Vtsqq.exe Not Found - Hjt Log Posted

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages

1 2 >

Vtsqq.exe Not Found - Hjt Log Posted

Options

theodore View Member Profile	Jun 22 2008, 10:41 AM Post #1
Member Group: Members Posts: 15 Joined: 19-June 08 Member No.: 217,237	At start up two error messages appear, one is cannot run C:\WINDOWS\system32\vtsqq.exe, the other is error loading C:\WINDOWS\system32\qkailcxn.dll i copied and pasted the above from 'flatdeck''s post as his issue is identical to mine. i have heeded the warnings not to just copy what he was told to do. below is my hijack this log in full(also attached). Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:22:03, on 19/06/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wdfmgr.exe C:\WINDOWS\mrofinu1535.exe C:\DOCUME~1\trojan87\LOCALS~1\Temp\winlogan.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\Rundll32.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\WgaTray.exe C:\DOCUME~1\trojan87\LOCALS~1\Temp\csrssc.exe C:\WINDOWS\System32\wbem\wmiprvse.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.rd.yahoo.com/customize/ycomp/def.../search/ie.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/def...://uk.yahoo.com R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) F3 - REG:win.ini: load=C:\WINDOWS\System32\vtsqq.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe, O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SManager] smanager.7.exe O4 - HKLM\..\Run: [ipmon] ipmon.exe O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257 O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\trojan87\LOCALS~1\Temp\winlogan.exe O4 - HKLM\..\Run: [BMN] "C:\Program Files\Common Files\AntiSpywareMaster\bm.exe" dm=http://antispywaremaster.com ad=http://antispywaremaster.com sd=http://ykeeper.antispywaremaster.com O4 - HKLM\..\Run: [a88d7fca] rundll32.exe "C:\WINDOWS\System32\ysnjmfdr.dll",b O4 - HKLM\..\Run: [BMabbe4c56] Rundll32.exe "C:\WINDOWS\System32\jernldph.dll",s O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\E_S20IC1.EXE /FU "C:\DOCUME~1\trojan87\LOCALS~1\Temp\E_S1B.tmp" /EF "HKCU" O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\trojan87\LOCALS~1\Temp\winlogan.exe O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\trojan87\LOCALS~1\Temp\csrssc.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{BF4F422E-4E00-4F57-805C-FF332126BB01}: NameServer = 158.43.128.72,158.43.192.1,158.43.128.1 O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - (no file) O21 - SSODL: WinCTL - {009541A0-3B00-1F1C-00F3-040224009C02} - (no file) O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\jfiehayd.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\dcphkhmt.exe (file missing) O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe (file missing) -- End of file - 6480 bytes all help appreciated theodore This post has been edited by Orange Blossom: Jun 22 2008, 07:20 PM Reason for edit: Fix code tags and spelling. ~ OB Attached File(s) hijackthislog_190608.log ( 6.33k ) Number of downloads: 5

Baabiouz View Member Profile	Jun 23 2008, 10:56 AM Post #2
Finnish Malware Fighter Group: HJT Team Posts: 1,143 Joined: 4-May 07 From: Finland Member No.: 128,832	Hello Theodore! I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I'm in Hijackthis school and Teachers will check my posts. --------------------

Baabiouz View Member Profile	Jun 24 2008, 10:55 AM Post #3
Finnish Malware Fighter Group: HJT Team Posts: 1,143 Joined: 4-May 07 From: Finland Member No.: 128,832	Hello Your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately: * Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use. * Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account. * Consider what other private information could possibly have been taken from your computer and take appropriate steps This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer. If you wish to reformat then please let me know in your next response, I'll now continue with instructions for cleaning. __________________________ Step #1 Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page. Please download SDFix by AndyManchesta and save it to your desktop. When using this tool, you must use the Administrator's account* or an account with "Administrative rights"* Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet. Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Open the SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. Copy and paste the contents of the results file Report.txt in your next replyalong with a new HijackThis log. -- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..." Please go to Start Menu > Run > and copy/paste the following line: %systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg Press Ok and then run SDFix again. -- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line: %systemdrive%\SDFix\apps\FixPath.exe /Q Reboot and then run SDFix again. -- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe. %SystemRoot%\system32\cmd.exe Step #2 Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix Link 1 Link 2 Link 3 Note: It is important that it is saved directly to your desktop -------------------------------------------------------------------- 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. -------------------------------------------------------------------- Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall Step #3 You are missing one important program on that computer: An antivirus. This is somewhat suicidal in today's digital world. You need to install an antivirus program as soon as you can and run a complete scan of the computer: Antivir Avast Free AVG Free Bitdefender Free Install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove. Step #4 Please post Combofix log, Sdfix log and a fresh HijackThis log back here. --------------------

