Warning Potential Spyware Operation


  • This topic is locked
7 replies to this topic

#1 plus766

  • Members
  • 8 posts
  • Gender:Female

Posted 01 December 2007 - 03:27 PM

Your computer is making unathorized copies of your system and Internet files. Run full scan now to "pervent" any "unathorised" access to your files!

These dummies can't spell but they sure can mess up my friend's computer!
I have been working on this all week, and I need help. I have run Spybot Search and Destroy several times and got my control panel back, but I still can't get Windows updates, tells me that it is disabled by the administrator and I am logged on as administrator.
Ran SmitFraud and it worked - seemingly - but then the next time I tried to run it, it had turned the program errors into another language. So I reinstalled and ran it again.
Downloaded HijackThis, and this is my log.
Any help would be appreciated. I have posted this in three forums, I'm sorry if some of you work the other forums, but this is his work computer and he's hitting the road again on Monday, so I need to get it back to him tomorrow.
Thank you in advance for any suggestions.
Pam
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:45 PM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\RunOnce: [SpybotDeletingA4748] command /c del "C:\WINDOWS\system32\WinAvXX.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC946] cmd /c del "C:\WINDOWS\system32\WinAvXX.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy_karen\TeaTimer.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\All Users\Documents\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\All Users\Documents\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158600381187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/qdiagh.cab?326
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

--
End of file - 4655 bytes



#2 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 01 December 2007 - 05:29 PM

Hi,

Please reply in the other forums that you are already receiving help here, so the helpers there can help someone else instead.

Some remarks first... This log was posted from Windows Safe mode. I really need to see a log from Windows normal mode.

Also..

"Any help would be appreciated. I have posted this in three forums, I'm sorry if some of you work the other forums, but this is his work computer and he's hitting the road again on Monday, so I need to get it back to him tomorrow."

Since you are posting a log from a Company owned computer... There are a few things that need attention first before we proceed with this..

* You must inform your Supervisor immediately.

This because of:
  • Most company machines are connected into a network at some time or other, and your infection may compromise the security of that network.
  • If sensitive material is compromised by an infection, your company could be held liable.

* Your Company must give permission for us to give you assistance.

This because of:
  • We are not here to replace your company's IT Department. If there's an IT Department, then they are responsible to deal with this.
  • There may be sensitive material on your computer that your company would not want revealed in an open forum.

What I also don't understand is the fact that I don't see a running Antivirus. I do see some parts of Symantec installed, but most parts are missing, so this Antivirus doesn't work anyway and was probably already partially deleted previously.
Not having a working Antivirus is IRRESPONSIBLE for a computer used at work.

That's why this is a first step..

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.

#3 plus766

  • Topic Starter

  • Members
  • 8 posts
  • Gender:Female

Posted 01 December 2007 - 06:52 PM

Thank you so much for your response. I am downloading the antivirus software. The computer had antivirus software but it was deleted when this infection came on.
The gentleman that gave it to me to work on is the supervisor, I deleted the tech user, and will re-add a tech user when the computer gets clean. He has given me permission to do whatever it takes to bring the computer back, including if needed, switching out the hard drive and installing windows again.
I told him that I did not think this would need to be done.
The IT dept is 1200 miles away and these are field computers only, no vpn connections and not going to be hooked to the corporate network.
I have given the user the list of recommendations to not get re-infected, and he is committed to keeping the computer clean.
I have run some scans myself, and I think I may have eradicated most of the infection, but will post my logs as soon as the scan gets done.
Thank you so much for all of your help.
Oh- and I am going to post that you are helping me in the other forums.
Pam

#4 plus766

  • Topic Starter

  • Members
  • 8 posts
  • Gender:Female

Posted 01 December 2007 - 07:56 PM

Here is my hijack this log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:43 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158600381187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/qdiagh.cab?326
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 3930 bytes

and here is my avira log:



AntiVir PersonalEdition Classic
Report file date: Saturday, December 01, 2007 19:03

Scanning for 955520 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: FLA-TECH02

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 00:01:06
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 9/13/2007 00:01:06
ANTIVIR2.VDF : 7.0.1.30 1575424 Bytes 11/30/2007 00:01:06
ANTIVIR3.VDF : 7.0.1.31 2048 Bytes 11/30/2007 00:01:06
AVEWIN32.DLL : 7.6.0.34 3125760 Bytes 12/2/2007 00:01:08
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 8/3/2007 14:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 15:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Saturday, December 01, 2007 19:03

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wanmpsvc.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'symlcsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'NICServ.exe' - '1' Module(s) have been scanned
Scan process 'NicConfigSvc.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
29 processes with 29 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '16' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
[WARNING] The file could not be opened!
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\Documents and Settings\Conam Administrator\Start Menu\Programs\Startup\system.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINDOWS\xlavba6.exe.vir
[DETECTION] Is the Trojan horse TR/Dldr.Wixud.I
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINDOWS\system32\printer.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINDOWS\system32\WinAvXX.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\ip6fw.sys.vir
[DETECTION] Contains detection pattern of the rootkit RKIT/Agent.DQ.31.A
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services//Runtime]
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime//Enum]
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services//Runtime]
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000//Control]
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME//0000]
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root//LEGACY_RUNTIME]
[INFO] The file was deleted!
C:\SDFix\backups_old1\backups.zip
[0] Archive type: ZIP
--> backups/autorun.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
--> backups/ip6fw.sys
[DETECTION] Contains detection pattern of the rootkit RKIT/Ntech.I
--> backups/mskvtns.dll
[DETECTION] Is the Trojan horse TR/Spy.Gen
[INFO] The file was deleted!
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117823.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117824.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117825.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117827.exe
[DETECTION] Is the Trojan horse TR/Zlob.BYJ
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117828.exe
[DETECTION] Is the Trojan horse TR/Zlob.BYJ
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117829.exe
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.efe
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117830.exe
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.ehp.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117831.dll
[DETECTION] Is the Trojan horse TR/Zlob.bxh.3
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117833.exe
[DETECTION] Is the Trojan horse TR/Zlob.BXH
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117834.exe
[DETECTION] Is the Trojan horse TR/Zlob.BWX
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117845.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117846.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117847.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117857.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117858.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0117859.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0118856.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0118857.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0118859.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0118869.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP594\A0118870.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0118903.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0118904.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0118905.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0118918.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0118919.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0118920.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0118929.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0118930.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0118931.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0118935.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4782fd05.qua'!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0118936.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0118941.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0118942.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0118943.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119531.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119532.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119533.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119541.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119554.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119555.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119556.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119567.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119568.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119569.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119589.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119590.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119591.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119612.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119613.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119614.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119629.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119630.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119631.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119663.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119664.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP595\A0119665.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP596\A0119694.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP596\A0119695.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP596\A0119696.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP596\A0120691.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP596\A0120692.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP596\A0120693.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP596\A0120745.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP596\A0120746.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120769.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120770.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120771.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120790.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120791.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120792.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120802.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120803.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120804.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120814.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120815.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120816.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120875.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120876.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120877.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120906.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120907.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120908.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120918.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120919.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120920.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120927.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120928.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0120929.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0121938.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0121944.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0121945.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0121946.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0121947.dll
[DETECTION] Is the Trojan horse TR/Dldr.Bojo.Q
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0121948.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0121949.dll
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP597\A0121966.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0122895.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0122900.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0122901.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0122902.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0122903.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0122920.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0122921.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0123567.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0123572.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0123573.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0123575.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0123585.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0123586.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0123587.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0123592.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0123593.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0123594.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0124617.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0124618.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0124619.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0124634.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0124635.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0124636.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0124639.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0124740.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0124741.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0124742.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0125738.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0125739.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0125740.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0125742.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0125754.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0125755.dll
[DETECTION] Is the Trojan horse TR/Spy.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0125763.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0125764.sys
[DETECTION] Contains detection pattern of the rootkit RKIT/Agent.DQ.31.A
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services//Runtime]
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime//Enum]
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services//Runtime]
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000//Control]
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME//0000]
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root//LEGACY_RUNTIME]
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0125765.dll
[DETECTION] Is the Trojan horse TR/Spy.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0125794.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0125795.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0125799.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0125800.exe
[DETECTION] Is the Trojan horse TR/Dldr.Wixud.I
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0125801.sys
[DETECTION] Contains detection pattern of the rootkit RKIT/Agent.DQ.31.A
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services//Runtime]
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime//Enum]
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services//Runtime]
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000//Control]
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME//0000]
[INFO] RKIT/Agent.DQ.31.A:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root//LEGACY_RUNTIME]
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP599\A0125802.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP601\A0126245.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[INFO] The file was deleted!
C:\WINDOWS\dracee.exe
[DETECTION] Is the Trojan horse TR/Spy.BZub.bun
[INFO] The file was deleted!
C:\WINDOWS\rearede.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\WINDOWS\xlravcrx.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\WINDOWS\pss\autorun.exeCommon Startup
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!


End of the scan: Saturday, December 01, 2007 19:51
Used time: 48:26 min

The scan has been done completely.

4044 Scanning directories
317738 Files were scanned
227 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
225 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
317511 Files not concerned
10780 Archives were scanned
3 Warnings
0 Notes


Thank you for any help you can give me.
Pam

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:57 PM

Posted 02 December 2007 - 03:48 AM

Hi Pam,

I see Avira already made a difference :thumbsup:

Let's deal with the rest now...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, * Download ComboFix from here.
**Save it to your desktop**

In case you have used Combofix before, please delete the version you are having and redownload it again, because Combofix is being updated every day.

In case your antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again, because some scanners may see some Combofix-related components as suspicious and block or delete them while there's nothing wrong with them.


* Double-click combofix.exe
Follow the prompts.
Note - Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.
Don't click on the window while the fix is running, because that will cause your system to hang.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

When finished and after reboot (in case it rebooted), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
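The five HijackThis entries selected in the reply above share traits that are visible in the log lines themselves: four reference a file that no longer exists ("file missing" / "no file") and one is a policy value that disables Regedit. The sketch below is an added example, not part of the original post and not HijackThis code; it parses log lines of this shape and flags them on those two criteria. The function names and the final `O2` sample line are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# First five lines are the entries quoted in the reply above.
# The last line is constructed, to show an entry that is not flagged.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

# "R3 - ...", "O7 - ...": a section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Registry policy entries look like "<key under \Policies\>, Name=Value".
POLICY_RE = re.compile(r"\\Policies\\[^,]+,\s*(?P<name>\w+)=(?P<value>\S+)$")

MISSING = " (file missing)"
NO_FILE = "(no file)"


@dataclass
class Entry:
    code: str                      # section code, e.g. "O3"
    clsid: Optional[str]           # COM class id, if the entry has one
    target: Optional[str]          # file path the entry points to, if any
    reasons: List[str] = field(default_factory=list)  # why it was flagged


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    clsid = CLSID_RE.search(body)
    entry = Entry(code=code, clsid=clsid.group(0) if clsid else None, target=None)

    policy = POLICY_RE.search(body)
    if code == "O7" and policy:
        entry.reasons.append(
            "policy restriction %s=%s" % (policy.group("name"), policy.group("value"))
        )
        return entry

    last_field = body.split(" - ")[-1]
    if last_field == NO_FILE:
        entry.reasons.append("no file registered")
    elif last_field.endswith(MISSING):
        entry.target = last_field[: -len(MISSING)]
        entry.reasons.append("target file missing")
    elif clsid:
        # Only treat the last field as a path for CLSID-style entries.
        entry.target = last_field
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that carry at least one flag."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.code, e.clsid or "-", e.target or "-", "; ".join(e.reasons))
```

A flag here only says the entry is orphaned or restrictive; whether to fix it is still a decision for the person reading the log.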

#6 plus766


Posted 03 December 2007 - 01:29 AM

I'm afraid I won't have the computer back until next weekend. They had to take it on the road again, and I'm not sure which city it's in. I will try to get to it during the week, but in case I don't, is it safe enough to use for the week?
I had used combo fix and some other programs (sdfix, atf cleaner and adaware 2007), but will reinstall combo fix when I get it.
Thanks for your help, and I'm sorry to have to drag this on for a week.
Pam

#7 miekiemoes


Posted 03 December 2007 - 02:05 AM

Hi,

No, this computer is not safe to use yet. Passwords may be known, security is badly compromised, and it may still be infected although it runs OK now.
So try to get your hands on this computer asap :thumbsup:

#8 miekiemoes


Posted 13 December 2007 - 04:40 PM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



