
Infected with: Trojan.Peed.IBB

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kernelwind32.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kernelwind32.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\ndis.sys.vir
Infected with: Trojan.Dropper.Spambot.BXZ

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\ndis.sys.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\ndis.sys.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\csrss.exe.vir
Infected with: Trojan.LdPinch.AA

C:\QooBox\Quarantine\C\WINDOWS\csrss.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\csrss.exe.vir
Deleted

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\bot.dll.vir
Infected with: Trojan.Agent.AANB

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\bot.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\bot.dll.vir
Deleted

C:\SDFix\backups\backups.zip=>backups/v3xd1.g22me
Infected with: Trojan.Dropper.Small.NCF

C:\SDFix\backups\backups.zip=>backups/v3xd1.g22me
Disinfection failed

C:\SDFix\backups\backups.zip=>backups/v3xd1.g22me
Deleted

C:\SDFix\backups\backups.zip
Updated

C:\SDFix\backups\backups.zip=>backups/v5xd2.g3ame
Infected with: DeepScan:Generic.Malware.dld!!.7A5D2237

C:\SDFix\backups\backups.zip=>backups/v5xd2.g3ame
Disinfection failed

C:\SDFix\backups\backups.zip=>backups/v5xd2.g3ame
Deleted

C:\SDFix\backups\backups.zip
Updated

C:\SDFix\backups\backups.zip=>backups/v4xd3.ga2me
Infected with: Trojan.Downloader.Small.AADY

C:\SDFix\backups\backups.zip=>backups/v4xd3.ga2me
Disinfection failed

C:\SDFix\backups\backups.zip=>backups/v4xd3.ga2me
Deleted

C:\SDFix\backups\backups.zip
Updated

C:\SDFix\backups\backups.zip=>backups/v5xd4.ga2me
Infected with: Trojan.Peed.IBY

C:\SDFix\backups\backups.zip=>backups/v5xd4.ga2me
Disinfection failed

C:\SDFix\backups\backups.zip=>backups/v5xd4.ga2me
Deleted

C:\SDFix\backups\backups.zip
Updated

C:\SDFix\backups\backups.zip=>backups/v4xd6.gam5e
Infected with: Trojan.Peed.Gen

C:\SDFix\backups\backups.zip=>backups/v4xd6.gam5e
Disinfection failed

C:\SDFix\backups\backups.zip=>backups/v4xd6.gam5e
Deleted

C:\SDFix\backups\backups.zip
Updated

C:\SDFix\backups\backups.zip=>backups/v6xdt4.game
Infected with: Trojan.Peed.IBX

C:\SDFix\backups\backups.zip=>backups/v6xdt4.game
Disinfection failed

C:\SDFix\backups\backups.zip=>backups/v6xdt4.game
Deleted

C:\SDFix\backups\backups.zip
Updated

C:\SDFix\backups\backups.zip=>backups/vx3dt2.game
Infected with: Trojan.Peed.IBY

C:\SDFix\backups\backups.zip=>backups/vx3dt2.game
Disinfection failed

C:\SDFix\backups\backups.zip=>backups/vx3dt2.game
Deleted

C:\SDFix\backups\backups.zip
Updated

C:\SDFix\backups\backups.zip=>backups/vx1dt3.game
Suspected of: Generic.Malware.Fdld.647C17D5

C:\SDFix\backups\backups.zip=>backups/vx1dt3.game
Disinfection failed

C:\SDFix\backups_old2\30.tmp
Infected with: Trojan.Peed.IAM

C:\SDFix\backups_old2\30.tmp
Disinfection failed

C:\SDFix\backups_old2\30.tmp
Deleted

C:\SDFix\backups_old2\spooldr.exe
Infected with: Trojan.Peed.IBY

C:\SDFix\backups_old2\spooldr.exe
Disinfection failed

C:\SDFix\backups_old2\spooldr.exe
Deleted

C:\SDFix\backups_old2\spooldr.sys
Infected with: Trojan.Peed.HZS

C:\SDFix\backups_old2\spooldr.sys
Disinfection failed

C:\SDFix\backups_old2\spooldr.sys
Deleted

C:\SDFix\backups_old2\win32.exe
Infected with: Trojan.Peed.IBB

C:\SDFix\backups_old2\win32.exe
Disinfection failed

C:\SDFix\backups_old2\win32.exe
Deleted

C:\avenger\backup.zip=>avenger/uvx.exe
Infected with: Trojan.LdPinch.AA

C:\avenger\backup.zip=>avenger/uvx.exe
Disinfection failed

C:\avenger\backup.zip=>avenger/uvx.exe
Deleted

C:\avenger\backup.zip
Updated
  #14  
Old August 15th, 2007, 07:10 AM
sweetiris sweetiris is offline
New Member
 
Join Date: Aug 2007
Posts: 8
Combofix:
ComboFix 07-08-04.3 - "jlsadm" 2007-08-15 1:41:01.3 [GMT -4:00] - FAT32
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))


2007-08-09 01:59 <DIR> d-------- C:\4168f3ed4a781bd6ff61
2007-08-09 01:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2007-08-09 01:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2007-08-09 01:48 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-09 01:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-05 23:43 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-05 22:57 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-05 22:53 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-07-18 06:00 23,856 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-07-18 06:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-07-18 06:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-07-17 23:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-07-17 20:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-07-17 16:02 3,670,016 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-07-17 15:45 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-11 21:32 --------- d-------- C:\Program Files\Security Task Manager
2007-07-06 15:08 58832 --a------ C:\DOCUME~1\jlsadm\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-07-06 15:08 116906 --a------ C:\WINDOWS\HPHins10.dat
2007-07-04 16:52 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-06-28 22:10 --------- d-------- C:\Program Files\SpywareBlaster
2007-05-28 00:14 78144 --a------ C:\WINDOWS\hpfins05.dat
2003-12-01 17:13 793 --a------ C:\Program Files\INSTALL.LOG
2002-09-22 15:28 266 ---hs---- C:\Program Files\desktop.ini
2002-09-22 15:28 11079 --a------ C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 21:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gf1.0.0.2"="C:\WINDOWS\system32\NBPDtJPa.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Printing Migration"=rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [1999-02-17 20:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-04-26 21:18 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD LT Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD LT Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD LT Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EnsoniqMixer"=C:\WINDOWS\starter.exe
"CriticalUpdate"=C:\WINDOWS\SYSTEM32\WUCRTUPD.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"TCASUTIEXE"=TCAUDIAG.EXE -off
"WinampAgent"="C:\Program Files\Winamp3\winampa.exe"
"LoadQM"=loadqm.exe
"CallControl 4.5"=C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
"NetOnHold"=C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\system32\DRIVERS\pxfsf.sys
R1 PREVXTdi;PREVX TDI filter;C:\WINDOWS\system32\DRIVERS\pxtdi.sys
R1 PXRDDriver;PREVX Rootkitscan driver;C:\WINDOWS\system32\DRIVERS\pxrd.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R2 CdaC15BA;CdaC15BA;\??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S2 spupdsvc;Windows Service Pack Installer update service;C:\WINDOWS\system32\spupdsvc.exe
S3 PREVXEmulator;PREVX Emulator driver;C:\WINDOWS\system32\DRIVERS\PxEmu.sys
S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\UPDCRL.EXE -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

Contents of the 'Scheduled Tasks' folder
2007-07-07 18:00:04 C:\WINDOWS\Tasks\Tune-up Application Start.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 01:47:19
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-15 1:53:26
C:\ComboFix-quarantined-files.txt ... 2007-08-15 01:53
C:\ComboFix3.txt ... 2007-08-05 23:35
C:\ComboFix2.txt ... 2007-08-08 23:08

--- E O F ---


Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 1:57:10 AM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dog.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://NTSERVER:80
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [gf1.0.0.2] C:\WINDOWS\system32\NBPDtJPa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://birdieboutique.viewnetcam.com:87/kxhcm10.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1177565592151
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/dow...in/actxcab.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/A...oadcontrol.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...setup142f1.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: System Restore Service (srservice) - Unknown owner - % (file missing)
  #15  
Old August 15th, 2007, 08:58 PM
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
Looking much better. We'll need to follow up with cleaning but I still am assessing the best means of correcting the corrupted System Restore Service here, which is most often fairly complex, and we're still not sure what damaged that. The settings that show here and the changes are so far unique to your system, and almost all reflect recent failed or interrupted updating procedures.

One idea is that SuperAntiSpyware has with it a System Restore repair I was recently made aware of, but I will need to get better details on that before suggesting you use it here.


Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/dow...in/actxcab.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/A...oadcontrol.cab




sc qc srservice > c:\slocate.txt & start notepad c:\slocate.txt

Open Notepad and copy and paste the above highlighted text into the text file. Now go to File > Save As and call it servfind.bat.

Where it says "Files of Type", select All Files, click on Save and save it to your desktop. Exit Notepad, then click on servfind.bat and allow it to run. A text box will open - please copy/paste the contents back here.
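As an added example (not the moderator's batch file or anything from the thread), here is a Python parser for the `sc qc srservice` output that servfind.bat writes, with a check of whether the srservice image path is the svchost-hosted default or a corrupted value like the bare "%" shown in the HijackThis O23 line above. The two sample outputs are constructed in the `sc qc` format, and the expected Windows XP default path is an assumption.

```python
"""Parse the output of `sc qc srservice` (what servfind.bat writes to slocate.txt)
and judge whether the System Restore Service configuration is intact.

Added example, not the thread's own code. The two outputs below are constructed
in the `sc qc` format; the "broken" one mirrors the HijackThis line in the thread
where srservice's image path had collapsed to a bare "%". The expected default
path (svchost.exe hosting the netsvcs group) is an assumption based on Windows XP.
"""
import re

# Constructed sample: a healthy Windows XP SP2 configuration (assumed default).
HEALTHY_OUTPUT = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: srservice
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : %SystemRoot%\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : System Restore Service
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem
"""

# Constructed sample: the corrupted state behind the thread's HijackThis line
# "O23 - Service: System Restore Service (srservice) - Unknown owner - % (file missing)".
BROKEN_OUTPUT = HEALTHY_OUTPUT.replace(
    r"%SystemRoot%\system32\svchost.exe -k netsvcs", "%")

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")


def parse_sc_qc(text):
    """Return the `sc qc` fields as a dict; raise ValueError if sc reported failure."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("[SC]"):
            # e.g. "[SC] OpenService FAILED 1060:" when the service key is gone entirely
            if "SUCCESS" not in line:
                raise ValueError("sc qc failed: " + line.strip())
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


# What srservice's image path should look like on XP (assumed default): svchost
# from the system directory, hosting the netsvcs group.
EXPECTED_PATH = re.compile(
    r"^(?:%SystemRoot%|[A-Za-z]:\\WINDOWS)\\system32\\svchost\.exe\s+-k\s+netsvcs$",
    re.IGNORECASE)
# A well-formed environment-variable reference such as %SystemRoot%.
ENV_REF = re.compile(r"%[A-Za-z_][A-Za-z0-9_()]*%")


def assess_srservice(fields):
    """Return a list of findings about the srservice config; empty means it looks intact."""
    findings = []
    if fields.get("SERVICE_NAME", "").lower() != "srservice":
        findings.append("output is not for srservice")
    path = fields.get("BINARY_PATH_NAME", "").strip()
    if not path:
        findings.append("BINARY_PATH_NAME is empty")
    elif "%" in path and not ENV_REF.search(path):
        # A lone '%' is a truncated/corrupted value, not a %VAR% reference.
        findings.append(f"BINARY_PATH_NAME is a stray '%' rather than a path: {path!r}")
    elif not EXPECTED_PATH.match(path):
        findings.append(f"unexpected image path for srservice: {path!r}")
    if "WIN32_SHARE_PROCESS" not in fields.get("TYPE", ""):
        findings.append("srservice should be a shared-process (svchost-hosted) service")
    if "AUTO_START" not in fields.get("START_TYPE", ""):
        findings.append("srservice is not set to AUTO_START")
    return findings


def report(text):
    """Human-readable verdict for one `sc qc` capture."""
    findings = assess_srservice(parse_sc_qc(text))
    if not findings:
        return "srservice configuration looks intact"
    return "srservice configuration is damaged:\n  - " + "\n  - ".join(findings)


if __name__ == "__main__":
    print(report(HEALTHY_OUTPUT))
    print(report(BROKEN_OUTPUT))
```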