theodore View Member Profile	Jun 27 2008, 09:13 AM Post #4
Member Group: Members Posts: 15 Joined: 19-June 08 Member No.: 217,237	HERE IS THE SDFIX REPORT. --------------------------------------- SDFix: Version 1.197 Run by Administrator on 25/06/2008 at 18:56 Microsoft Windows XP [Version 5.1.2600] Running From: C:\DOCUME~1\ADMINI~1\Desktop\sdfix\SDFix Checking Services : Name : narqwe runtime smtpdrv wincom32 xpdx Path : \??\C:\WINDOWS\system32\narqwe.sys \??\C:\WINDOWS\System32\drivers\runtime.sys System32\DRIVERS\smtpdrv.sys \??\C:\WINDOWS\System32\wincom32.sys \??\C:\WINDOWS\System32\xpdx.sys narqwe - Deleted runtime - Deleted smtpdrv - Deleted wincom32 - Deleted xpdx - Deleted Restoring Default Security Values Restoring Default Hosts File Rebooting Service asc355O - Deleted Checking Files : Trojan Files Found: C:\WINDOWS\system32\wvUmljig.dll - Deleted C:\WINDOWS\system32\WINZOA32.dll - Deleted C:\WINDOWS\system32\jfiehayd.dll - Deleted C:\WINDOWS\SYSTEM32\VTSQQ.EXE - Deleted C:\Program Files\mjc\mjc.exe - Deleted C:\WINDOWS\b152.exe - Deleted C:\WINDOWS\mrofinu1535.exe - Deleted C:\WINDOWS\system32\8_exception.nls - Deleted C:\WINDOWS\system32\bsn32.dll - Deleted C:\WINDOWS\system32\csm.txt - Deleted C:\WINDOWS\system32\googlech.dll - Deleted C:\WINDOWS\system32\pac.txt - Deleted C:\WINDOWS\system32\sys.dat - Deleted C:\WINDOWS\system32\drivers\asc355O.sys - Deleted C:\WINDOWS\system32\narqwe.sys - Deleted C:\WINDOWS\system32\ntos.exe - Deleted C:\WINDOWS\system32\drivers\asc355O.sys - Deleted C:\WINDOWS\system32\narqwe.sys - Deleted C:\WINDOWS\system32\ntos.exe - Deleted C:\WINDOWS\system32\wsnpoem\audio.dll.cla - Deleted C:\WINDOWS\system32\wsnpoem\video.dll - Deleted C:\Documents and Settings\Guest.XFDXFG-1NPE3D14\Application Data\wsnpoem\video.dll - Deleted C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted C:\Documents and Settings\Guest.XFDXFG-1NPE3D14\Application Data\wsnpoem\audio.dll - Deleted C:\WINDOWS\Fonts\.zip - 1 File(s) 16,384 bytes - Deleted C:\WINDOWS\Fonts\'\.zip - 993 File(s) 16,270,305 bytes - Deleted Folder C:\Program Files\InetGet2 - Removed Folder C:\Program Files\mjc - Removed Folder C:\Program Files\Temporary - Removed Folder C:\WINDOWS\system32\wsnpoem - Removed Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-26 19:30:55 Windows 5.1.2600 Service Pack 1 FAT NTAPI scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : runtime Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "c:\\windows\\system32\\nvsvct0.exe"="c:\\windows\\system32\\nvsvct0.exe::Enabled:nvsvct0" "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE::Enabled:Internet Explorer" "C:\\WINDOWS\\System32\\dcphkhmt.exe"="C:\\WINDOWS\\System32\\dcp" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] Remaining Files : File Backups: - C:\DOCUME~1\ADMINI~1\Desktop\sdfix\SDFix\backups\backups.zip Files with Hidden Attributes : Sat 5 May 2007 879,180 ..SH. --- "C:\WINDOWS\system32\npqss.tmp" Sun 17 Jun 2007 1,216,996 ..SH. --- "C:\WINDOWS\system32\npqss.bak1" Thu 6 Sep 2007 848 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys" Wed 20 Jun 2007 1,227,731 ..SH. --- "C:\WINDOWS\system32\npqss.bak2" Thu 6 Sep 2007 88 ..SHR --- "C:\WINDOWS\system32\93E7034298.sys" Sat 9 Feb 2008 20,532 ..SH. --- "C:\WINDOWS\system32\isuhibja.dllbox" Wed 3 Sep 2003 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv12.bak" Wed 3 Sep 2003 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Mon 6 Aug 2007 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak" Thu 26 Jun 2008 15,505 ...H. --- "C:\Documents and Settings\vicki morgan\Local Settings\Temp\csrssc.exe" Sun 28 Oct 2007 20,222,992 A..H. --- "C:\Documents and Settings\vicki morgan\Local Settings\Temp\BITF.tmp" Sun 28 Oct 2007 20,222,992 A..H. --- "C:\Documents and Settings\vicki morgan\Local Settings\Temp\BIT51.tmp" Sun 28 Oct 2007 20,222,992 A..H. --- "C:\Documents and Settings\vicki morgan\Local Settings\Temp\BIT2.tmp" Sun 28 Oct 2007 20,222,992 ...H. --- "C:\Documents and Settings\trojan87\Local Settings\Temp\BIT14.tmp" Thu 26 Jun 2008 15,505 ...H. --- "C:\Documents and Settings\trojan87\Local Settings\Temp\csrssc.exe" Sun 28 Oct 2007 20,222,992 A..H. --- "C:\Documents and Settings\trojan87\Local Settings\Temp\BIT2.tmp" Fri 23 Nov 2007 65,536 ...H. --- "C:\Documents and Settings\nubian2\My Documents\COMM CHAMPIONS\~WRL2231.tmp" Fri 23 Nov 2007 65,536 ...H. --- "C:\Documents and Settings\nubian2\My Documents\COMM CHAMPIONS\~WRL1845.tmp" Fri 23 Nov 2007 65,536 ...H. --- "C:\Documents and Settings\nubian2\My Documents\COMM CHAMPIONS\~WRL3546.tmp" Fri 23 Nov 2007 65,536 ...H. --- "C:\Documents and Settings\nubian2\My Documents\COMM CHAMPIONS\~WRL2318.tmp" Thu 19 Jun 2008 22,016 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL2884.tmp" Thu 19 Jun 2008 22,528 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL3997.tmp" Thu 19 Jun 2008 25,088 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL2612.tmp" Thu 19 Jun 2008 25,088 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL0694.tmp" Fri 20 Jun 2008 27,648 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL3942.tmp" Fri 20 Jun 2008 28,160 