
Constant Popups


  • This topic is locked
17 replies to this topic

#1 sam07
  • Members
  • 9 posts

Posted 12 August 2007 - 05:50 PM

Hello, I've recently been getting random popups when I open my explorer browser. It is always the same few sites and it is constant.

Here is my hijackthis logfile.

Please help!! Thanks!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:24 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tbone\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Tbone\Application Data\svchost.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\khifed.dll",forkonce
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Tbone\LOCALS~1\Temp\winlogon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0023853.dat
O22 - SharedTaskScheduler: amateurishly - {1152a0e8-5be5-41cc-8312-556581690a61} - C:\WINDOWS\system32\cfqbw.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5240 bytes
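The log above already carries the indicators a responder would key on: an extra UserInit entry (a second "svchost.exe" living in Application Data), an HKCU Run value launching "winlogon.exe" from Temp, a rundll32 entry loading a DLL from the Windows root, a populated AppInit_DLLs value, and a SharedTaskScheduler entry and a service whose files are already missing. As an added example (not part of the original post and not HijackThis code), the following Python script parses HJT-style lines and applies those checks. The heuristics, trusted directories and system-binary names are assumptions of this example; SAMPLE_LOG is copied from the log posted above, and every hit is a lead for an analyst rather than a verdict.

```python
"""Flag the persistence mechanisms visible in a HijackThis (HJT) log.

Added example: not part of the original post and not HijackThis code.
The heuristics are deliberately simple assumptions (profile/Temp paths,
system-binary names outside system32, extra UserInit entries,
AppInit_DLLs, missing service files); each hit is a lead, not a verdict.
SAMPLE_LOG is copied from the log posted in this thread.
"""
import re

SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "services.exe", "smss.exe", "explorer.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files", r"c:\progra~1")
PROFILE_MARKERS = ("documents and settings", "docume~1", "\\temp\\",
                   "application data", "applic~1", "locals~1")

SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Tbone\Application Data\svchost.exe,
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\khifed.dll",forkonce
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Tbone\LOCALS~1\Temp\winlogon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0023853.dat
O22 - SharedTaskScheduler: amateurishly - {1152a0e8-5be5-41cc-8312-556581690a61} - C:\WINDOWS\system32\cfqbw.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
"""


def _norm(path):
    return path.strip().strip('"').lower()


def _suspicious_path(target):
    """Why an autostart target looks wrong, or None if nothing stands out."""
    p = _norm(target)
    if any(marker in p for marker in PROFILE_MARKERS):
        return "runs from a user profile or Temp directory"
    exe = re.search(r'([^"\s\\]+\.exe)\b', p)
    if exe and exe.group(1) in SYSTEM_NAMES and not p.startswith(r"c:\windows\system32"):
        return "uses a Windows system binary name outside system32"
    return None


def triage_hjt(text):
    """Return [(log_line, reason)] for entries worth an analyst's attention."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(R\d|F\d|O\d+) - (.*)$", line)
        if not m:
            continue
        kind, body = m.groups()
        if kind == "F2" and "UserInit=" in body:
            # Only "<system32>\userinit.exe," is normal; anything else in the
            # comma-separated list is launched at every interactive logon.
            entries = [e.strip() for e in body.split("UserInit=", 1)[1].split(",") if e.strip()]
            extra = [e for e in entries if not _norm(e).endswith(r"system32\userinit.exe")]
            if extra:
                findings.append((line, "extra UserInit entry: " + "; ".join(extra)))
        elif kind == "O4":
            target = body.split(": ", 1)[-1]                # drop "HKLM\..\Run"
            target = re.sub(r"^\[[^\]]*\]\s*", "", target)  # drop "[ValueName]"
            why = _suspicious_path(target)
            if why:
                findings.append((line, why))
            dll = re.search(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', target, re.I)
            if dll and not _norm(dll.group(1)).startswith(TRUSTED_DIRS):
                findings.append((line, "rundll32 loads a DLL from an unusual directory"))
        elif kind == "O20" and "AppInit_DLLs:" in body and body.split(":", 1)[1].strip():
            findings.append((line, "AppInit_DLLs set: loaded into every user32-linked process"))
        elif kind in ("O22", "O23"):
            path = body.rsplit(" - ", 1)[-1]
            if "(file missing)" in body:
                findings.append((line, "autostart points at a file that no longer exists"))
            elif "Unknown owner" in body and not _norm(path).startswith(TRUSTED_DIRS):
                findings.append((line, "service binary without vendor info outside trusted dirs"))
    return findings


def triage_sample():
    return triage_hjt(SAMPLE_LOG)


if __name__ == "__main__":
    for entry, reason in triage_sample():
        print(f"[!] {reason}\n    {entry}")
```

Run against SAMPLE_LOG it reports six entries and stays quiet on the NVIDIA, AVG and ForceWare lines; the "Unknown owner" check is deliberately gated on the binary's directory so that unsigned-but-vendor-installed services under Program Files do not drown out the real hits.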


#2 Trevuren
  • Malware Response Team
  • 1,006 posts
  • Location: Ontario, Canada

Posted 12 August 2007 - 10:29 PM

Hi sam07 and welcome to BleepingComputer Forums.

My name is Trevuren and I will be helping you with your problem.


A. Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum


B.
Please download this file - combofix.exe by sUBs
  • You must download it to and run it from your Desktop
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.


C. Reports/logs to Post:
  • Report.txt from SDFix
  • ComboFix.txt
  • HijackThis log run after the two previous tools have been run

Regards,

Trevuren

Microsoft MVP - Consumer Security 2008 - 2009


#3 sam07
  • Topic Starter
  • Members
  • 9 posts

Posted 12 August 2007 - 11:16 PM

I followed your detailed instructions and produced the following:

SDFIX:
SDFix: Version 1.98

Run by Tbone on Sun 08/12/2007 at 09:06 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
DomainService
runtime
SysLibrary

ImagePath:
C:\WINDOWS\system32\qwerty12.exe /service
\??\C:\WINDOWS\System32\drivers\runtime.sys
\??\C:\WINDOWS\system32\DefLib.sys

DomainService - Deleted
runtime - Deleted
SysLibrary - Deleted



Patched tcpip.sys Found!

tcpip.sys File Locations:

C:\WINDOWS\system32\dllcache\tcpip.sys
C:\WINDOWS\system32\drivers\tcpip.sys

MD5 Checksum:

[C:\WINDOWS\system32\dllcache\tcpip.sys] 43DBF31719D86C30285927BCD9680ACE
[C:\WINDOWS\system32\drivers\tcpip.sys] 43DBF31719D86C30285927BCD9680ACE


Detected Patched Files Are Listed Below:

C:\WINDOWS\system32\dllcache\tcpip.sys
C:\WINDOWS\system32\drivers\tcpip.sys

Note: SDFix Does Not Repair This File!

Please Scan All Files Above At VirusTotal!
If No Clean Copies Are Found Download The Below Update To Restore Original Files:

http://www.microsoft.com/technet/security/...n/ms06-032.mspx


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service asc3550u - Deleted after Reboot
Service runtime2 - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\Tbone\Application Data\tmp58.tmp.exe - Deleted
C:\WINDOWS\system32\1_exception.nls - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\Temp\startdrv.exe - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\qwerty12.exe"="C:\\WINDOWS\\system32\\qwe"
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost"
"C:\\WINDOWS\\spooldr.exe"="C:\\WINDOWS\\spooldr.exe:*:Enabled:enable"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\WINDOWS\defihk.tmp

Finished

ComboFix:

ComboFix 07-08-13.3 - "Tbone" 2007-08-12 21:10:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1630 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Tdot\APPLIC~1\FunWebProducts
C:\DOCUME~1\Tdot\APPLIC~1\FunWebProducts\Data\Tdot\avatar.dat
C:\Documents and Settings\Tbone\spooldr.ini
C:\fwdrv.sys
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\WINDOWS\defihk.ini
C:\WINDOWS\defihk.ini2
C:\WINDOWS\defihk.tmp
C:\WINDOWS\khifed.dll
C:\WINDOWS\system32\__c0023853.dat
C:\WINDOWS\system32\dn0052fe2e.dat


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_IPRIP
-------\fwdrv.sys
-------\Iprip


((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


2007-08-12 21:10 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-12 21:05 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-12 16:34 <DIR> d-------- C:\Program Files\InterMute
2007-08-09 16:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-08 18:49 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-08-08 18:49 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-08-08 18:49 26,752 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2007-08-08 18:49 <DIR> d-------- C:\DOCUME~1\Tbone\APPLIC~1\Research In Motion
2007-08-08 18:48 <DIR> d-------- C:\Program Files\Research In Motion
2007-08-08 18:48 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2007-08-08 18:46 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-08-07 21:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-07 21:20 <DIR> d-------- C:\DOCUME~1\Tbone\APPLIC~1\Lavasoft
2007-08-07 21:07 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-08-05 13:17 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-05 13:17 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-08-05 13:17 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-08-05 13:12 <DIR> d-------- C:\VundoFix Backups
2007-08-05 12:34 164 --a------ C:\install.dat
2007-08-05 12:31 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-08-05 00:57 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-08-04 23:29 25,664 --a------ C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-03 21:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-03 21:25 <DIR> d-------- C:\DOCUME~1\Tbone\APPLIC~1\SUPERAntiSpyware.com
2007-08-03 21:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-03 21:14 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-23 20:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Zylom
2007-07-16 22:38 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-16 22:36 29,752 --------- C:\WINDOWS\system32\InstHelper.dll
2007-07-16 22:35 94,720 --a------ C:\WINDOWS\system32\dneinobj.dll
2007-07-16 22:35 5,315 --a------ C:\WINDOWS\system32\drivers\CVirtA.sys
2007-07-16 22:35 303,740 --a------ C:\WINDOWS\system32\drivers\CVPNDRVA.sys
2007-07-16 22:35 197,680 --a------ C:\WINDOWS\system32\vpnapi.dll
2007-07-16 22:35 193,584 --a------ C:\WINDOWS\system32\CSGina.dll
2007-07-16 22:35 110,080 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2007-07-16 22:35 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2007-07-16 22:35 <DIR> d-------- C:\Program Files\Cisco Systems


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 21:49 374528 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2007-08-07 21:49 374528 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-07 21:18 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-06 21:51 14336 --a--c--- C:\WINDOWS\system32\dllcache\svchost.exe
2007-08-06 21:51 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-07-16 22:35 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-11 18:38 --------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-06-30 14:49 --------- d-------- C:\Program Files\Logitech
2007-06-30 14:49 --------- d-------- C:\Program Files\Common Files\Logitech
2007-06-30 14:43 --------- d-------- C:\DOCUME~1\Tbone\APPLIC~1\Ventrilo
2007-06-30 12:54 --------- d-------- C:\Program Files\Google
2007-06-30 02:45 --------- d-------- C:\Program Files\Ventrilo
2007-06-30 02:43 --------- d-------- C:\DOCUME~1\Tbone\APPLIC~1\DivX
2007-06-30 02:21 --------- d-------- C:\Program Files\DivX
2007-06-30 02:06 73728 --a------ C:\WINDOWS\ALCFDRTM.EXE
2007-06-30 01:55 --------- d-------- C:\Program Files\Realtek
2007-06-30 01:43 2722 --a------ C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2007-06-30 01:42 8972 --a------ C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
2007-06-30 01:31 --------- d-------- C:\Program Files\DIFX
2007-06-30 01:30 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-30 01:30 --------- d-------- C:\Program Files\BIOSTAR
2007-06-30 01:13 --------- d-------- C:\Program Files\Driver
2007-06-30 01:12 --------- d-------- C:\Program Files\NVIDIA Corporation
2007-06-30 00:52 --------- d-------- C:\Program Files\microsoft frontpage
2007-06-30 00:49 0 -rahs---- C:\MSDOS.SYS
2007-06-30 00:49 0 -rahs---- C:\IO.SYS
2007-06-30 00:49 0 --a------ C:\CONFIG.SYS
2007-06-30 00:49 0 --a------ C:\AUTOEXEC.BAT
2007-06-30 00:49 --------- d-------- C:\Program Files\AC3Filter
2007-06-30 00:47 --------- d--h----- C:\Program Files\WindowsUpdate
2007-06-30 00:47 --------- d-------- C:\Program Files\Movie Maker
2007-06-30 00:47 --------- d-------- C:\Program Files\Common Files\MSSoap
2007-06-30 00:45 --------- d-------- C:\Program Files\Online Services
2007-06-30 00:45 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-06-30 00:45 --------- d-------- C:\Program Files\Messenger
2007-06-30 00:45 --------- d-------- C:\Program Files\Games
2007-06-30 00:44 --------- d-------- C:\Program Files\Windows NT
2007-06-29 17:40 --------- d-------- C:\Program Files\Common Files\SpeechEngines
2007-06-29 17:40 --------- d-------- C:\Program Files\Common Files\ODBC
2007-05-30 23:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-30 23:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-30 23:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-30 23:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-30 23:44 740442 --a------ C:\WINDOWS\system32\DivX.dll

C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
374,528 2007-08-08 04:49:28 C:\WINDOWS\system32\dllcache\tcpip.sys
374,528 2007-08-08 04:49:30 C:\WINDOWS\system32\drivers\tcpip.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-06 13:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-05-25 20:02 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-06 13:00 C:\WINDOWS\system32\rundll32.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 17:21 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 C:\WINDOWS\SkyTel.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-07 21:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-07-16 22:35:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\__c0023853.dat

R1 BIOS;BIOS;\??\C:\WINDOWS\system32\drivers\BIOS.sys
R1 NVTCP;NVIDIA TCP/IP Protocol Driver;C:\WINDOWS\system32\DRIVERS\NVTcp.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM);C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\system32\tcpsvcs.exe
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe
S3 WINFLASH;WINFLASH;\??\C:\Program Files\BIOSTAR\T-Utility BIOS Live Update\WinFlash.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\start.exe


Contents of the 'Scheduled Tasks' folder
2007-08-05 07:01:00 C:\WINDOWS\Tasks\At1.job
2007-08-05 06:29:48 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-05 06:29:48 C:\WINDOWS\Tasks\At11.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-05 06:29:48 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-05 19:01:50 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-05 20:02:13 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-12 21:02:01 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-12 22:01:00 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-12 23:01:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-13 00:01:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-07 01:01:00 C:\WINDOWS\Tasks\At19.job
2007-08-05 08:01:48 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-12 02:01:59 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-09 03:01:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-13 04:01:52 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-08 05:01:51 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-07 06:01:00 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-05 06:29:48 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-05 06:29:48 C:\WINDOWS\Tasks\At4.job
2007-08-05 06:29:48 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-05 06:29:48 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-05 06:29:48 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-05 06:29:48 C:\WINDOWS\Tasks\At8.job
2007-08-05 06:29:48 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\04QAQk4Y.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 21:13:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-12 21:13:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-12 21:13

--- E O F ---

NEW Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:26 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tbone\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0023853.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4734 bytes
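Two findings in the SDFix and ComboFix output above deserve a second look beyond "trojan files deleted". First, SDFix reports tcpip.sys as patched and shows the same MD5 (43DBF31719D86C30285927BCD9680ACE) for both C:\WINDOWS\system32\drivers\tcpip.sys and the C:\WINDOWS\system32\dllcache\ copy; Windows File Protection and sfc /scannow repair a protected file from dllcache, so with the cache copy identical they would simply reinstall the patched driver, which is why the file has to come from a hotfix package instead (the later ComboFix log in this thread shows a fresh 359,040-byte tcpip.sys after the KB917953 install, replacing the 374,528-byte patched one). Second, ComboFix lists some twenty At*.job tasks all pointing at C:\WINDOWS\system32\04QAQk4Y.exe, the footprint of at.exe-scheduled persistence. As an added example (not part of the original post and not SDFix or ComboFix code), the following Python script encodes both checks. TRUSTED_MD5S is something the analyst supplies from a known-clean copy; the placeholder hashes in the test are not real Microsoft values, and the ComboFix excerpt is a subset of the entries the full log lists.

```python
"""Triage two findings from the SDFix and ComboFix logs in this thread.

Added example: not part of the original post and not SDFix/ComboFix code.
Assumptions: the analyst fills the trusted MD5 set from a known-clean
copy of the file (e.g. one extracted from the vendor hotfix package); the
excerpts below are copied from the logs above, the At*.job excerpt being
a subset of the full list.
"""
import hashlib
import re
from collections import Counter

SDFIX_EXCERPT = r"""
Patched tcpip.sys Found!

MD5 Checksum:

[C:\WINDOWS\system32\dllcache\tcpip.sys] 43DBF31719D86C30285927BCD9680ACE
[C:\WINDOWS\system32\drivers\tcpip.sys] 43DBF31719D86C30285927BCD9680ACE
"""

COMBOFIX_EXCERPT = r"""
2007-08-05 06:29:48 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-05 06:29:48 C:\WINDOWS\Tasks\At11.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-05 06:29:48 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-07 01:01:00 C:\WINDOWS\Tasks\At19.job
2007-08-05 08:01:48 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-05 06:29:48 C:\WINDOWS\Tasks\At4.job
2007-08-05 06:29:48 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\04QAQk4Y.exe
"""


def parse_md5_lines(text):
    """Map path -> MD5 from SDFix's "[path] HASH" lines."""
    return {m.group(1): m.group(2).upper()
            for m in re.finditer(r"^\[([^\]]+)\]\s+([0-9A-Fa-f]{32})\s*$", text, re.M)}


def md5_file(path):
    """MD5 of a file on disk, for matching against a published MD5 list.

    MD5 is adequate for matching a known-good list; it is not collision
    resistant, so do not treat a match as proof against a crafted file.
    """
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def assess_protected_file(hashes, trusted_md5s):
    """Classify the live/dllcache pair of a Windows File Protection file.

    WFP and sfc /scannow repair system32\\drivers\\X from
    system32\\dllcache\\X. When both copies carry the same untrusted hash,
    that repair only reinstalls the patched file, so a clean copy must
    come from outside the box (installer, hotfix package, clean machine).
    """
    live = next((h for p, h in hashes.items() if "\\drivers\\" in p.lower()), None)
    cache = next((h for p, h in hashes.items() if "\\dllcache\\" in p.lower()), None)
    trusted = {t.upper() for t in trusted_md5s}
    if live in trusted:
        return "clean"
    if cache in trusted:
        return "patched; dllcache copy is clean, WFP/SFC can restore it"
    if cache == live:
        return "patched; dllcache copy identical, restore from hotfix package"
    return "patched; dllcache copy also untrusted, restore from hotfix package"


def at_job_targets(combofix_text):
    """Count At*.job scheduled tasks per target binary (at.exe persistence)."""
    jobs = Counter()
    for m in re.finditer(r"C:\\WINDOWS\\Tasks\\At\d+\.job - (\S+)", combofix_text):
        jobs[m.group(1)] += 1
    return jobs


if __name__ == "__main__":
    print(assess_protected_file(parse_md5_lines(SDFIX_EXCERPT), []))
    for target, n in at_job_targets(COMBOFIX_EXCERPT).items():
        print(f"{n} scheduled At jobs -> {target}")
```

With an empty trusted set the SDFix excerpt classifies as "dllcache copy identical, restore from hotfix package", which is exactly the situation the helper resolves later in the thread; md5_file is there so the same comparison can be run on a live disk against the hash a hotfix package ships.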

#4 Trevuren
  • Malware Response Team
  • 1,006 posts
  • Location: Ontario, Canada

Posted 13 August 2007 - 12:32 AM

These are big time problems we are dealing with. Be prepared to do some work if we are to try and salvage this system.

There are two files that I need to have checked:

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\system32\dllcache\tcpip.sys

  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
  • Now repeat the same procedures with the following file
C:\WINDOWS\system32\drivers\tcpip.sys

#5 sam07
  • Topic Starter
  • Members
  • 9 posts

Posted 15 August 2007 - 10:57 PM

I did what you asked and it displayed only:

0 bytes size received / Se ha recibido un archivo vacio (Spanish: an empty file has been received)

I tried another online scanner and it gave me an error saying the file is 0kb.

Edited by sam07, 15 August 2007 - 11:15 PM.


#6 sam07
  • Topic Starter
  • Members
  • 9 posts

Posted 15 August 2007 - 11:07 PM

If it helps, AVG detected C:\WINDOWS\system32\dllcache\tcpip.sys as Win32/PEPatch virus

#7 Trevuren
  • Malware Response Team
  • 1,006 posts
  • Location: Ontario, Canada

Posted 15 August 2007 - 11:48 PM

This should provide you with "clean" tcpip.sys files:

Visit Microsoft > http://www.microsoft.com/downloads/d...displaylang=en
Download & install the update, KB917953 then reboot.

Then run ComboFix again and post the new ComboFix.txt


Good Luck

Trevuren

Edited by Trevuren, 15 August 2007 - 11:49 PM.


#8 sam07
  • Topic Starter
  • Members
  • 9 posts

Posted 16 August 2007 - 12:32 AM

ComboFix 07-08-13.3 - "Tbone" 2007-08-15 22:29:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1658 [GMT -7:00]


((((((((((((((((((((((((( Files Created from 2007-07-16 to 2007-08-16 )))))))))))))))))))))))))))))))


2007-08-15 22:26 <DIR> d-------- C:\08bb318934611245a0
2007-08-15 22:16 1,265,664 --a------ C:\DOCUME~1\Tbone\ntuser.dat
2007-08-15 22:15 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-15 21:17 359,040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-12 21:10 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-12 21:05 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-12 16:34 <DIR> d-------- C:\Program Files\InterMute
2007-08-09 16:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-08 18:49 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-08-08 18:49 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-08-08 18:49 26,752 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2007-08-08 18:49 <DIR> d-------- C:\DOCUME~1\Tbone\APPLIC~1\Research In Motion
2007-08-08 18:48 <DIR> d-------- C:\Program Files\Research In Motion
2007-08-08 18:48 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2007-08-08 18:46 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-08-07 21:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-07 21:20 <DIR> d-------- C:\DOCUME~1\Tbone\APPLIC~1\Lavasoft
2007-08-07 21:07 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-08-05 13:17 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-05 13:17 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-08-05 13:17 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-08-05 13:12 <DIR> d-------- C:\VundoFix Backups
2007-08-05 12:34 164 --a------ C:\install.dat
2007-08-05 12:31 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-08-05 00:57 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-08-04 23:29 25,664 --a------ C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-03 21:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-03 21:25 <DIR> d-------- C:\DOCUME~1\Tbone\APPLIC~1\SUPERAntiSpyware.com
2007-08-03 21:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-03 21:14 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-23 20:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Zylom
2007-07-16 22:38 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-16 22:36 29,752 --------- C:\WINDOWS\system32\InstHelper.dll
2007-07-16 22:35 94,720 --a------ C:\WINDOWS\system32\dneinobj.dll
2007-07-16 22:35 5,315 --a------ C:\WINDOWS\system32\drivers\CVirtA.sys
2007-07-16 22:35 303,740 --a------ C:\WINDOWS\system32\drivers\CVPNDRVA.sys
2007-07-16 22:35 197,680 --a------ C:\WINDOWS\system32\vpnapi.dll
2007-07-16 22:35 193,584 --a------ C:\WINDOWS\system32\CSGina.dll
2007-07-16 22:35 110,080 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2007-07-16 22:35 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2007-07-16 22:35 <DIR> d-------- C:\Program Files\Cisco Systems


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 21:18 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-06 21:51 14336 --a--c--- C:\WINDOWS\system32\dllcache\svchost.exe
2007-08-06 21:51 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-07-16 22:35 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-11 18:38 --------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-06-30 14:49 --------- d-------- C:\Program Files\Logitech
2007-06-30 14:49 --------- d-------- C:\Program Files\Common Files\Logitech
2007-06-30 14:43 --------- d-------- C:\DOCUME~1\Tbone\APPLIC~1\Ventrilo
2007-06-30 12:54 --------- d-------- C:\Program Files\Google
2007-06-30 02:45 --------- d-------- C:\Program Files\Ventrilo
2007-06-30 02:43 --------- d-------- C:\DOCUME~1\Tbone\APPLIC~1\DivX
2007-06-30 02:21 --------- d-------- C:\Program Files\DivX
2007-06-30 02:06 73728 --a------ C:\WINDOWS\ALCFDRTM.EXE
2007-06-30 01:55 --------- d-------- C:\Program Files\Realtek
2007-06-30 01:43 2722 --a------ C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2007-06-30 01:42 8972 --a------ C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
2007-06-30 01:31 --------- d-------- C:\Program Files\DIFX
2007-06-30 01:30 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-30 01:30 --------- d-------- C:\Program Files\BIOSTAR
2007-06-30 01:13 --------- d-------- C:\Program Files\Driver
2007-06-30 01:12 --------- d-------- C:\Program Files\NVIDIA Corporation
2007-06-30 00:52 --------- d-------- C:\Program Files\microsoft frontpage
2007-06-30 00:49 0 -rahs---- C:\MSDOS.SYS
2007-06-30 00:49 0 -rahs---- C:\IO.SYS
2007-06-30 00:49 0 --a------ C:\CONFIG.SYS
2007-06-30 00:49 0 --a------ C:\AUTOEXEC.BAT
2007-06-30 00:49 --------- d-------- C:\Program Files\AC3Filter
2007-06-30 00:47 --------- d--h----- C:\Program Files\WindowsUpdate
2007-06-30 00:47 --------- d-------- C:\Program Files\Movie Maker
2007-06-30 00:47 --------- d-------- C:\Program Files\Common Files\MSSoap
2007-06-30 00:45 --------- d-------- C:\Program Files\Online Services
2007-06-30 00:45 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-06-30 00:45 --------- d-------- C:\Program Files\Messenger
2007-06-30 00:45 --------- d-------- C:\Program Files\Games
2007-06-30 00:44 --------- d-------- C:\Program Files\Windows NT
2007-06-29 17:40 --------- d-------- C:\Program Files\Common Files\SpeechEngines
2007-06-29 17:40 --------- d-------- C:\Program Files\Common Files\ODBC
2007-05-30 23:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-30 23:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-30 23:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-30 23:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-30 23:44 740442 --a------ C:\WINDOWS\system32\DivX.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-06 13:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-05-25 20:02 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-06 13:00 C:\WINDOWS\system32\rundll32.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 17:21 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 C:\WINDOWS\SkyTel.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-07 21:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-07-16 22:35:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\__c0023853.dat

R1 BIOS;BIOS;\??\C:\WINDOWS\system32\drivers\BIOS.sys
R1 NVTCP;NVIDIA TCP/IP Protocol Driver;C:\WINDOWS\system32\DRIVERS\NVTcp.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM);C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\system32\tcpsvcs.exe
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe
S3 WINFLASH;WINFLASH;\??\C:\Program Files\BIOSTAR\T-Utility BIOS Live Update\WinFlash.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\start.exe


Contents of the 'Scheduled Tasks' folder
2007-08-15 07:01:00 C:\WINDOWS\Tasks\At1.job
2007-08-15 16:01:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-15 17:01:00 C:\WINDOWS\Tasks\At11.job
2007-08-15 18:01:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-15 19:01:00 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-15 20:01:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-15 21:01:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-15 22:01:00 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-15 23:01:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-16 00:01:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-16 01:01:00 C:\WINDOWS\Tasks\At19.job
2007-08-15 08:01:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-16 02:01:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-16 03:01:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-16 04:01:00 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-16 05:01:00 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-15 06:01:00 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-15 09:01:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-15 10:01:00 C:\WINDOWS\Tasks\At4.job
2007-08-15 11:01:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-15 12:01:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-15 13:01:00 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-15 14:01:00 C:\WINDOWS\Tasks\At8.job
2007-08-15 15:01:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\04QAQk4Y.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 22:29:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-15 22:29:56
C:\ComboFix-quarantined-files.txt ... 2007-08-15 22:29
C:\ComboFix2.txt ... 2007-08-12 21:13

--- E O F ---

#9 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 16 August 2007 - 01:02 AM

Please provide a list of uninstallable programs.

To Provide a List of Installed Programs
  • Run HijackThis.
  • Click Config>>Miscellaneous Tools>>Open Uninstall Manager>>Save List
  • Save list to Desktop
  • Copy the Notepad list and Paste it into this thread.


#10 sam07

sam07
  • Topic Starter

  • Members
  • 9 posts

Posted 16 August 2007 - 11:31 PM

AC3Filter (remove only)
Ad-Aware SE Professional
Adobe Reader 8.1.0
AVG 7.5
BlackBerry Desktop Software 4.2
BlackBerry Desktop Software 4.2
DivX Codec
DivX Converter
DivX Player
DivX Web Player
High Definition Audio Driver Package - KB835221
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Logitech MouseWare 9.80
Microsoft .NET Framework 1.1 SP1
Microsoft .NET Framework 2.0
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
Realtek High Definition Audio Driver
Security Update for Windows XP (KB917953)
T-Utility BIOS Live Update
Ventrilo Client
VPN Client
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Media Format 11 runtime
Windows Media Player 11

#11 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 17 August 2007 - 12:24 AM

A. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0023853.dat


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\04QAQk4Y.exe
C:\install.dat
C:\WINDOWS\system32\04QAQk4Y.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job 
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job 
C:\WINDOWS\Tasks\At13.job 
C:\WINDOWS\Tasks\At14.job 
C:\WINDOWS\Tasks\At15.job 
C:\WINDOWS\Tasks\At16.job 
C:\WINDOWS\Tasks\At17.job 
C:\WINDOWS\Tasks\At18.job 
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job 
C:\WINDOWS\Tasks\At20.job 
C:\WINDOWS\Tasks\At21.job 
C:\WINDOWS\Tasks\At22.job 
C:\WINDOWS\Tasks\At23.job 
C:\WINDOWS\Tasks\At24.job 
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job 
C:\WINDOWS\Tasks\At7.job 
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
E:\start.exe

Folder::
C:\08bb318934611245a0

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

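As an added example (not code from the thread, from ComboFix or from HijackThis), the following Python script reads the three persistence indicators the ComboFix log above shows (the hourly At*.job tasks all launching one executable, the non-DLL AppInit_DLLs value, the MountPoints2 AutoRun command) and drafts a CFScript in the File::/Registry:: form used in the post above. The log excerpt inside it is a constructed sample modelled on the thread's log, and the cluster threshold of three tasks is an assumption.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the ComboFix log posted in this thread;
# it is not the full log, only the sections this script reads.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\__c0023853.dat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\start.exe

Contents of the 'Scheduled Tasks' folder
2007-08-15 07:01:00 C:\WINDOWS\Tasks\At1.job
2007-08-15 16:01:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-15 17:01:00 C:\WINDOWS\Tasks\At11.job
2007-08-15 18:01:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\04QAQk4Y.exe
2007-08-15 08:01:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\04QAQk4Y.exe

**************************************************************************"""

TASK_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<job>\S+\.job)(?: - (?P<target>.+))?$")
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
APPINIT_LINE = re.compile(r'^"appinit_dlls"=(?P<value>.*)$', re.IGNORECASE)
AUTORUN_LINE = re.compile(r"^AutoRun\\command-\s*(?P<cmd>.+)$", re.IGNORECASE)


def parse_tasks(log):
    """Return [(job_path, target_or_None)] from the Scheduled Tasks section."""
    tasks, in_section = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if in_section:
            m = TASK_LINE.match(line)
            if not m:
                if line:  # the section ends at the first non-task text
                    break
                continue
            tasks.append((m.group("job"), m.group("target")))
    return tasks


def parse_registry(log):
    """Return (appinit_value_or_None, [(mountpoints2_key, autorun_cmd)])."""
    appinit, autoruns, current_key = None, [], None
    for line in log.splitlines():
        line = line.strip()
        k = KEY_LINE.match(line)
        if k:
            current_key = k.group("key")
            continue
        a = APPINIT_LINE.match(line)
        if a:
            appinit = a.group("value").strip()
        r = AUTORUN_LINE.match(line)
        if r and current_key and "mountpoints2" in current_key.lower():
            autoruns.append((current_key, r.group("cmd").strip()))
    return appinit, autoruns


def analyze(log, min_jobs=3):
    """Collect the findings a helper would raise on this kind of log."""
    findings = {"task_clusters": {}, "appinit_non_dll": None, "autoruns": []}
    by_target = defaultdict(list)
    for job, target in parse_tasks(log):
        if target:
            by_target[target].append(job)
    # Many At*.job entries launching one executable = hourly persistence.
    for target, jobs in by_target.items():
        if len(jobs) >= min_jobs:
            findings["task_clusters"][target] = sorted(jobs)
    appinit, autoruns = parse_registry(log)
    # AppInit_DLLs is loaded into user-mode processes; a non-.dll extension
    # there is a disguise (the thread's __c0023853.dat).
    if appinit and not appinit.lower().endswith(".dll"):
        findings["appinit_non_dll"] = appinit
    findings["autoruns"] = autoruns
    return findings


def build_cfscript(log, min_jobs=3):
    """Draft a CFScript with the File::/Registry:: sections used in the thread."""
    findings = analyze(log, min_jobs)
    files, keys = set(), []
    for target in findings["task_clusters"]:
        files.add(target)
        # The empty At*.job siblings come from the same scheduler loop, so
        # every At*.job in the report is listed, as the helper did above.
        files.update(j for j, _ in parse_tasks(log)
                     if re.search(r"\\At\d+\.job$", j))
    for key, cmd in findings["autoruns"]:
        files.add(cmd)
        keys.append("[-%s]" % key)  # '-' prefix, as in the thread's script
    lines = ["File::"] + sorted(files)
    if keys:
        lines += ["", "Registry::"] + keys
    return "\n".join(lines) + "\n"
```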

#12 sam07

sam07
  • Topic Starter

  • Members
  • 9 posts

Posted 17 August 2007 - 01:05 AM

Results:

ComboFix 07-08-13.3 - "Tbone" 2007-08-16 22:59:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1553 [GMT -7:00]
Command switches used :: C:\Documents and Settings\Tbone\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\04QAQk4Y.exe
C:\install.dat
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
E:\start.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\08bb318934611245a0
C:\08bb318934611245a0\SP1QFE\tcpip.sys
C:\08bb318934611245a0\SP2GDR\tcpip.sys
C:\08bb318934611245a0\SP2QFE\tcpip.sys
C:\08bb318934611245a0\spmsg.dll
C:\08bb318934611245a0\spuninst.exe
C:\08bb318934611245a0\update\branches.inf
C:\08bb318934611245a0\update\KB917953.CAT
C:\08bb318934611245a0\update\spcustom.dll
C:\08bb318934611245a0\update\update.exe
C:\08bb318934611245a0\update\update.ver
C:\08bb318934611245a0\update\update_SP1QFE.inf
C:\08bb318934611245a0\update\update_SP2GDR.inf
C:\08bb318934611245a0\update\update_SP2QFE.inf
C:\08bb318934611245a0\update\updatebr.inf
C:\08bb318934611245a0\update\updspapi.dll
C:\install.dat
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job


((((((((((((((((((((((((( Files Created from 2007-07-17 to 2007-08-17 )))))))))))))))))))))))))))))))


2007-08-16 22:04 <DIR> d-------- C:\DOCUME~1\Tbone\APPLIC~1\Sandbox
2007-08-16 22:03 <DIR> d-------- C:\Program Files\Sandboxie
2007-08-15 22:16 1,265,664 --a------ C:\DOCUME~1\Tbone\ntuser.dat
2007-08-15 22:15 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-15 21:17 359,040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-12 21:10 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-12 21:05 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-12 16:34 <DIR> d-------- C:\Program Files\InterMute
2007-08-09 16:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-08 18:49 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-08-08 18:49 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-08-08 18:49 26,752 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2007-08-08 18:49 <DIR> d-------- C:\DOCUME~1\Tbone\APPLIC~1\Research In Motion
2007-08-08 18:48 <DIR> d-------- C:\Program Files\Research In Motion
2007-08-08 18:48 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2007-08-08 18:46 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-08-07 21:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-07 21:20 <DIR> d-------- C:\DOCUME~1\Tbone\APPLIC~1\Lavasoft
2007-08-07 21:07 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-08-05 13:17 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-05 13:17 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-08-05 13:17 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-08-05 13:12 <DIR> d-------- C:\VundoFix Backups
2007-08-05 12:31 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-08-05 00:57 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-08-03 21:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-03 21:25 <DIR> d-------- C:\DOCUME~1\Tbone\APPLIC~1\SUPERAntiSpyware.com
2007-08-03 21:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-03 21:14 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-23 20:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Zylom
2007-07-16 22:38 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-16 22:36 29,752 --------- C:\WINDOWS\system32\InstHelper.dll
2007-07-16 22:35 94,720 --a------ C:\WINDOWS\system32\dneinobj.dll
2007-07-16 22:35 5,315 --a------ C:\WINDOWS\system32\drivers\CVirtA.sys
2007-07-16 22:35 303,740 --a------ C:\WINDOWS\system32\drivers\CVPNDRVA.sys
2007-07-16 22:35 197,680 --a------ C:\WINDOWS\system32\vpnapi.dll
2007-07-16 22:35 193,584 --a------ C:\WINDOWS\system32\CSGina.dll
2007-07-16 22:35 110,080 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2007-07-16 22:35 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2007-07-16 22:35 <DIR> d-------- C:\Program Files\Cisco Systems


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 21:18 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-06 21:51 14336 --a--c--- C:\WINDOWS\system32\dllcache\svchost.exe
2007-08-06 21:51 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-07-16 22:35 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-11 18:38 --------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-06-30 14:49 --------- d-------- C:\Program Files\Logitech
2007-06-30 14:49 --------- d-------- C:\Program Files\Common Files\Logitech
2007-06-30 14:43 --------- d-------- C:\DOCUME~1\Tbone\APPLIC~1\Ventrilo
2007-06-30 12:54 --------- d-------- C:\Program Files\Google
2007-06-30 02:45 --------- d-------- C:\Program Files\Ventrilo
2007-06-30 02:43 --------- d-------- C:\DOCUME~1\Tbone\APPLIC~1\DivX
2007-06-30 02:21 --------- d-------- C:\Program Files\DivX
2007-06-30 02:06 73728 --a------ C:\WINDOWS\ALCFDRTM.EXE
2007-06-30 01:55 --------- d-------- C:\Program Files\Realtek
2007-06-30 01:43 2722 --a------ C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2007-06-30 01:42 8972 --a------ C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
2007-06-30 01:31 --------- d-------- C:\Program Files\DIFX
2007-06-30 01:30 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-30 01:30 --------- d-------- C:\Program Files\BIOSTAR
2007-06-30 01:13 --------- d-------- C:\Program Files\Driver
2007-06-30 01:12 --------- d-------- C:\Program Files\NVIDIA Corporation
2007-06-30 00:52 --------- d-------- C:\Program Files\microsoft frontpage
2007-06-30 00:49 0 -rahs---- C:\MSDOS.SYS
2007-06-30 00:49 0 -rahs---- C:\IO.SYS
2007-06-30 00:49 0 --a------ C:\CONFIG.SYS
2007-06-30 00:49 0 --a------ C:\AUTOEXEC.BAT
2007-06-30 00:49 --------- d-------- C:\Program Files\AC3Filter
2007-06-30 00:47 --------- d--h----- C:\Program Files\WindowsUpdate
2007-06-30 00:47 --------- d-------- C:\Program Files\Movie Maker
2007-06-30 00:47 --------- d-------- C:\Program Files\Common Files\MSSoap
2007-06-30 00:45 --------- d-------- C:\Program Files\Online Services
2007-06-30 00:45 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-06-30 00:45 --------- d-------- C:\Program Files\Messenger
2007-06-30 00:45 --------- d-------- C:\Program Files\Games
2007-06-30 00:44 --------- d-------- C:\Program Files\Windows NT
2007-06-29 17:40 --------- d-------- C:\Program Files\Common Files\SpeechEngines
2007-06-29 17:40 --------- d-------- C:\Program Files\Common Files\ODBC
2007-05-30 23:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-30 23:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-30 23:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-30 23:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-30 23:44 740442 --a------ C:\WINDOWS\system32\DivX.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-06 13:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-05-25 20:02 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-06 13:00 C:\WINDOWS\system32\rundll32.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 17:21 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 C:\WINDOWS\SkyTel.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-16 09:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06]
"SandboxieControl"="C:\Program Files\Sandboxie\Control.exe" [2007-08-15 20:07]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-07-16 22:35:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)

R1 BIOS;BIOS;\??\C:\WINDOWS\system32\drivers\BIOS.sys
R1 NVTCP;NVIDIA TCP/IP Protocol Driver;C:\WINDOWS\system32\DRIVERS\NVTcp.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM);C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\system32\tcpsvcs.exe
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 SbieDrv;SbieDrv;\??\C:\Program Files\Sandboxie\SbieDrv.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe
S3 WINFLASH;WINFLASH;\??\C:\Program Files\BIOSTAR\T-Utility BIOS Live Update\WinFlash.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


Contents of the 'Scheduled Tasks' folder
2007-08-16 09:01:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\04QAQk4Y.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-16 23:01:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-16 23:01:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-16 23:01
C:\ComboFix2.txt ... 2007-08-15 22:29
C:\ComboFix3.txt ... 2007-08-12 21:13

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:25 PM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sandboxie\Control.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tbone\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SandboxieControl] C:\Program Files\Sandboxie\Control.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

--
End of file - 4682 bytes

#13 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ontario, Canada

Posted 17 August 2007 - 09:42 AM

There is a file in your log of which I am unsure. For that reason, I need you to submit it to Jotti's for analysis.

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\WINDOWS\system32\04QAQk4Y.exe

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.


Then to make sure that there are no more "baddies" lurking, please do the following:

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Click Yes, when prompted to install its ActiveX component.
(Note for Internet Explorer 7 users: if at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
[Screenshots: the Kaspersky Online Scanner "Scan is completed" window, with the Save Report As button marked by a red arrow]
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply, along with a fresh HijackThis log

Regards,

Trevuren

Microsoft MVP - Consumer Security 2008 - 2009

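Reading a Kaspersky Online Scanner report by hand is slow, and the bulk of it is "Object is locked" filler. The script below is an added example (not from this thread, and not Kaspersky's own code) that parses the report's text format, separates detections sitting in contained locations (System Restore points, the QooBox quarantine folder) from detections in live paths, and cross-checks the result lines against the report's own statistics block. The sample report is a constructed excerpt modelled on the one sam07 posts in the next reply.

```python
"""Triage a Kaspersky Online Scanner 5.x text report (added example, not from
this thread or from Kaspersky): separate detections sitting in contained
locations (System Restore points, the QooBox quarantine folder) from live
paths, and cross-check the result lines against the report's statistics."""
import re
from dataclasses import dataclass

# A result line is "<path> Object is locked skipped" or
# "<path> Infected: <detection-name> skipped" (also "Suspicious: ...").
# Paths contain spaces, so the path is matched lazily up to the status text.
_RESULT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:(?P<locked>Object is locked)|"
    r"(?P<kind>Infected|Suspicious): (?P<name>\S+))\s+(?P<action>\S+)$"
)
# Numeric lines of the "Scan Statistics" block, e.g. "Number of infected objects: 4".
_STAT_RE = re.compile(r"^((?:Total n|N)umber of [^:]+):\s*(\d+)$")
# Locations where a detection is dormant rather than running code.
_CONTAINED = (
    (re.compile(r"\\System Volume Information\\_restore\{", re.I), "restore point"),
    (re.compile(r"\\QooBox\\Quarantine\\", re.I), "quarantine"),
)


@dataclass(frozen=True)
class Detection:
    path: str
    kind: str    # "Infected" or "Suspicious"
    name: str    # Kaspersky detection name
    action: str  # last action; the online scanner only reports, so "skipped"

    @property
    def location(self) -> str:
        for pattern, label in _CONTAINED:
            if pattern.search(self.path):
                return label
        return "live"


def parse_report(text: str) -> dict:
    """Return the statistics block, the detections and the number of locked objects."""
    stats, detections, locked, in_results = {}, [], 0, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("Infected Object Name"):
            in_results = True  # everything after this header is a result line
            continue
        if not in_results:
            m = _STAT_RE.match(line)
            if m:
                stats[m.group(1)] = int(m.group(2))
            continue
        m = _RESULT_RE.match(line)
        if m is None:
            continue  # tolerate lines mangled by the forum paste
        if m.group("locked"):
            locked += 1  # in-use system files the scanner could not open, not findings
        else:
            detections.append(Detection(m.group("path"), m.group("kind"),
                                        m.group("name"), m.group("action")))
    return {"stats": stats, "detections": detections, "locked": locked}


def triage(report: dict) -> dict:
    """Bucket detections by location and check them against the statistics block."""
    buckets = {"live": [], "restore point": [], "quarantine": []}
    for det in report["detections"]:
        buckets[det.location].append(det)
    infected = [d for d in report["detections"] if d.kind == "Infected"]
    stats = report["stats"]
    return {
        "buckets": buckets,
        # Either check fails when the pasted report was truncated or mangled.
        "objects_match": stats.get("Number of infected objects") == len(infected),
        "viruses_match": stats.get("Number of viruses found") == len({d.name for d in infected}),
        "needs_action": [d.path for d in buckets["live"]],
    }


# Constructed excerpt modelled on the report posted in this thread; the
# "Object is locked" filler is cut down to two representative lines.
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER REPORT
Scan Statistics:
Total number of scanned objects: 44753
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 0
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\QooBox\Quarantine\C\fwdrv.sys.vir Infected: SpamTool.Win32.Agent.u skipped
C:\System Volume Information\_restore{834FB65E-3BB9-4403-8302-BC91FA4C8C3A}\RP16\A0003338.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{834FB65E-3BB9-4403-8302-BC91FA4C8C3A}\RP36\A0003734.exe Infected: not-a-virus:FraudTool.Win32.VirusProtectPro.d skipped
C:\System Volume Information\_restore{834FB65E-3BB9-4403-8302-BC91FA4C8C3A}\RP44\A0005290.sys Infected: SpamTool.Win32.Agent.u skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""
```

For the excerpt above, `triage(parse_report(SAMPLE_REPORT))` reports nothing in the live bucket: all four detections sit in restore points or quarantine, which is why the usual follow-up is flushing System Restore rather than deleting files by hand.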

#14 sam07

sam07
  • Topic Starter

  • Members
  • 9 posts

Posted 17 August 2007 - 09:33 PM

C:\WINDOWS\system32\04QAQk4Y.exe could not be found; therefore, I could not scan it.

Here are the logs requested:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, August 17, 2007 7:30:18 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 18/08/2007
Kaspersky Anti-Virus database records: 384773
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 44753
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:30:02

Infected Object Name / Virus Name / Last Action
C:\QooBox\Quarantine\C\fwdrv.sys.vir Infected: SpamTool.Win32.Agent.u skipped
C:\System Volume Information\_restore{834FB65E-3BB9-4403-8302-BC91FA4C8C3A}\RP16\A0003338.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{834FB65E-3BB9-4403-8302-BC91FA4C8C3A}\RP36\A0003734.exe Infected: not-a-virus:FraudTool.Win32.VirusProtectPro.d skipped
C:\System Volume Information\_restore{834FB65E-3BB9-4403-8302-BC91FA4C8C3A}\RP44\A0005290.sys Infected: SpamTool.Win32.Agent.u skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000935.inf Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000936.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000937.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000938.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000939.cat Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000940.cat Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000941.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000942.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000943.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000944.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000945.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000946.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000947.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000948.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000949.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000950.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000951.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000952.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000953.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000954.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000955.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000956.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000957.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000958.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000959.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000960.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000961.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000962.tsp Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000963.TSP Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000964.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000965.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000966.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000967.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000968.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000969.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000970.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000971.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000972.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000973.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000974.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000975.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000976.ver Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000977.ver Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP23\A0000978.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001022.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001023.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001024.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001025.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001026.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001027.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001028.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001029.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001030.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001031.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001032.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001033.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001034.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001035.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001036.inf Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001037.inf Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001038.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001039.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001040.cat Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001041.cat Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001042.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001043.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001044.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001045.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001046.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001047.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001048.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001049.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001050.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001051.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001052.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001053.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001054.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001055.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001056.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001057.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001058.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001059.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001060.ver Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001061.ver Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001062.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001063.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001064.exe Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001065.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001066.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001067.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001068.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001069.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001070.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001071.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001072.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001073.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001074.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001075.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001076.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001077.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001078.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001079.dll Object is locked skipped
D:\System Volume Information\_restore{275DEED1-2BD6-461D-9485-BCEDD6FD6E7A}\RP24\A0001080.dll Object is locked skipped
D:\System Volume Information\_restore{834FB65E-3BB9-4403-8302-BC91FA4C8C3A}\RP49\change.log Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:58 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Tbone\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SandboxieControl] C:\Program Files\Sandboxie\Control.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

--
End of file - 4702 bytes

#15 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:03:18 AM

Posted 18 August 2007 - 01:07 AM

Please RUN HijackThis
  • Click the SCAN button to produce a log.
  • Place a check mark beside each one of the following items:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
  • Reboot Your System
  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in this thread so we can check how everything looks now. In addition, please tell me if there are any more malware problems that you are aware of.

Regards,

Trevuren

Microsoft MVP - Consumer Security 2008 - 2009

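The helper's instructions above amount to reading the HijackThis log entry by entry and picking out the lines to fix. The parser below is an added example written for this thread, not code from HijackThis or from anyone in the discussion; its regular expressions are assumptions derived only from the shape of the lines in the log posted above (R0 registry values, O2 BHOs, O4 autoruns, O23 services), and the sample lines are constructed from that log. It shows how the entry kinds decompose into fields, how the exact lines a helper names can be matched for fixing, and how Start Page values can be compared against whatever baseline you expect.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2 log format; the lines are copied from the
# log posted earlier in this thread so the entry kinds match what is shown there.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O4 - HKCU\..\Run: [SandboxieControl] C:\Program Files\Sandboxie\Control.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')",
    r"O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe",
    r"O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe",
    "--",
    "End of file - 4702 bytes",
]

# Assumed patterns, inferred from the log lines above (not HijackThis's own grammar).
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r"^(?P<location>.+?): \[(?P<label>[^\]]*)\] (?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
O23_RE = re.compile(r"^Service: (?P<display>.+?) \((?P<short>[^()]+)\) - (?P<vendor>.+?) - (?P<path>.+)$")


@dataclass
class Entry:
    kind: str            # R0, O2, O4, O23, ...
    raw: str             # the original line, whitespace-trimmed
    fields: dict = field(default_factory=dict)


def parse_entry(line):
    """Parse one HijackThis log line into an Entry; return None for non-entry lines."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    e = Entry(kind=kind, raw=line)
    if kind.startswith("R"):
        # R0/R1: "<hive>\<key>,<value name> = <data>"
        left, _, data = body.partition(" = ")
        key, _, value = left.rpartition(",")
        e.fields.update(key=key, value=value, data=data)
    elif kind == "O2":
        # O2: "BHO: <name> - {CLSID} - <dll path>"; anchor on the CLSID so a
        # name containing " - " is still split correctly
        c = CLSID_RE.search(body)
        if c:
            e.fields.update(name=body[len("BHO: "):c.start()].strip(" -"),
                            clsid=c.group(0),
                            path=body[c.end():].strip(" -"))
    elif kind == "O4":
        m4 = O4_RE.match(body)
        if m4:
            # Registry autorun: "<location>: [<label>] <command> (User '<user>')?"
            e.fields.update({k: v for k, v in m4.groupdict().items() if v is not None})
        else:
            # Startup-folder autorun: "Global Startup: <link>.lnk = <target>"
            location, _, rest = body.partition(": ")
            link, _, target = rest.partition(" = ")
            e.fields.update(location=location, label=link, command=target)
    elif kind == "O23":
        m23 = O23_RE.match(body)
        if m23:
            # Service: "<display name> (<short name>) - <vendor> - <path>"
            e.fields.update(m23.groupdict())
    return e


def parse_log(lines):
    """Parse every entry line of a log, skipping headers, separators and blanks."""
    return [e for e in (parse_entry(l) for l in lines) if e is not None]


def select_for_fix(entries, fix_lines):
    """Return the entries that exactly match the lines a helper asked to have fixed
    (whitespace-normalised), mirroring 'place a check mark beside each of these items'."""
    wanted = {" ".join(l.split()) for l in fix_lines}
    return [e for e in entries if " ".join(e.raw.split()) in wanted]


def start_pages(entries):
    """Map each R0 'Start Page' registry key to its data, for comparison with a baseline."""
    return {e.fields["key"]: e.fields["data"]
            for e in entries if e.kind == "R0" and e.fields.get("value") == "Start Page"}


def autoruns_by_location(entries):
    """Group O4 autorun commands by where they are registered (HKLM, HKCU, per-SID, startup folder)."""
    out = {}
    for e in entries:
        if e.kind == "O4":
            out.setdefault(e.fields.get("location", "?"), []).append(e.fields.get("command", e.raw))
    return out


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for key, data in start_pages(parsed).items():
        print(f"Start Page under {key}: {data}")
    for hit in select_for_fix(parsed, [SAMPLE_LOG[1]]):
        print("would fix:", hit.raw)
```

The matching in select_for_fix is deliberately exact: a fix list is a set of specific lines a helper reviewed, and fuzzy matching would risk ticking an entry that was never named.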