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL1945.tmp" Fri 20 Jun 2008 29,696 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL0146.tmp" Fri 20 Jun 2008 30,720 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL1437.tmp" Fri 20 Jun 2008 34,304 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL0131.tmp" Tue 17 Apr 2007 19,456 ...H. --- "C:\Documents and Settings\vicki morgan\My Documents\Coursework1\Drama\~WRL2283.tmp" Sun 8 Oct 2006 27,136 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Templates\~WRL3317.tmp" Sun 23 Jul 2006 23,040 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL0197.tmp" Sat 14 Apr 2007 35,328 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL0004.tmp" Sat 14 Apr 2007 35,840 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL2862.tmp" Thu 29 Mar 2007 30,720 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL2591.tmp" Thu 29 Mar 2007 31,744 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL1543.tmp" Sun 21 Jan 2007 22,528 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL0003.tmp" Sun 21 Jan 2007 24,064 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL0005.tmp" Thu 29 Mar 2007 35,328 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL1826.tmp" Thu 29 Mar 2007 35,840 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL1974.tmp" Thu 29 Mar 2007 35,328 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL2178.tmp" Sun 10 Dec 2006 138,752 ...H. --- "C:\Documents and Settings\trojan87\Application Data\Microsoft\Word\~WRL0004.tmp" Mon 12 Nov 2007 182,272 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL0081.tmp" Mon 12 Nov 2007 182,784 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL2643.tmp" Thu 7 Sep 2006 32,256 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL3863.tmp" Fri 30 Dec 2005 26,624 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL2486.tmp" Fri 30 Dec 2005 27,136 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL0981.tmp" Wed 12 Apr 2006 26,624 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL2864.tmp" Wed 12 Apr 2006 27,648 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL2865.tmp" Wed 12 Apr 2006 28,672 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL3277.tmp" Wed 12 Apr 2006 27,136 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL1818.tmp" Thu 7 Sep 2006 19,456 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL1693.tmp" Fri 20 Jun 2008 31,744 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL0133.tmp" Fri 20 Jun 2008 32,256 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL1197.tmp" Fri 20 Jun 2008 33,792 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL1421.tmp" Sun 17 Apr 2005 23,040 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL0004.tmp" Sun 17 Apr 2005 23,040 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL2359.tmp" Sun 17 Apr 2005 23,040 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL3733.tmp" Sun 17 Apr 2005 22,528 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL1028.tmp" Finished! Rebooting Checking Files : No Trojan Files Found Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-26 20:50:26 Windows 5.1.2600 Service Pack 1 FAT NTAPI scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "c:\\windows\\system32\\nvsvct0.exe"="c:\\windows\\system32\\nvsvct0.exe::Enabled:nvsvct0" "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE::Enabled:Internet Explorer" "C:\\WINDOWS\\System32\\dcphkhmt.exe"="C:\\WINDOWS\\System32\\dcp" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] Remaining Files : File Backups: - C:\DOCUME~1\ADMINI~1\Desktop\sdfix\SDFix\backups\backups.zip Files with Hidden Attributes : Thu 6 Sep 2007 848 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys" Thu 6 Sep 2007 88 ..SHR --- "C:\WINDOWS\system32\93E7034298.sys" Sat 9 Feb 2008 20,532 ..SH. --- "C:\WINDOWS\system32\isuhibja.dllbox" Wed 3 Sep 2003 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv12.bak" Wed 3 Sep 2003 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Mon 6 Aug 2007 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak" Sun 28 Oct 2007 20,222,992 A..H. --- "C:\Documents and Settings\trojan87\Local Settings\Temp\BIT4.tmp" Fri 23 Nov 2007 65,536 ...H. --- "C:\Documents and Settings\nubian2\My Documents\COMM CHAMPIONS\~WRL2231.tmp" Fri 23 Nov 2007 65,536 ...H. --- "C:\Documents and Settings\nubian2\My Documents\COMM CHAMPIONS\~WRL1845.tmp" Fri 23 Nov 2007 65,536 ...H. --- "C:\Documents and Settings\nubian2\My Documents\COMM CHAMPIONS\~WRL3546.tmp" Fri 23 Nov 2007 65,536 ...H. --- "C:\Documents and Settings\nubian2\My Documents\COMM CHAMPIONS\~WRL2318.tmp" Thu 19 Jun 2008 22,016 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL2884.tmp" Thu 19 Jun 2008 22,528 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL3997.tmp" Thu 19 Jun 2008 25,088 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL2612.tmp" Thu 19 Jun 2008 25,088 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL0694.tmp" Fri 20 Jun 2008 27,648 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL3942.tmp" Fri 20 Jun 2008 28,160 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL1945.tmp" Fri 20 Jun 2008 29,696 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL0146.tmp" Fri 20 Jun 2008 30,720 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL1437.tmp" Fri 20 Jun 2008 34,304 ...H. --- "C:\Documents and Settings\nubian2\My Documents\RITES OF PASSAGE\~WRL0131.tmp" Tue 17 Apr 2007 19,456 ...H. --- "C:\Documents and Settings\vicki morgan\My Documents\Coursework1\Drama\~WRL2283.tmp" Sun 8 Oct 2006 27,136 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Templates\~WRL3317.tmp" Sun 23 Jul 2006 23,040 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL0197.tmp" Sat 14 Apr 2007 35,328 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL0004.tmp" Sat 14 Apr 2007 35,840 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL2862.tmp" Thu 29 Mar 2007 30,720 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL2591.tmp" Thu 29 Mar 2007 31,744 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL1543.tmp" Sun 21 Jan 2007 22,528 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL0003.tmp" Sun 21 Jan 2007 24,064 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL0005.tmp" Thu 29 Mar 2007 35,328 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL1826.tmp" Thu 29 Mar 2007 35,840 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL1974.tmp" Thu 29 Mar 2007 35,328 ...H. --- "C:\Documents and Settings\Francine\Application Data\Microsoft\Word\~WRL2178.tmp" Sun 10 Dec 2006 138,752 ...H. --- "C:\Documents and Settings\trojan87\Application Data\Microsoft\Word\~WRL0004.tmp" Mon 12 Nov 2007 182,272 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL0081.tmp" Mon 12 Nov 2007 182,784 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL2643.tmp" Thu 7 Sep 2006 32,256 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL3863.tmp" Fri 30 Dec 2005 26,624 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL2486.tmp" Fri 30 Dec 2005 27,136 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL0981.tmp" Wed 12 Apr 2006 26,624 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL2864.tmp" Wed 12 Apr 2006 27,648 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL2865.tmp" Wed 12 Apr 2006 28,672 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL3277.tmp" Wed 12 Apr 2006 27,136 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL1818.tmp" Thu 7 Sep 2006 19,456 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL1693.tmp" Fri 20 Jun 2008 31,744 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL0133.tmp" Fri 20 Jun 2008 32,256 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL1197.tmp" Fri 20 Jun 2008 33,792 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL1421.tmp" Sun 17 Apr 2005 23,040 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL0004.tmp" Sun 17 Apr 2005 23,040 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL2359.tmp" Sun 17 Apr 2005 23,040 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL3733.tmp" Sun 17 Apr 2005 22,528 ...H. --- "C:\Documents and Settings\nubian2\Application Data\Microsoft\Word\~WRL1028.tmp" Finished! HERE IS THE COMBOFIX REPORT ------------------------------------------ ComboFix 08-06-20.4 - trojan87 2008-06-26 19:35:44.1 - FAT32x86 Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.72 [GMT 1:00] Running from: C:\Documents and Settings\trojan87\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Application Data\salesmonitor C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007 C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\Abbr C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ActivationCode C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ProductCode C:\Documents and Settings\vicki morgan\Application Data\macromedia\Flash Player\#SharedObjects\BC5PEFQJ\iforex.com C:\Documents and Settings\vicki morgan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com C:\Program Files\Common Files\companion wizard C:\Program Files\Common Files\companion wizard\compwiz.exe C:\Program Files\Common Files\companion wizard\WapCHK.dll C:\Program Files\Common Files\winantivirus pro 2007 C:\Program Files\Common Files\winantivirus pro 2007\err.log C:\UWA7P C:\WINDOWS\BMabbe4c56.xml C:\WINDOWS\cookies.ini C:\WINDOWS\Fonts\' C:\WINDOWS\pskt.ini C:\WINDOWS\system32\abomnwpy.ini C:\WINDOWS\system32\acwikyea.ini C:\WINDOWS\system32\agkxixux.ini C:\WINDOWS\system32\akfkajuk.ini C:\WINDOWS\system32\amgvofkh.ini C:\WINDOWS\system32\aoaxwune.ini C:\WINDOWS\system32\auimusra.ini C:\WINDOWS\system32\awtrOgdD.dll C:\WINDOWS\system32\barhgibo.ini C:\WINDOWS\system32\bboigoif.ini C:\WINDOWS\system32\bdlootnu.dll C:\WINDOWS\system32\bfmunyqj.ini C:\WINDOWS\system32\bfytnnpw.ini C:\WINDOWS\system32\bmf.cs C:\WINDOWS\system32\bmstqpms.dll C:\WINDOWS\system32\boyulgxp.ini C:\WINDOWS\system32\bqlftnbv.ini C:\WINDOWS\system32\btfsyhya.ini C:\WINDOWS\system32\bvxodpqf.dll C:\WINDOWS\system32\bwnjqhoh.ini C:\WINDOWS\system32\bxxcniui.ini C:\WINDOWS\system32\ccs.so C:\WINDOWS\system32\ckhfojfc.ini C:\WINDOWS\system32\cobpkbbe.ini C:\WINDOWS\system32\ctfmon.exe.tmp C:\WINDOWS\system32\cvdwmgtc.ini C:\WINDOWS\system32\cvschitc.ini C:\WINDOWS\system32\cwwbtwqg.dll C:\WINDOWS\system32\cyvllwgr.ini C:\WINDOWS\system32\dbiomvnj.ini C:\WINDOWS\system32\DdgOrtwa.ini C:\WINDOWS\system32\DdgOrtwa.ini2 C:\WINDOWS\system32\dfhwjykn.ini C:\WINDOWS\system32\dtokpqfv.ini C:\WINDOWS\system32\dtpnllem.ini C:\WINDOWS\system32\dvnyxwik.ini C:\WINDOWS\system32\ediddfse.ini C:\WINDOWS\system32\eejxsgxn.ini C:\WINDOWS\system32\ekbntqrf.ini C:\WINDOWS\system32\emngxkna.ini C:\WINDOWS\system32\eosfvfdc.ini C:\WINDOWS\system32\ewfkfevk.ini C:\WINDOWS\system32\eyovvwug.dll C:\WINDOWS\system32\fcklxffa.ini C:\WINDOWS\system32\flminmwb.dll C:\WINDOWS\system32\fosvacwl.ini C:\WINDOWS\system32\fovmydnv.ini C:\WINDOWS\system32\fshlwluc.ini C:\WINDOWS\system32\fsjateyt.ini C:\WINDOWS\system32\ftctfmmb.ini C:\WINDOWS\system32\gcqmhbyt.ini C:\WINDOWS\system32\gipcojmt.ini C:\WINDOWS\system32\gqiwcniw.ini C:\WINDOWS\system32\gvjtmell.ini C:\WINDOWS\system32\hbaaibgj.ini C:\WINDOWS\system32\hlfxsjrh.ini C:\WINDOWS\system32\ho.ln C:\WINDOWS\system32\hoecpcgp.ini C:\WINDOWS\system32\hpfrofhv.ini C:\WINDOWS\system32\hrhvegcc.dll C:\WINDOWS\system32\htqhgkxq.ini C:\WINDOWS\system32\idhuecdn.ini C:\WINDOWS\system32\igbwxxog.ini C:\WINDOWS\system32\iijdwmsu.ini C:\WINDOWS\system32\iitvrglg.ini C:\WINDOWS\system32\ioyvcyfy.ini C:\WINDOWS\system32\ipfftxlg.dll C:\WINDOWS\system32\irmtylkr.ini C:\WINDOWS\system32\jernldph.dll C:\WINDOWS\system32\jeslostt.ini C:\WINDOWS\system32\jgwundor.dll C:\WINDOWS\system32\jkkpappb.dll C:\WINDOWS\system32\jmklakpx.ini C:\WINDOWS\system32\jtcygxnn.ini C:\WINDOWS\system32\jvxglepm.ini C:\WINDOWS\system32\khkogwij.ini C:\WINDOWS\system32\klvplqrl.ini C:\WINDOWS\system32\kmmollgf.ini C:\WINDOWS\system32\ko.o C:\WINDOWS\system32\kujljjot.ini C:\WINDOWS\system32\kxhvraoo.ini C:\WINDOWS\system32\lbffphgy.ini C:\WINDOWS\system32\ljJDSlJb.dll C:\WINDOWS\system32\lmqtqkbo.dll C:\WINDOWS\system32\lqeoagkg.ini C:\WINDOWS\system32\lrjycgsm.ini C:\WINDOWS\system32\lrmfixqc.ini C:\WINDOWS\system32\ltptlput.ini C:\WINDOWS\system32\lxjrbofy.ini C:\WINDOWS\system32\lyrjwcmw.ini C:\WINDOWS\system32\lytfhpkg.ini C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\mdrmsvlp.ini C:\WINDOWS\system32\mfixnqoc.dll C:\WINDOWS\system32\mfsgtdkc.dll C:\WINDOWS\system32\mjsmmvdq.ini C:\WINDOWS\system32\mlJAPIyY.dll C:\WINDOWS\system32\mmdvrtba.ini C:\WINDOWS\system32\mn.n C:\WINDOWS\system32\mqljhnax.ini C:\WINDOWS\system32\MSINET.oca C:\WINDOWS\system32\muahukrb.ini C:\WINDOWS\system32\mwpyfdcn.ini C:\WINDOWS\system32\nbeuijgs.dll C:\WINDOWS\system32\nhrjwvtu.ini C:\WINDOWS\system32\nhtemaqe.ini C:\WINDOWS\system32\nipjmcdh.ini C:\WINDOWS\system32\nkpuuxpr.ini C:\WINDOWS\system32\nnyqyrik.ini C:\WINDOWS\system32\npqss.bak1 C:\WINDOWS\system32\npqss.bak2 C:\WINDOWS\system32\npqss.ini C:\WINDOWS\system32\npqss.ini2 C:\WINDOWS\system32\npqss.tmp C:\WINDOWS\system32\nultkcac.ini C:\WINDOWS\system32\nvbattql.ini C:\WINDOWS\system32\nvrsma.dll C:\WINDOWS\system32\oemhuvse.dll C:\WINDOWS\system32\ogajkuik.ini C:\WINDOWS\system32\oipauddm.ini C:\WINDOWS\system32\omkjwemy.ini C:\WINDOWS\system32\orjqadof.ini C:\WINDOWS\system32\oxlpskvx.ini C:\WINDOWS\system32\oytpcttb.dll C:\WINDOWS\system32\pcspajvs.ini C:\WINDOWS\system32\pdlqwlhe.ini C:\WINDOWS\system32\pfbfaqjm.ini C:\WINDOWS\system32\phkubfdw.ini C:\WINDOWS\system32\pklkbbea.ini C:\WINDOWS\system32\povgjujj.ini C:\WINDOWS\system32\proxupeb.ini C:\WINDOWS\system32\psmohxbs.ini C:\WINDOWS\system32\pvbswsds.ini C:\WINDOWS\system32\pyeumogm.dll C:\WINDOWS\system32\qaoskvir.ini C:\WINDOWS\system32\qnkrcxxe.ini C:\WINDOWS\system32\qoMgfeDw.dll C:\WINDOWS\system32\qpdodtbg.dll C:\WINDOWS\system32\qqstv.ini C:\WINDOWS\system32\qqstv.ini2 C:\WINDOWS\system32\qwhwabtv.ini C:\WINDOWS\system32\qxygewtf.ini C:\WINDOWS\system32\rdfmjnsy.ini C:\WINDOWS\system32\rigyjqte.ini C:\WINDOWS\system32\rlmbolho.ini C:\WINDOWS\system32\roibnwrs.ini C:\WINDOWS\system32\rrartfpy.ini C:\WINDOWS\system32\rrxnashi.ini C:\WINDOWS\system32\rsschips.ini C:\WINDOWS\system32\rubjdrbe.dll C:\WINDOWS\system32\sacahpte.ini C:\WINDOWS\system32\saesgcxc.ini C:\WINDOWS\system32\salypoxt.ini C:\WINDOWS\system32\sasboene.ini C:\WINDOWS\system32\seffkedi.ini C:\WINDOWS\system32\snqvsikj.ini C:\WINDOWS\system32\snyokjfg.ini C:\WINDOWS\system32\stera.job C:\WINDOWS\system32\stera.log C:\WINDOWS\system32\strhufsa.ini C:\WINDOWS\system32\syeluwps.ini C:\WINDOWS\system32\sykoqncw.ini C:\WINDOWS\system32\taamjayg.ini C:\WINDOWS\system32\thjjxdou.ini C:\WINDOWS\system32\tjcacxuw.ini C:\WINDOWS\system32\tjeytynn.ini C:\WINDOWS\system32\tkwxdfct.ini C:\WINDOWS\system32\tnflwrbs.ini C:\WINDOWS\system32\toesevdt.ini C:\WINDOWS\system32\tutywskj.ini C:\WINDOWS\system32\twkwfegy.ini C:\WINDOWS\system32\uacftykh.ini C:\WINDOWS\system32\ubedbyun.dll C:\WINDOWS\system32\udqxepwk.ini C:\WINDOWS\system32\uixtrkua.ini C:\WINDOWS\system32\ujviotpd.dll C:\WINDOWS\system32\ulvbdtyo.ini C:\WINDOWS\system32\urtwqgxy.ini C:\WINDOWS\system32\utgxmovg.ini C:\WINDOWS\system32\uuarherv.ini C:\WINDOWS\system32\uvijlarw.ini C:\WINDOWS\system32\uvusoyxe.ini C:\WINDOWS\system32\uvyjfukl.ini C:\WINDOWS\system32\uxlgqnxi.ini C:\WINDOWS\system32\vbfmiwex.ini C:\WINDOWS\system32\vdudmhls.dll C:\WINDOWS\system32\vetdanjv.ini C:\WINDOWS\system32\vhfjxboq.ini C:\WINDOWS\system32\vlytjrgm.ini C:\WINDOWS\system32\vnnfjlrg.ini C:\WINDOWS\system32\vwcaxyhp.dll C:\WINDOWS\system32\vybkorty.ini C:\WINDOWS\system32\weygwswk.ini C:\WINDOWS\system32\wgigymjn.ini C:\WINDOWS\system32\wilbcusf.ini C:\WINDOWS\system32\windbg___ C:\WINDOWS\system32\wjlmffgw.ini C:\WINDOWS\system32\wpeplmxo.ini C:\WINDOWS\system32\xbewhmgc.dll C:\WINDOWS\system32\xdkdndfc.ini C:\WINDOWS\system32\xjvomsjy.dll C:\WINDOWS\system32\xjyndkve.ini C:\WINDOWS\system32\xkoyfgna.ini C:\WINDOWS\system32\xnovboik.ini C:\WINDOWS\system32\xqxukhel.ini C:\WINDOWS\system32\xtxaukoh.ini C:\WINDOWS\system32\xvksplxo.dll C:\WINDOWS\system32\xxsnhffv.ini C:\WINDOWS\system32\ydkfdfbu.ini C:\WINDOWS\system32\yemkhqys.ini C:\WINDOWS\system32\yjnvocxr.ini C:\WINDOWS\system32\ykpxqybl.ini C:\WINDOWS\system32\ymxlkmvl.ini C:\WINDOWS\system32\ypacsxdk.dll C:\WINDOWS\system32\ypiknofo.ini C:\WINDOWS\system32\yptwfqtv.ini C:\WINDOWS\system32\ytvqcmua.ini C:\WINDOWS\system32\yuhngdsd.ini C:\WINDOWS\system32\yywuwbti.ini C:\WINDOWS\winhelp.ini . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_DOMAINSERVICE -------\Legacy_FOPN -------\Legacy_RUNTIME -------\Legacy_SMTPDRV -------\Legacy_WINCOM32 -------\Legacy_WINDEV-4AF9-514C -------\Service_DomainService -------\Service_runtime -------\Service_windev-4af9-514c ((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 ))))))))))))))))))))))))))))))) . 2008-06-26 19:53 . 2008-06-26 19:53 294 ---hs---- C:\WINDOWS\system32\gipcojmt.ini 2008-06-26 18:40 . 2008-06-26 18:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-06-26 18:40 . 2008-06-26 18:41 1,409 --a------ C:\WINDOWS\QTFont.for 2008-06-26 18:25 . 2008-06-26 18:25 107,008 --a------ C:\WINDOWS\system32\ucwhbtno.dll 2008-06-26 18:25 . 2008-06-26 18:25 95,232 --a------ C:\WINDOWS\system32\kllkthue.dll 2008-06-26 18:25 . 2008-06-26 18:25 86,016 --a------ C:\WINDOWS\system32\tmjocpig.dll 2008-06-26 18:24 . 2008-06-26 18:24 107,008 --a------ C:\WINDOWS\system32\fdvjimrd.dll 2008-06-26 18:21 . 2008-06-26 18:21 86,016 --a------ C:\WINDOWS\system32\kiukjago.dll 2008-06-26 18:20 . 2008-06-26 18:20 107,008 --a------ C:\WINDOWS\system32\ufdqbnyn.dll 2008-06-26 18:20 . 2008-06-26 18:20 95,232 --a------ C:\WINDOWS\system32\ddxvisvu.dll 2008-06-25 19:51 . 2008-06-25 19:51 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy 2008-06-25 19:25 . 2008-06-25 19:25 <DIR> d--hs---- C:\FOUND.003 2008-06-25 18:49 . 2008-06-25 18:49 <DIR> d-------- C:\WINDOWS\ERUNT 2008-06-25 18:42 . 2008-06-25 15:45 <DIR> d-------- C:\SDFix 2008-06-25 18:25 . 2008-06-25 18:25 <DIR> d-------- C:\Documents and Settings\Administrator 2008-06-25 18:24 . 2008-06-25 18:24 <DIR> d--hs---- C:\FOUND.002 2008-06-25 18:00 . 2008-06-25 18:00 <DIR> d--hs---- C:\FOUND.001 2008-06-25 17:51 . 2008-06-25 17:51 <DIR> d-------- C:\Program Files\Common Files\Softwin 2008-06-25 17:44 . 2008-06-25 17:44 107,520 --a------ C:\WINDOWS\system32\ajwjmxkt.dll 2008-06-25 17:38 . 2008-06-25 17:38 95,232 --a------ C:\WINDOWS\system32\eucniien.dll 2008-06-23 19:24 . 2008-06-23 19:24 106,496 --a------ C:\WINDOWS\system32\msgsmuqf.dll 2008-06-23 19:21 . 2008-06-23 19:21 95,232 --a------ C:\WINDOWS\system32\qvijbtpw.dll 2008-06-21 18:07 . 2008-06-21 18:07 <DIR> d-------- C:\Program Files\Disc2Phone 2008-06-21 16:56 . 2008-06-21 16:56 101,888 --a------ C:\WINDOWS\system32\wuaregfa.dll 2008-06-21 16:48 . 2008-06-21 16:49 94,208 --a------ C:\WINDOWS\system32\mcveadln.dll 2008-06-19 19:49 . 2008-06-19 19:49 <DIR> d-------- C:\WINDOWS\Sun 2008-06-19 19:21 . 2008-06-19 19:21 <DIR> d-------- C:\Program Files\Trend Micro 2008-06-19 16:59 . 2008-06-19 16:59 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files 2008-06-19 14:58 . 2008-06-19 14:58 <DIR> d--hs---- C:\FOUND.000 2008-06-18 20:39 . 2008-06-18 20:39 2,855 --a------ C:\WINDOWS\system32\vtsqq.PIF 2008-06-18 18:51 . 2008-06-18 18:51 <DIR> d-------- C:\WINDOWS\system32\NtmsData 2008-06-18 18:33 . 2008-06-18 18:33 <DIR> d-------- C:\Program Files\Zone Labs 2008-06-18 18:33 . 2008-06-18 18:33 <DIR> d--hs---- C:\AntiSpywareMaster 2008-06-18 18:06 . 2008-06-18 18:06 <DIR> d-------- C:\Documents and Settings\Guest.XFDXFG-1NPE3D14 2008-06-16 18:44 . 2008-06-16 18:44 <DIR> d-------- C:\Program Files\Comodo 2008-06-16 18:42 . 2008-06-16 18:42 7,943,248 --------- C:\CFP_Setup_English_2.4.18.184.exe 2008-06-16 15:57 . 2008-04-02 21:07 75,248 --a------ C:\WINDOWS\zllsputility.exe 2008-06-16 15:57 . 2008-06-16 16:30 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat 2008-06-16 15:56 . 2008-06-16 15:56 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs 2008-06-16 15:38 . 2008-06-16 15:38 28,515,288 --------- C:\a2FreeSetup.exe 2008-06-16 15:38 . 2008-06-16 15:38 1,670,040 --------- C:\a2HiJackFreeSetup.exe 2008-06-16 14:12 . 2008-06-16 14:11 140,288 --------- C:\vcleaner.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-13 13:29 561,152 ----a-w C:\WINDOWS\system32\user32.DLL 2008-06-13 13:29 561,152 ----a-w C:\WINDOWS\system32\dllcache\user32.dll 2008-05-20 12:48 --------- d-----w C:\Documents and Settings\vicki morgan\Application Data\U3 2008-05-17 18:23 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll 2008-05-17 18:23 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll 2008-05-17 17:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995 2008-05-17 17:41 --------- d-----w C:\Program Files\pdf995 2008-04-28 19:10 --------- d-----w C:\Program Files\LimeWire 2008-04-15 22:46 89,070 ----a-w C:\WINDOWS\system32\myss_sb_uninstall.exe 2008-01-05 22:35 77 ------w C:\Documents and Settings\nubian2\2012.bat 2006-11-18 09:12 318,336 ----a-w C:\Documents and Settings\vicki morgan\Application Data\GDIPFONTCACHEV1.DAT 2007-09-06 19:48 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys 2007-09-06 19:48 88 --sh--r C:\WINDOWS\system32\93E7034298.sys . CODE <pre> ----a-w 13,312 2008-01-21 10:54:04 C:\WINDOWS\system32\ctfmon .exe </pre> C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below) 561,152 2008-06-13 13:29:38 C:\WINDOWS\system32\user32.DLL 561,152 2008-06-13 13:29:38 C:\WINDOWS\system32\dllcache\user32.dll ------- Sigcheck ------- 2008-06-13 14:29 561152 359469dda81d28aee3f8790225a084ab C:\WINDOWS\system32\user32.DLL 2008-06-13 14:29 561152 359469dda81d28aee3f8790225a084ab C:\WINDOWS\system32\dllcache\user32.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{167B2B6C-BB60-4EDD-AAD7-4686EA75B595}] C:\WINDOWS\System32\awtrOgdD.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A}] C:\WINDOWS\System32\bmstqpms.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77377263-961e-497c-9a64-f4e78059a20a}] 2008-06-26 18:25 107008 --a------ C:\WINDOWS\System32\ucwhbtno.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [ ] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352] "EPSON Stylus DX4400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\E_S20IC1.EXE" [ ] "jdgf894jrghoiiskd"="C:\DOCUME~1\trojan87\LOCALS~1\Temp\winlogan.exe" [ ] "Jnskdfmf9eldfd"="C:\DOCUME~1\trojan87\LOCALS~1\Temp\csrssc.exe" [ ] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ] "ipmon"="ipmon.exe" [] "MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [ ] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [ ] "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ] "ISUSScheduler"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [ ] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ] "SDFix"="C:\DOCUME~1\ADMINI~1\Desktop\sdfix\SDFix\RunThis.bat" [2008-06-25 15:43 734899] "jdgf894jrghoiiskd"="C:\DOCUME~1\trojan87\LOCALS~1\Temp\winlogan.exe" [ ] "a88d7fca"="C:\WINDOWS\System32\tmjocpig.dll" [2008-06-26 18:25 86016] "combofix"="C:\WINDOWS\system32\CF20704.exe" [2001-08-18 11:00 375808] "BMabbe4c56"="C:\WINDOWS\System32\kllkthue.dll" [2008-06-26 18:25 95232] C:\Documents and Settings\vicki morgan\Start Menu\Programs\Startup\ LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-04-18 20:21:09 147456] C:\Documents and Settings\trojan87\Start Menu\Programs\Startup\ Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 110592] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "disableregistrytools"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoFolderOptions"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{FFF29BE4-24AC-4E31-B99B-45238B764111}"= C:\WINDOWS\system32\byxvvut.dll [ ] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxvvut] byxvvut.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\isuhibja] isuhibja.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpn] C:\WINDOWS\System32\ssqpn.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winubg32] winubg32.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvvwv] xxyvvwv.dll [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows] "load"=C:\WINDOWS\System32\vtsqq.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=msgsmuqf.dll "wapInit_Dlls"=nvrsma [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\windows\\system32\\nvsvct0.exe"= "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"= "C:\WINDOWS\System32\dcphkhmt.exe"= C:\WINDOWS\System32\dcp R3 iadusb;MT882;C:\WINDOWS\System32\DRIVERS\glauiad.sys [2006-07-27 16:37] S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\System32\DRIVERS\w200bus.sys [2006-11-07 09:42] S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;C:\WINDOWS\System32\DRIVERS\w200mdfl.sys [2006-10-24 14:11] S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;C:\WINDOWS\System32\DRIVERS\w200mdm.sys [2006-10-24 14:11] S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);C:\WINDOWS\System32\DRIVERS\w200mgmt.sys [2006-10-24 14:12] S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;C:\WINDOWS\System32\DRIVERS\w200obex.sys [2006-10-24 14:12] . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-26 19:53:00 Windows 5.1.2600 Service Pack 1 FAT NTAPI scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\GUARD.EXE C:\WINDOWS\SYSTEM32\WDFMGR.EXE C:\WINDOWS\System32\WgaTray.exe C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\WINDOWS\SYSTEM32\RUNDLL32.EXE . ************************************************************************ . Completion time: 2008-06-26 19:56:22 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-26 18:56:18 Pre-Run: 4,395,220,992 bytes free Post-Run: 4,842,962,944 bytes free 421 --- E O F --- 2008-06-12 09:29:48

theodore

Jun 27 2008, 09:14 AM

Post #5

Member

Group: Members
Posts: 15
Joined: 19-June 08
Member No.: 217,237

HERE IS THE COMBOFIX QUARANTINED FILES REPORT

---------------------------------------------------------------

2007-04-26 05:30 29184 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\MSINET.oca.vir
2007-04-26 14:23 1509574 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\strhufsa.ini.vir
2007-05-05 18:54 879180 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\npqss.ini.vir
2007-05-05 18:54 879180 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\npqss.tmp.vir
2007-05-10 18:45 1445272 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vhfjxboq.ini.vir
2007-05-12 23:02 1431341 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\syeluwps.ini.vir
2007-05-13 18:09 1431626 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\orjqadof.ini.vir
2007-05-13 18:11 1431350 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\oipauddm.ini.vir
2007-05-13 19:34 1431386 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\udqxepwk.ini.vir
2007-05-13 19:34 1431446 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bfmunyqj.ini.vir
2007-05-13 19:35 1429676 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\yuhngdsd.ini.vir
2007-05-13 21:52 1431368 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qnkrcxxe.ini.vir
2007-05-14 10:16 1429883 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\omkjwemy.ini.vir
2007-05-14 10:47 1429695 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tkwxdfct.ini.vir
2007-05-15 11:47 1328520 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\klvplqrl.ini.vir
2007-05-15 11:48 1462725 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bfytnnpw.ini.vir
2007-05-15 16:19 1462803 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\iitvrglg.ini.vir
2007-05-15 16:22 1462431 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jvxglepm.ini.vir
2007-05-15 20:51 1464735 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\acwikyea.ini.vir
2007-05-16 08:40 1466274 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xkoyfgna.ini.vir
2007-05-18 12:49 844889 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\iijdwmsu.ini.vir
2007-05-18 19:16 833222 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\nkpuuxpr.ini.vir
2007-05-19 00:48 833282 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\barhgibo.ini.vir
2007-05-19 12:06 833221 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tjeytynn.ini.vir
2007-05-21 18:35 831918 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lytfhpkg.ini.vir
2007-05-21 18:35 832517 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rrartfpy.ini.vir
2007-05-22 20:52 830763 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mjsmmvdq.ini.vir
2007-05-23 18:22 828102 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wilbcusf.ini.vir
2007-05-23 22:34 574180 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\nvbattql.ini.vir
2007-05-24 10:10 690289 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\aoaxwune.ini.vir
2007-05-24 10:10 719996 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\abomnwpy.ini.vir
2007-05-24 23:01 1010897 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tutywskj.ini.vir
2007-05-24 23:02 1010776 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\irmtylkr.ini.vir
2007-05-27 11:36 1083839 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lbffphgy.ini.vir
2007-05-27 12:49 1083838 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\sasboene.ini.vir
2007-05-28 12:54 1084198 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\gqiwcniw.ini.vir
2007-05-28 19:50 1083899 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\psmohxbs.ini.vir
2007-05-30 14:05 657104 --a------ C:\Qoobox\Quarantine\C\Program Files\Common Files\Companion Wizard\compwiz.exe.vir
2007-05-30 23:36 1105592 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\weygwswk.ini.vir
2007-05-30 23:38 1105119 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\eejxsgxn.ini.vir
2007-05-31 22:28 1101454 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pvbswsds.ini.vir
2007-06-01 13:48 1100540 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xxsnhffv.ini.vir
2007-06-02 11:34 1067896 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ykpxqybl.ini.vir
2007-06-03 16:29 1101076 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ypiknofo.ini.vir
2007-06-04 21:20 1099265 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dvnyxwik.ini.vir
2007-06-04 21:23 1061572 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rigyjqte.ini.vir
2007-06-05 18:40 1045683 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\sacahpte.ini.vir
2007-06-05 20:50 1045682 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xqxukhel.ini.vir
2007-06-06 08:47 1067167 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\utgxmovg.ini.vir
2007-06-06 21:14 1105927 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\saesgcxc.ini.vir
2007-06-06 21:17 1011925 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\igbwxxog.ini.vir
2007-06-07 12:49 1004770 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pcspajvs.ini.vir
2007-06-08 01:03 1005071 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rlmbolho.ini.vir
2007-06-08 01:04 983922 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\nnyqyrik.ini.vir
2007-06-08 09:10 982784 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vbfmiwex.ini.vir
2007-06-08 13:41 982905 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lrmfixqc.ini.vir
2007-06-08 13:42 971662 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\hpfrofhv.ini.vir
2007-06-08 19:54 970851 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jmklakpx.ini.vir
2007-06-09 11:02 970851 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pklkbbea.ini.vir
2007-06-09 21:26 970793 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ftctfmmb.ini.vir
2007-06-10 19:04 970792 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\fosvacwl.ini.vir
2007-06-10 19:34 970914 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cvschitc.ini.vir
2007-06-10 19:37 970793 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\muahukrb.ini.vir
2007-06-11 21:19 1912771 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bboigoif.ini.vir
2007-06-11 21:20 1908073 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wjlmffgw.ini.vir
2007-06-11 21:24 943748 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\akfkajuk.ini.vir
2007-06-12 09:18 943808 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\nhtemaqe.ini.vir
2007-06-12 09:21 943868 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\htqhgkxq.ini.vir
2007-06-12 13:43 943928 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pfbfaqjm.ini.vir
2007-06-13 11:56 938089 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uuarherv.ini.vir
2007-06-13 12:56 943758 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\seffkedi.ini.vir
2007-06-13 22:00 943927 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\phkubfdw.ini.vir
2007-06-13 22:09 931081 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\nhrjwvtu.ini.vir
2007-06-13 22:55 936862 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bxxcniui.ini.vir
2007-06-13 22:56 936922 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ulvbdtyo.ini.vir
2007-06-14 07:13 931144 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cyvllwgr.ini.vir
2007-06-14 10:11 931274 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\agkxixux.ini.vir
2007-06-14 10:15 931263 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wpeplmxo.ini.vir
2007-06-14 13:22 933882 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\taamjayg.ini.vir
2007-06-14 22:55 934003 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\idhuecdn.ini.vir
2007-06-15 05:53 934123 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\auimusra.ini.vir
2007-06-15 05:55 922130 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dbiomvnj.ini.vir
2007-06-15 07:16 921830 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ymxlkmvl.ini.vir
2007-06-15 07:27 921949 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vnnfjlrg.ini.vir
2007-06-15 09:15 922069 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lxjrbofy.ini.vir
2007-06-15 09:16 922129 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mwpyfdcn.ini.vir
2007-06-15 21:17 921768 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ediddfse.ini.vir
2007-06-16 13:44 921950 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uixtrkua.ini.vir
2007-06-16 15:29 921828 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qaoskvir.ini.vir
2007-06-16 15:30 921767 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qwhwabtv.ini.vir
2007-06-16 16:20 921829 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\hoecpcgp.ini.vir
2007-06-16 16:27 921890 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\yemkhqys.ini.vir
2007-06-16 16:35 921768 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mqljhnax.ini.vir
2007-06-17 09:16 921950 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\boyulgxp.ini.vir
2007-06-17 09:17 921769 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ytvqcmua.ini.vir
2007-06-17 11:38 921950 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xjyndkve.ini.vir
2007-06-17 13:31 922069 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xtxaukoh.ini.vir
2007-06-17 13:51 921768 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qxygewtf.ini.vir
2007-06-17 13:51 921769 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\sykoqncw.ini.vir
2007-06-17 14:32 1216996 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\npqss.bak1.vir
2007-06-17 15:15 921830 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\fcklxffa.ini.vir
2007-06-17 15:16 921769 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bwnjqhoh.ini.vir
2007-06-17 15:16 921770 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kxhvraoo.ini.vir
2007-06-17 15:26 921768 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lqeoagkg.ini.vir
2007-06-17 18:25 921830 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\yywuwbti.ini.vir
2007-06-17 18:26 921769 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ydkfdfbu.ini.vir
2007-06-17 18:26 921770 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pdlqwlhe.ini.vir
2007-06-1