Multiple IEXPLORE.EXE in task mgr


This topic is locked. 35 replies to this topic.

#1 billj7341 (Members, 25 posts)

Posted 03 November 2008 - 07:35 PM

Hi there. My father-in-law's computer is filled with lots of crap that I've been trying to clean out for the past few days. I have 3 IEXPLORE.EXE files running on my task manager, even when MSIE is closed. I also have "Daemon Tools" on here and I've tried to delete but it keeps popping up. I also have something called "irikrgos.dll" which can't be removed. Any help would be greatly appreciated. Anyway, here's my log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AhnLab\Smart Update Utility\Ahnsdsv.exe
C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Transparent_Agent] C:\Program Files\ClickToTweak-Fusion\Trans.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Pul] "C:\Program Files\Common Files\?уmbols\rυndll.exe"
O4 - HKLM\..\Policies\Explorer\Run: [HFDF] C:\WINDOWS\system32\hfmd00001.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.filenori.co.kr
O15 - Trusted Zone: http://*.filenori.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {97F3D1C1-C8C2-471D-A139-298DEAA35E0B} (ToonsXComicPlus Control) - http://comicplus.donga.com/viewer/ToonsXComicPlus.cab
O16 - DPF: {B6787F48-6F87-433C-AF92-0FB51FFCC32B} (ToonsXComicPlus2 Control) - http://www.comicplus.com/tviewer/ToonsXComicPlus2.cab
O16 - DPF: {E2CB1916-9B25-442C-ACC0-7AFC93E1FF2A} (FilenoriUploadControl Control) - http://korea.filenori.com/app/FilenoriUploadControl.cab
O16 - DPF: {F2965546-AD6C-4C52-8A80-2A336FB50CA8} (FilenoriDownloadControl Control) - http://korea.filenori.com/app/FilenoriDownloadControl.cab
O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\ccofgnt.dll
O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\ccofgnt.dll
O20 - Winlogon Notify: irikrgos - C:\WINDOWS\SYSTEM32\irikrgos.dll
O21 - SSODL: VoTdY - {28E7B12D-824D-1B87-02CF-B0EA5E09DB68} - C:\WINDOWS\system32\esom.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\AhnLab\Smart Update Utility\Ahnsdsv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
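Two entries in the log above deserve a closer look from the defender's side: the [Pul] Run value points into `Common Files\?уmbols\rυndll.exe`, where the folder and file names use a Cyrillic "у" and a Greek "υ" to pass for "Symbols\rundll.exe", and the ICF service path `svchost.exe:ext.exe` names an NTFS alternate data stream attached to a system binary (the ComboFix log later in this thread also lists a `system32\Αdobe` folder built the same way, with a Greek capital alpha). The script below is an added example, not part of this thread or of any tool it mentions; it scans log lines of this shape for both patterns, and its sample lines are constructed copies of entries from this thread's logs with two benign controls.

```python
import re
import unicodedata

# Constructed sample lines, copied in shape from the HijackThis and ComboFix logs in this thread.
# The look-alike letters are written as escapes so they stay visible: \u0443 is Cyrillic "u",
# \u03c5 is Greek upsilon, \u0391 is Greek capital alpha. Lines 1, 4 and 6 are benign controls
# (line 6 is an all-Hangul folder name from the same Korean-locale machine, which must not fire).
SAMPLE_LINES = [
    r'O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe',
    'O4 - HKCU\\..\\Run: [Pul] "C:\\Program Files\\Common Files\\?\u0443mbols\\r\u03c5ndll.exe"',
    r'O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe',
    r'O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe',
    '2008-10-28 21:09 . 2008-10-29 15:07 <DIR> d-------- c:\\windows\\system32\\\u0391dobe',
    'c:\\documents and settings\\All Users\\시작 메뉴\\프로그램\\시작프로그램\\',
]

# A Windows path: drive letter, colon, backslash, then everything up to a quote, bracket or line end.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n\[\]]*')


def script_of(ch):
    """Unicode script prefix of a letter ('LATIN', 'CYRILLIC', 'GREEK', 'HANGUL', ...); None for non-letters."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return 'UNKNOWN'


def mixed_script_components(path):
    """Path components that mix Latin letters with letters from another script.

    A whole-word foreign name (e.g. a Hangul folder) is normal on a localised system;
    a single name that blends scripts is the homoglyph pattern seen in this thread's log.
    """
    hits = []
    for comp in path.split('\\'):
        scripts = {script_of(c) for c in comp} - {None}
        if 'LATIN' in scripts and len(scripts) > 1:
            hits.append(comp)
    return hits


def explain_component(comp):
    """The non-Latin letters in a component, each with its code point and Unicode name."""
    return [(c, f'U+{ord(c):04X}', unicodedata.name(c, 'UNKNOWN'))
            for c in comp if script_of(c) not in (None, 'LATIN')]


def ads_stream(path):
    """Stream name if the file component names an NTFS alternate data stream (file.exe:stream), else None."""
    leaf = path.rsplit('\\', 1)[-1]
    if ':' in leaf:
        return leaf.split(':', 1)[1]
    return None


def audit_log(lines):
    """Return (line_number, reason, detail) findings for every Windows path in the given log lines."""
    findings = []
    for no, line in enumerate(lines, 1):
        for path in WIN_PATH.findall(line):
            path = path.strip()
            for comp in mixed_script_components(path):
                findings.append((no, 'mixed-script', comp))
            stream = ads_stream(path)
            if stream is not None:
                findings.append((no, 'alternate-data-stream', stream))
    return findings


if __name__ == '__main__':
    for no, reason, detail in audit_log(SAMPLE_LINES):
        print(f'line {no}: {reason}: {detail!r}')
        if reason == 'mixed-script':
            for ch, cp, name in explain_component(detail):
                print(f'    {ch!r} {cp} {name}')
```

Feed it a whole HijackThis or ComboFix log as `lines` and it reports the look-alike names and stream paths that a quick visual read of the log misses.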

#2 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 04 November 2008 - 05:30 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 billj7341 (Topic Starter; Members, 25 posts)

Posted 05 November 2008 - 09:07 PM

Thanks! Log att'd. Computer rebooted during ComboFix, then finished when it came back. Is this normal?

ComboFix 08-11-04.02 - Administrator 2008-11-05 20:52:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.1.1042.18.239 [GMT -5:00]
Running from: c:\documents and settings\Administrator\바탕 화면\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\시작 메뉴\프로그램\시작프로그램\Deewoo.lnk
c:\documents and settings\Administrator\시작 메뉴\프로그램\시작프로그램\DW_Start.lnk
c:\documents and settings\Administrator\시작 메뉴\프로그램\Outerinfo
c:\documents and settings\Administrator\시작 메뉴\프로그램\Outerinfo\Terms.lnk
c:\documents and settings\Administrator\시작 메뉴\프로그램\Outerinfo\Uninstall.lnk
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\LocalService\Application Data\1393587716.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\bb1.dat
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\CPV.stt
c:\windows\system32\cookie1.dat
c:\windows\system32\Ir32_a.exe
c:\windows\system32\Ir32_b.exe
c:\windows\system32\lm.dat
c:\windows\system32\lo.dll
c:\windows\system32\Microsoft\backup.ftp
c:\windows\system32\sn.txt
c:\windows\system32\tb.dr
c:\windows\system32\TDSSmupe.dat
c:\windows\wiaservv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_fci
-------\Legacy_icf
-------\Legacy_TCPSR
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-03 18:53 . 2008-11-03 18:53 <DIR> d-------- c:\program files\Trend Micro
2008-11-02 02:02 . 2008-11-02 02:02 702 --a------ c:\windows\system32\MRT.INI
2008-10-31 10:22 . 2008-10-31 11:55 59,904 --a------ c:\windows\system32\00setup.exe
2008-10-31 03:22 . 2008-11-01 09:51 7 --a------ c:\windows\system32\nxg.bin
2008-10-31 03:13 . 2008-10-31 03:13 8,608 --a------ c:\windows\system32\dplx.sys
2008-10-30 08:02 . 2008-10-30 12:26 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6
2008-10-30 08:00 . 2008-10-30 08:58 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-10-30 08:00 . 2008-06-14 12:59 270,336 --------- c:\windows\system32\drivers\bthport.sys
2008-10-30 08:00 . 2008-06-14 12:59 270,336 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-10-30 07:59 . 2008-08-14 08:43 2,182,016 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-30 07:59 . 2008-08-14 08:43 2,137,600 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-30 07:59 . 2008-08-14 08:43 2,059,392 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-30 07:59 . 2008-08-14 08:43 2,017,280 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-30 07:57 . 2008-11-02 02:00 <DIR> d--h----- c:\windows\$hf_mig$
2008-10-30 07:57 . 2005-06-28 10:21 22,752 --a------ c:\windows\system32\spupdsvc.exe
2008-10-30 07:54 . 2008-10-30 07:54 3,584 --a------ c:\windows\nttoxcdi.exe
2008-10-29 18:35 . 2008-11-03 08:41 <DIR> d-------- C:\HKEY-LOCAL
2008-10-29 18:23 . 2008-10-29 18:23 63,488 --a------ c:\windows\system32\ccofgnt.dll
2008-10-29 18:23 . 2008-10-29 18:23 10,752 --a------ c:\windows\system32\asdns.dll
2008-10-29 10:14 . 2008-10-29 10:14 16,451 --a------ c:\windows\gmail.com-error.html
2008-10-29 10:14 . 2008-10-29 10:14 6,182 --a------ c:\windows\live.com-error.html
2008-10-29 10:14 . 2008-10-29 10:14 5,596 --a------ c:\windows\aol.com-error.html
2008-10-29 10:14 . 2008-10-29 10:14 3,696 --a------ c:\windows\google.com-error.html
2008-10-29 10:14 . 2008-10-29 10:14 1,994 --a------ c:\windows\search.yahoo.com-error.html
2008-10-29 01:16 . 2008-10-30 08:05 4,286 --a------ c:\windows\system32\Jamster.ico
2008-10-28 21:21 . 2008-10-30 08:05 9,662 --a------ c:\windows\system32\ZoneAlarmIconUS.ico
2008-10-28 21:09 . 2008-10-29 15:07 <DIR> d-------- c:\windows\system32\Αdobe
2008-10-28 21:09 . 2008-10-30 11:33 <DIR> d-------- c:\program files\Common Files\?уmbols
2008-10-28 20:58 . 2008-10-28 20:58 153,484 --a------ c:\windows\system32\g42.exe
2008-10-28 20:58 . 2008-10-28 21:00 78,628 --a------ c:\windows\system32\pqylhfcbpr.exe
2008-10-28 20:37 . 2008-10-28 20:37 90,915 --a------ c:\windows\system32\eafotaqlgqtlec.dll-uninst.exe
2008-10-28 20:30 . 2008-11-05 15:52 32,768 --a------ c:\windows\system32\drivers\ati0hmxx.sys
2008-10-28 20:30 . 2008-10-30 11:19 22 --a------ C:\WINDOWSMY_Photos_15301.zip
2008-10-27 10:13 . 2008-10-27 10:13 245 --a------ c:\windows\tmp125790.bat
2008-10-27 09:49 . 2008-10-27 09:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-10-27 09:48 . 2008-10-27 09:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-27 09:48 . 2008-10-27 09:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-27 09:48 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-27 09:48 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-27 07:59 . 2008-10-27 07:59 19,456 --a------ C:\VC3.exe
2008-10-27 06:49 . 2008-10-27 06:49 <DIR> d-------- c:\program files\Lavasoft
2008-10-27 06:49 . 2008-10-27 06:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-27 06:48 . 2008-10-27 06:48 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-27 01:41 . 2007-08-01 22:47 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-10-27 01:21 . 2008-10-30 08:02 <DIR> d-------- c:\windows\system32\HouseCall 6.6
2008-10-27 01:21 . 2008-10-27 01:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\HouseCall 6.6
2008-10-24 05:38 . 2008-10-24 06:10 <DIR> d-------- C:\XviD-MU
2008-10-12 14:05 . 2008-11-01 09:55 32,256 --a------ c:\windows\system32\hfmd00001.exe
2008-10-12 14:05 . 2008-11-05 20:29 20,480 --a------ c:\windows\system32\hfmd00001.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 00:51 17,408 ----a-w c:\windows\system32\svchost.exe
2008-10-29 04:20 42,496 ----a-w c:\windows\system32\ftp.exe
2008-10-29 01:30 359,040 ------w c:\windows\system32\drivers\tcpip.sys
2008-10-17 22:08 --------- d-----w c:\program files\NetFolder
2008-09-15 15:37 1,845,632 ----a-w c:\windows\system32\win32k.sys
2008-08-20 05:36 648,704 ----a-w c:\windows\system32\wininet.dll
2008-08-14 13:43 2,182,016 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 13:43 2,059,392 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-10-25 18:18 5,262,215 ----a-w c:\program files\NetFolder_Setup.exe
.

------- Sigcheck -------

2008-04-13 21:27 14336 0c1a8c93c1bb8c85c1deb0fcdecf2326 c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\svchost.exe
2008-11-05 19:51 17408 e4d7e25ee1b151c7054a24f00a0cad85 c:\windows\system32\svchost.exe

2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\tcpip.sys
2008-10-28 20:30 359040 3bb4b08619c111c7be8bda07aa0de6a2 c:\windows\system32\dllcache\tcpip.sys
2008-10-28 20:30 359040 3bb4b08619c111c7be8bda07aa0de6a2 c:\windows\system32\drivers\tcpip.sys

2008-04-13 21:27 497664 762382b886e915bb03e27782586c6f99 c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\winlogon.exe
2004-08-05 07:00 494080 8d73559ec611752bad890d086c4fbbf7 c:\windows\system32\winlogon.exe

2004-08-05 07:00 1032704 5b54bc286e65cc7519ab57a0df4c23c2 c:\windows\explorer.exe
2008-04-13 21:27 1031680 8f539521bb70c9f195355e0445c04e8b c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\explorer.exe

2008-04-13 21:27 108544 5651e762659bb6fb6ecafd53a433c4e3 c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\services.exe
2004-08-05 07:00 110592 3a8418db5f44e8cfb907a864787cfbe0 c:\windows\system32\services.exe

2008-04-13 21:27 13312 534d60486885550759f6123228dec5ca c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\lsass.exe
2004-08-05 07:00 14848 0a6980e3bc6a386b7a7df89e1cf4a2ed c:\windows\system32\lsass.exe

2008-04-13 21:27 57856 d4ae1bec9bfee0ae8ae83b63f9dd2f7d c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\spoolsv.exe
2004-08-05 07:00 58880 b7c4a50e00c14ce6e1e1c982728c68f8 c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pul"="c:\program files\Common Files\?уmbols\rυndll.exe" [?]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-05 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-08-29 171464]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-05 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"AHNSD"="c:\program files\AhnLab\Smart Update Utility\AhnSD.exe" [2008-01-16 199368]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 59392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-09 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-09 118784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"nttoxcdi.exe"="c:\windows\nttoxcdi.exe" [2008-10-30 3584]
"ctfmon.exe"="ctfmon.exe" [2004-08-05 c:\windows\system32\ctfmon.exe]

c:\documents and settings\All Users\시작 메뉴\프로그램\시작프로그램\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-13 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= msaud32_divx.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0hmxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\AhnlabAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 ati0hmxx;ati0hmxx;c:\windows\system32\Drivers\ati0hmxx.sys [2008-11-05 32768]
R0 Defrag32b;Defrag32Boot;c:\windows\system32\drivers\Defrag32b.sys [2004-10-22 54424]
R1 AnfdTDnt;AnfdTDnt;c:\windows\system32\drivers\AnfdTDnt.sys [2006-09-11 73828]
R2 AhnLab Task Scheduler;AhnLab Task Scheduler;c:\program files\AhnLab\Smart Update Utility\Ahnsdsv.exe [2008-01-18 174792]
R2 AnfdIont;AnfdIont;c:\windows\system32\drivers\AnfdIont.sys [2006-08-07 8292]
R2 Defrag32;Defrag32;c:\windows\system32\drivers\Defrag32.sys [2004-10-22 54424]
R2 MonSvcNT;MonSvcNT;c:\progra~1\Ahnlab\V3\MonSvcNT.exe [2006-06-07 131207]
R2 V3NfeNt;V3NfeNt;c:\program files\Ahnlab\V3\V3NfeNt.sys [2005-12-11 14113]
R3 AhnFlt2K;AhnFlt2K;c:\windows\system32\Drivers\AhnFlt2K.sys [2006-09-27 45824]
R3 AhnRec2K;AhnRec2K;c:\windows\system32\Drivers\AhnRec2K.sys [2005-02-14 13696]
R3 v3engine;v3engine;c:\windows\system32\drivers\v3engine.sys [2008-03-14 1339008]
R3 V3Flt2K;V3Flt2K;c:\progra~1\Ahnlab\V3\V3Flt2K.sys [2007-03-02 108032]
S2 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [2004-10-31 237635]
S3 {BEE686B9-4C84-4487-9D72-9F40F051E973};{BEE686B9-4C84-4487-9D72-9F40F051E973};c:\windows\System32\svchost.exe [2008-11-05 17408]
S3 ApfIPXX;ApfIPXX;c:\progra~1\Ahnlab\V3\ApfIPXX.sys [2003-11-04 13227]
S3 SC1200A;SmartEther SC1200A 10/100 PCI Ethernet Windows 2000 Driver;c:\windows\system32\DRIVERS\SNDIS5.sys [2000-09-19 24302]
S3 scskusbf;USB SCSK Filter Driver Service;c:\windows\system32\drivers\scskusbf.sys [2007-10-26 20616]
S3 scskusbs;USB SCSK Driver Service;c:\windows\system32\drivers\scskusbs.sys [2007-10-26 106568]
S3 V3IFt2K;V3IFt2K;c:\progra~1\Ahnlab\V3\V3IFt2K.sys [2004-08-08 19712]
S3 V3IPXX;V3IPXX;c:\progra~1\Ahnlab\V3\V3IPXX.sys [2004-05-22 10954]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{204082b0-89aa-11dc-8669-000874bcf1db}]
\Shell\AutoRun\command - "G:\Install FreeAgent Tools.exe" /run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edbbb3a4-880c-11d9-a4a1-806d6172696f}]
\Shell\AutoRun\command - G:\setup.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Transparent_Agent - c:\program files\ClickToTweak-Fusion\Trans.exe
SSODL-VoTdY-{28E7B12D-824D-1B87-02CF-B0EA5E09DB68} - c:\windows\system32\esom.dll
SafeBoot-dplx.sys


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Window Title = Microsoft Internet Explorer
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://kr.yahoo.com/
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: Microsoft Excel로 내보내기(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O18 -: Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - c:\windows\system32\ccofgnt.dll

O16 -: {97F3D1C1-C8C2-471D-A139-298DEAA35E0B} - hxxp://comicplus.donga.com/viewer/ToonsXComicPlus.cab
c:\windows\Downloaded Program Files\ToonsXComicPlus.inf
c:\windows\system32\ToonsXComicPlus.ocx

O16 -: {B6787F48-6F87-433C-AF92-0FB51FFCC32B} - hxxp://www.comicplus.com/tviewer/ToonsXComicPlus2.cab
c:\windows\Downloaded Program Files\ToonsXComicPlus2.inf
c:\windows\system32\MAIS.VXD
c:\windows\system32\IMGSFMGR.dll
c:\windows\system32\IMGSFLOADER.exe
c:\windows\system32\IMGSF03.dll
c:\windows\system32\IMGSF02.dll
c:\windows\system32\IMGSF01.dll
c:\windows\system32\CaptureProtect.dll
c:\windows\dreamwiz.ico
c:\windows\comicplus.ico
c:\windows\system32\ToonsXHook.dll
c:\windows\system32\WaveletDecoder.dll
c:\windows\system32\IndexedColorDecoder.dll
c:\windows\system32\ToonsXComicPlus2.ocx

O16 -: {E2CB1916-9B25-442C-ACC0-7AFC93E1FF2A} - hxxp://korea.filenori.com/app/FilenoriUploadControl.cab
c:\windows\Downloaded Program Files\FilenoriUploadControl.inf
c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\FilenoriMTWma.dll
c:\windows\system32\FilenoriMT.dll
c:\windows\system32\FilenoriUpLoad.exe
c:\windows\Downloaded Program Files\FilenoriUploadControl.ocx

O16 -: {F2965546-AD6C-4C52-8A80-2A336FB50CA8} - hxxp://korea.filenori.com/app/FilenoriDownloadControl.cab
c:\windows\Downloaded Program Files\FilenoriDownloadControl.inf
c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\FilenoriIcon.ico
c:\windows\system32\FilenoriFileData.exe
c:\windows\system32\FilenoriDownLoad.exe
c:\windows\Downloaded Program Files\FilenoriDownloadControl.ocx
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 20:58:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{BEE686B9-4C84-4487-9D72-9F40F051E973}]
"ServiceDll"="c:\docume~1\ADMINI~1\LOCALS~1\Temp\F.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\conime.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-11-05 21:02:03 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-11-06 02:01:55

Pre-Run: 65,194,655,744 바이트 남음
Post-Run: 65,760,772,096 바이트 남음

264 --- E O F --- 2008-11-03 17:01:40

Edited by Buckeye_Sam, 06 November 2008 - 10:34 AM.
Pasted log


#4 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 06 November 2008 - 10:38 AM

It rebooted in order to remove some files. I'm puzzled why you don't have the recovery console installed though. Was there a problem?

Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#5 billj7341 (Topic Starter; Members, 25 posts)

Posted 06 November 2008 - 03:17 PM

Hmmm. I did the Kaspersky scan, found scads of infected files, hit "view" and then, at the end, when I hit "Save as" -- nothing happened. I waited, and then a few minutes later, the window where all the Trojans and RootKits and whatnots were located went blank. Nothing appears to have been saved. I checked around on my C drive, but couldn't find anything. Now, I'm trying to scan again but am getting error messages: "Update has failed. Program failed to Start." What happened?

Here's the error message [Note, I have closed and restarted Kaspersky twice]:

Program is starting. Please wait...
Update source selected: http://www.kaspersky.com
Downloading file: packages/kos-extras.jar
Program has started.

Program database is being updated. Please wait...
Update source selected: http://dnl-10.geo.kaspersky.com/
Downloading file: index/master.xml.klz

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Scan has failed to start. [0x80004005]]

Edited by billj7341, 06 November 2008 - 03:21 PM.


#6 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 06 November 2008 - 03:30 PM

Ok, let's clean up a few things and then we'll try a different virus scan.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
{BEE686B9-4C84-4487-9D72-9F40F051E973}
ati0hmxx

File::
c:\windows\system32\Drivers\ati0hmxx.sys
c:\windows\nttoxcdi.exe
c:\windows\system32\g42.exe
c:\windows\system32\pqylhfcbpr.exe
c:\windows\system32\eafotaqlgqtlec.dll-uninst.exe

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"nttoxcdi.exe"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pul"=-

Dirlook::
c:\windows\system32\Αdobe
c:\program files\Common Files\?уmbols
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#7 billj7341 (Topic Starter; Members, 25 posts)

Posted 06 November 2008 - 05:35 PM

Wait, I got it. See below:

Thursday, November 6, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, November 06, 2008 17:36:36
Records in database: 1372674


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
H:\

Scan statistics
Files scanned 52995
Threat name 51
Infected objects 248
Suspicious objects 0
Duration of the scan 01:08:23

File name Threat name Threats count
C:\WINDOWS\system32\winlogon.exe/C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.cx 1
C:\WINDOWS\system32\irikrgos32.dll/C:\WINDOWS\system32\irikrgos32.dll Infected: Backdoor.Win32.Hijack.ac 1
C:\WINDOWS\system32\services.exe/C:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.cx 1
C:\WINDOWS\system32\lsass.exe/C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.cx 1
C:\WINDOWS\system32\svchost.exe/C:\WINDOWS\system32\svchost.exe Infected: Trojan.Win32.Patched.cx 17
C:\WINDOWS\System32\svchost.exe/C:\WINDOWS\System32\svchost.exe Infected: Trojan.Win32.Patched.cx 4
C:\WINDOWS\Explorer.EXE/C:\WINDOWS\Explorer.EXE Infected: Trojan.Win32.Patched.cx 1
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Trojan.Win32.Agent.goa 1
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Trojan.Win32.Agent.ady 1
C:\WINDOWS\system32\irikrgos.dll/C:\WINDOWS\system32\irikrgos.dll Infected: Backdoor.Win32.Hijack.ac 1
C:\WINDOWS\system32\spoolsv.exe/C:\WINDOWS\system32\spoolsv.exe Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\10.tmp.bac_a03132 Infected: Backdoor.Win32.Sinowal.zf 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\12810[1].exe.bac_a03132 Infected: Trojan-Dropper.Win32.Agent.ykp 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\1409776099.exe.bac_a03132 Infected: Trojan-Mailfinder.Win32.Mailbot.cz 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0017170.exe.bac_a03132 Infected: Trojan.Win32.Inject.ivt 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0017178.exe.bac_a03132 Infected: Trojan-Spy.Win32.Agent.eox 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0026199.exe.bac_a03132 Infected: Trojan-Downloader.Win32.FraudLoad.vdbu 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0027245.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0027246.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0027247.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0027248.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0027249.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0027251.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0028267.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0028298.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0029368.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0029382.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0029392.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0029473.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0029475.exe.bac_a03132 Infected: Trojan-Mailfinder.Win32.Mailbot.cz 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0029533.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0030573.exe.bac_a03132 Infected: Trojan-Downloader.Win32.Zlob.ymu 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0030574.exe.bac_a03132 Infected: Packed.Win32.PolyCrypt.d 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0030578.exe.bac_a03132 Infected: Packed.Win32.PolyCrypt.d 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0030583.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0030593.dll.bac_a03132 Infected: Trojan-Downloader.Win32.Zlob.ymu 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0030628.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\beep.sys.bac_a03132 Infected: Backdoor.Win32.UltimateDefender.a 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\E.tmp.bac_a03132 Infected: Backdoor.Win32.Sinowal.zf 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\explorer.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\lGwnCMuth.com.bac_a03132 Infected: Trojan-Downloader.Win32.Losabel.amg 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\lsass.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\psyh872810oi[1].exe.bac_a03132 Infected: Trojan-Mailfinder.Win32.Mailbot.cz 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\services.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\spoolsv.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\svchost.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\WINDOWSMY_Photos_15301.zip.bac_a03132 Infected: Trojan.Win32.Agent.ajqf 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winlogon.exe.bac_a03132 Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\wmder[1].exe.bac_a03132 Infected: Trojan-PSW.Win32.WOW.bhd 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\wrdwn10.bac_a03132 Infected: Trojan.Win32.Agent.akkh 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\wrdwn13.bac_a03132 Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.bf 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\[건강]기질의 장단점.rar.bac_a03132 Infected: Trojan.Win32.Agent.ajqf 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\[백투에덴]물과 치료원리.rar.bac_a03132 Infected: Trojan.Win32.Agent.ajqf 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ORW9Y30N\w32tms[1].exe Infected: Trojan.Win32.Inject.jbz 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SHATW18Z\vwipxspxa[1].exe Infected: Trojan.Win32.Agent.altb 1
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QN8RC9QX\w32tms[1].exe Infected: Trojan.Win32.Inject.jbz 1
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\1393587716.exe.vir Infected: Trojan-Mailfinder.Win32.Mailbot.da 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP350\A0017131.sys Infected: Rootkit.Win32.Small.ba 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP350\A0017132.sys Infected: Rootkit.Win32.Small.ba 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP353\A0017143.dll Infected: Trojan-Spy.Win32.Agent.esm 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP353\A0017145.sys Infected: Rootkit.Win32.Small.ba 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP353\A0017147.sys Infected: Rootkit.Win32.Small.ba 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP353\A0017154.exe Infected: Trojan-Spy.Win32.Agent.env 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP353\A0017155.sys Infected: Rootkit.Win32.Small.bc 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP353\A0017156.sys Infected: Rootkit.Win32.Small.bc 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP353\A0017157.exe Infected: Trojan-Spy.Win32.Agent.env 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP355\A0017168.dll Infected: Trojan-Spy.Win32.Agent.esm 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP355\A0017175.sys Infected: Rootkit.Win32.Small.bc 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP355\A0017177.sys Infected: Rootkit.Win32.Small.bc 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP361\A0017190.exe Infected: Trojan.Win32.Inject.iws 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP364\A0027204.dll Infected: Trojan-Downloader.Win32.Agent.fjf 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP364\A0027214.sys Infected: Rootkit.Win32.Small.bc 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP364\A0027216.sys Infected: Rootkit.Win32.Small.bc 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0027254.exe Infected: Trojan-Downloader.Win32.Agent.amlg 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0027267.sys Infected: Rootkit.Win32.Small.bc 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0027268.sys Infected: Rootkit.Win32.Small.bc 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0027270.exe Infected: Trojan-Spy.Win32.Agent.eox 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0027273.exe Infected: Trojan-Downloader.Win32.Tibs.kux 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0027276.exe Infected: Trojan.Win32.Agent.akso 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0028267.exe Infected: Trojan.Win32.Agent.albj 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0028269.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0028270.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0028273.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0028280.exe Infected: Trojan.Win32.Agent.akso 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0028285.dll Infected: Trojan-Clicker.Win32.Agent.bso 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0028298.exe Infected: Trojan.Win32.Agent.albj 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0028299.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0028300.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0028302.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0028310.exe Infected: Trojan.Win32.Agent.akso 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029295.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029296.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029310.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029311.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029335.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029336.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029347.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029348.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029361.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029362.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029368.exe Infected: Trojan.Win32.Crypt.zo 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029369.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029379.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029380.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029382.exe Infected: Trojan.Win32.Agent.albj 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029384.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029392.exe Infected: Trojan.Win32.Crypt.zo 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029398.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029399.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029401.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029414.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029415.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029425.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029426.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029438.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029439.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029457.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029458.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029469.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029470.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029473.exe Infected: Trojan.Win32.Crypt.zo 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029474.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029485.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029486.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029500.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029501.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029516.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029517.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029529.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029530.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029533.exe Infected: Trojan.Win32.Crypt.zo 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0029534.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030528.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030529.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030550.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030551.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030557.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ce 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030560.exe Infected: Trojan-Downloader.Win32.Agent.alda 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030561.exe Infected: Trojan-Downloader.Win32.Agent.aldb 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030562.exe Infected: not-a-virus:AdWare.Win32.Agent.gnd 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030576.exe Infected: Trojan-Mailfinder.Win32.Mailbot.da 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030577.dll Infected: Trojan-Downloader.Win32.BHO.yd 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030583.exe Infected: Trojan.Win32.Crypt.zo 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030584.exe Infected: Trojan-Downloader.Win32.PurityScan.gb 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030585.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030587.exe Infected: Trojan.Win32.Agent.akso 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030591.exe Infected: Trojan-Downloader.Win32.Exchanger.alv 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030600.dll Infected: Trojan-GameThief.Win32.WOW.cfh 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030601.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030602.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030612.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030613.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030616.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030625.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030626.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030628.exe Infected: Trojan.Win32.Agent.albj 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030640.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030641.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030644.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030663.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030665.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030673.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030777.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030778.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030780.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030800.exe Infected: Trojan-Mailfinder.Win32.Mailbot.cz 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030801.sys Infected: Backdoor.Win32.UltimateDefender.a 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030812.exe Infected: Trojan.Win32.Patched.cx 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030812.exe Infected: Trojan.Win32.Crypt.zo 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030815.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030816.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030818.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030819.exe Infected: Trojan.Win32.Agent.albj 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030832.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030833.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030836.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030843.exe Infected: Trojan.Win32.Patched.cx 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030843.exe Infected: Trojan.Win32.Crypt.zo 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030845.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030846.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366\A0030848.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP367\A0031005.exe Infected: Trojan.Win32.Patched.cx 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP367\A0031005.exe Infected: Trojan.Win32.Crypt.zo 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP367\A0031010.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP367\A0031011.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP367\A0031012.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP368\A0031023.exe Infected: Trojan.Win32.Patched.cx 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP368\A0031023.exe Infected: Trojan.Win32.Agent.albj 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP368\A0031037.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP368\A0031038.sys Infected: Rootkit.Win32.Small.be 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP368\A0031040.exe Infected: Trojan-Spy.Win32.Agent.epi 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP370\A0032053.exe Infected: Trojan.Win32.Patched.cx 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP370\A0032053.exe Infected: Trojan.Win32.Crypt.zo 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP370\A0032065.exe Infected: Trojan.Win32.Patched.cx 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP370\A0032102.exe Infected: Trojan.Win32.Patched.cx 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP370\A0032102.exe Infected: Trojan.Win32.Crypt.zo 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371\A0032121.exe Infected: Trojan.Win32.Patched.cx 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371\A0032121.exe Infected: Trojan.Win32.Agent.alxn 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371\A0032136.exe Infected: Trojan.Win32.Patched.cx 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371\A0032136.exe Infected: Trojan.Win32.Agent.alxn 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371\A0033150.exe Infected: Trojan.Win32.Patched.cx 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371\A0033150.exe Infected: Trojan.Win32.Agent.alxn 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371\A0034194.exe Infected: Trojan.Win32.Patched.cx 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371\A0034194.exe Infected: Trojan.Win32.Agent.alxn 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372\A0034210.exe Infected: Trojan.Win32.Patched.cx 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372\A0034210.exe Infected: Trojan.Win32.Agent.alwf 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372\A0035259.exe Infected: Trojan-Mailfinder.Win32.Mailbot.da 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372\A0035312.sys Infected: Rootkit.Win32.Protector.bd 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372\A0035319.sys Infected: Rootkit.Win32.Protector.bd 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372\A0035320.exe Infected: Trojan.Win32.Patched.cx 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372\A0035320.exe Infected: Trojan.Win32.Agent.alwf 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP374\A0035334.sys Infected: Rootkit.Win32.Protector.bd 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP374\A0035335.dll Infected: Backdoor.Win32.Hijack.ac 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP374\A0035337.exe Infected: Trojan.Win32.Patched.cx 1
C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP374\A0035337.exe Infected: Trojan.Win32.Agent.alxn 1
C:\VC3.exe Infected: Trojan-Downloader.Win32.Agent.amdt 1
C:\WINDOWS\explorer.exe Infected: Trojan.Win32.Patched.cx 1
C:\WINDOWS\nttoxcdi.exe Infected: Trojan-Downloader.Win32.Small.agbh 1
C:\WINDOWS\system32\00setup.exe Infected: Trojan-Spy.Win32.Zbot.fpn 1
C:\WINDOWS\system32\g42.exe Infected: Trojan-Clicker.Win32.Agent.bso 1
C:\WINDOWS\system32\hfmd00001.exe Infected: Trojan-GameThief.Win32.OnLineGames.trdk 1
C:\WINDOWS\system32\irikrgos.dll Infected: Backdoor.Win32.Hijack.ac 1
C:\WINDOWS\system32\irikrgos32.dll Infected: Backdoor.Win32.Hijack.ac 1
C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.cx 1
C:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.cx 1
C:\WINDOWS\system32\spoolsv.exe Infected: Trojan.Win32.Patched.cx 1
C:\WINDOWS\system32\svchost.exe Infected: Trojan.Win32.Patched.cx 1
C:\WINDOWS\system32\svchost.exe Infected: Trojan.Win32.Agent.alxn 1
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.cx 1


========================================================

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 November 2008 - 07:37 PM

Go ahead with the step I posted with combofix.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, click File in the menu and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
Please post the contents of the log from DrWeb and the new ComboFix log in your next reply.


========================================================

#9 billj7341

billj7341
  • Topic Starter

  • Members
  • 25 posts

Posted 06 November 2008 - 09:44 PM

Here's COMBOFIX:

ComboFix 08-11-05.02 - Administrator 2008-11-06 21:30:39.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.1.1042.18.290 [GMT -5:00]
Running from: c:\documents and settings\Administrator\바탕 화면\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\바탕 화면\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\nttoxcdi.exe
c:\windows\system32\Drivers\ati0hmxx.sys
c:\windows\system32\eafotaqlgqtlec.dll-uninst.exe
c:\windows\system32\g42.exe
c:\windows\system32\pqylhfcbpr.exe
.
ADS - svchost.exe: deleted 25088 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\windows\nttoxcdi.exe
c:\windows\system32\Drivers\ati0hmxx.sys
c:\windows\system32\eafotaqlgqtlec.dll-uninst.exe
c:\windows\system32\g42.exe
c:\windows\system32\irikrgos.dll
c:\windows\system32\irikrgos32.dll
c:\windows\system32\pqylhfcbpr.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI0HMXX
-------\Legacy_FCI
-------\Legacy_ICF
-------\Legacy_TCPSR
-------\Legacy_{BEE686B9-4C84-4487-9D72-9F40F051E973}
-------\Service_{BEE686B9-4C84-4487-9D72-9F40F051E973}
-------\Service_ati0hmxx
-------\Service_FCI
-------\Service_ICF
-------\Service_tcpsr


((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.

2008-11-06 13:41 . 2008-11-06 13:41 <DIR> d-------- c:\windows\Sun
2008-11-06 13:40 . 2008-11-06 13:40 <DIR> d-------- c:\program files\Sun
2008-11-06 13:39 . 2008-11-06 13:39 <DIR> d-------- c:\program files\Java
2008-11-06 13:39 . 2008-11-06 13:39 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-06 13:39 . 2008-11-06 13:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-03 18:53 . 2008-11-03 18:53 <DIR> d-------- c:\program files\Trend Micro
2008-11-02 02:02 . 2008-11-02 02:02 702 --a------ c:\windows\system32\MRT.INI
2008-10-31 10:22 . 2008-10-31 11:55 59,904 --a------ c:\windows\system32\00setup.exe
2008-10-31 03:22 . 2008-11-01 09:51 7 --a------ c:\windows\system32\nxg.bin
2008-10-31 03:13 . 2008-10-31 03:13 8,608 --a------ c:\windows\system32\dplx.sys
2008-10-30 08:02 . 2008-10-30 12:26 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6
2008-10-30 08:00 . 2008-10-30 08:58 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-10-30 08:00 . 2008-06-14 12:59 270,336 --------- c:\windows\system32\drivers\bthport.sys
2008-10-30 08:00 . 2008-06-14 12:59 270,336 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-10-30 07:59 . 2008-08-14 08:43 2,182,016 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-30 07:59 . 2008-08-14 08:43 2,137,600 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-30 07:59 . 2008-08-14 08:43 2,059,392 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-30 07:59 . 2008-08-14 08:43 2,017,280 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-30 07:57 . 2008-11-02 02:00 <DIR> d--h----- c:\windows\$hf_mig$
2008-10-30 07:57 . 2005-06-28 10:21 22,752 --a------ c:\windows\system32\spupdsvc.exe
2008-10-29 18:35 . 2008-11-03 08:41 <DIR> d-------- C:\HKEY-LOCAL
2008-10-29 18:23 . 2008-10-29 18:23 63,488 --a------ c:\windows\system32\ccofgnt.dll
2008-10-29 18:23 . 2008-10-29 18:23 10,752 --a------ c:\windows\system32\asdns.dll
2008-10-29 10:14 . 2008-10-29 10:14 16,451 --a------ c:\windows\gmail.com-error.html
2008-10-29 10:14 . 2008-10-29 10:14 6,182 --a------ c:\windows\live.com-error.html
2008-10-29 10:14 . 2008-10-29 10:14 5,596 --a------ c:\windows\aol.com-error.html
2008-10-29 10:14 . 2008-10-29 10:14 3,696 --a------ c:\windows\google.com-error.html
2008-10-29 10:14 . 2008-10-29 10:14 1,994 --a------ c:\windows\search.yahoo.com-error.html
2008-10-29 01:16 . 2008-10-30 08:05 4,286 --a------ c:\windows\system32\Jamster.ico
2008-10-28 21:21 . 2008-10-30 08:05 9,662 --a------ c:\windows\system32\ZoneAlarmIconUS.ico
2008-10-28 21:09 . 2008-10-29 15:07 <DIR> d-------- c:\windows\system32\Αdobe
2008-10-28 21:09 . 2008-10-30 11:33 <DIR> d-------- c:\program files\Common Files\?уmbols
2008-10-28 20:30 . 2008-10-30 11:19 22 --a------ C:\WINDOWSMY_Photos_15301.zip
2008-10-27 10:13 . 2008-10-27 10:13 245 --a------ c:\windows\tmp125790.bat
2008-10-27 09:49 . 2008-10-27 09:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-10-27 09:48 . 2008-10-27 09:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-27 09:48 . 2008-10-27 09:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-27 09:48 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-27 09:48 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-27 07:59 . 2008-10-27 07:59 19,456 --a------ C:\VC3.exe
2008-10-27 06:49 . 2008-10-27 06:49 <DIR> d-------- c:\program files\Lavasoft
2008-10-27 06:49 . 2008-10-27 06:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-27 06:48 . 2008-10-27 06:48 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-27 01:41 . 2007-08-01 22:47 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-10-27 01:21 . 2008-10-30 08:02 <DIR> d-------- c:\windows\system32\HouseCall 6.6
2008-10-27 01:21 . 2008-10-27 01:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\HouseCall 6.6
2008-10-24 05:38 . 2008-10-24 06:10 <DIR> d-------- C:\XviD-MU
2008-10-12 14:05 . 2008-11-01 09:55 32,256 --a------ c:\windows\system32\hfmd00001.exe
2008-10-12 14:05 . 2008-11-05 20:29 20,480 --a------ c:\windows\system32\hfmd00001.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 20:23 17,408 ----a-w c:\windows\system32\svchost.exe
2008-10-29 04:20 42,496 ----a-w c:\windows\system32\ftp.exe
2008-10-29 01:30 359,040 ------w c:\windows\system32\drivers\tcpip.sys
2008-10-17 22:08 --------- d-----w c:\program files\NetFolder
2008-09-15 15:37 1,845,632 ----a-w c:\windows\system32\win32k.sys
2008-08-20 05:36 648,704 ----a-w c:\windows\system32\wininet.dll
2008-08-14 13:43 2,182,016 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 13:43 2,059,392 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-10-25 18:18 5,262,215 ----a-w c:\program files\NetFolder_Setup.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\program files\Common Files\?¬ambols ----

c:\program files\Common Files\?¬ambols\

---- Directory of c:\windows\system32\¥Adobe ----

c:\windows\system32\¥Adobe\


------- Sigcheck -------

2008-04-13 21:27 14336 0c1a8c93c1bb8c85c1deb0fcdecf2326 c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\svchost.exe
2008-11-06 15:23 17408 e4d7e25ee1b151c7054a24f00a0cad85 c:\windows\system32\svchost.exe

2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\tcpip.sys
2008-10-28 20:30 359040 3bb4b08619c111c7be8bda07aa0de6a2 c:\windows\system32\dllcache\tcpip.sys
2008-10-28 20:30 359040 3bb4b08619c111c7be8bda07aa0de6a2 c:\windows\system32\drivers\tcpip.sys

2008-04-13 21:27 497664 762382b886e915bb03e27782586c6f99 c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\winlogon.exe
2004-08-05 07:00 494080 8d73559ec611752bad890d086c4fbbf7 c:\windows\system32\winlogon.exe

2004-08-05 07:00 1032704 5b54bc286e65cc7519ab57a0df4c23c2 c:\windows\explorer.exe
2008-04-13 21:27 1031680 8f539521bb70c9f195355e0445c04e8b c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\explorer.exe

2008-04-13 21:27 108544 5651e762659bb6fb6ecafd53a433c4e3 c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\services.exe
2004-08-05 07:00 110592 3a8418db5f44e8cfb907a864787cfbe0 c:\windows\system32\services.exe

2008-04-13 21:27 13312 534d60486885550759f6123228dec5ca c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\lsass.exe
2004-08-05 07:00 14848 0a6980e3bc6a386b7a7df89e1cf4a2ed c:\windows\system32\lsass.exe

2008-04-13 21:27 57856 d4ae1bec9bfee0ae8ae83b63f9dd2f7d c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\spoolsv.exe
2004-08-05 07:00 58880 b7c4a50e00c14ce6e1e1c982728c68f8 c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot@2008-11-05_21.01.26.77 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-06 00:51:41 49,152 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-07 01:47:20 49,152 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-06 00:51:41 98,304 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-07 01:47:20 98,304 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-06 20:30:35 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008110620081107\index.dat
+ 2008-11-06 18:39:22 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-11-06 18:39:22 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-06 18:39:22 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-11-05 15:39:50 27,954 ----a-w c:\windows\system32\spool\printer.dat
+ 2008-11-06 21:24:04 27,229 ----a-w c:\windows\system32\spool\printer.dat
+ 2008-11-07 02:34:43 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_528.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-05 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-08-29 171464]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-05 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"AHNSD"="c:\program files\AhnLab\Smart Update Utility\AhnSD.exe" [2008-01-16 199368]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 59392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-09 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-09 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-06 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2004-08-05 c:\windows\system32\ctfmon.exe]

c:\documents and settings\All Users\시작 메뉴\프로그램\시작프로그램\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-13 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= msaud32_divx.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\AhnlabAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Defrag32b;Defrag32Boot;c:\windows\system32\drivers\Defrag32b.sys [2004-10-22 54424]
R1 AnfdTDnt;AnfdTDnt;c:\windows\system32\drivers\AnfdTDnt.sys [2006-09-11 73828]
R2 AhnLab Task Scheduler;AhnLab Task Scheduler;c:\program files\AhnLab\Smart Update Utility\Ahnsdsv.exe [2008-01-18 174792]
R2 AnfdIont;AnfdIont;c:\windows\system32\drivers\AnfdIont.sys [2006-08-07 8292]
R2 Defrag32;Defrag32;c:\windows\system32\drivers\Defrag32.sys [2004-10-22 54424]
R2 JavaQuickStarterService;Java Quick Starter;c:\program files\Java\jre6\bin\jqs.exe [2008-11-06 152984]
R2 MonSvcNT;MonSvcNT;c:\progra~1\Ahnlab\V3\MonSvcNT.exe [2006-06-07 131207]
R2 V3NfeNt;V3NfeNt;c:\program files\Ahnlab\V3\V3NfeNt.sys [2005-12-11 14113]
R3 AhnFlt2K;AhnFlt2K;c:\windows\system32\Drivers\AhnFlt2K.sys [2006-09-27 45824]
R3 AhnRec2K;AhnRec2K;c:\windows\system32\Drivers\AhnRec2K.sys [2005-02-14 13696]
R3 v3engine;v3engine;c:\windows\system32\drivers\v3engine.sys [2008-03-14 1339008]
R3 V3Flt2K;V3Flt2K;c:\progra~1\Ahnlab\V3\V3Flt2K.sys [2007-03-02 108032]
S2 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [2004-10-31 237635]
S3 ApfIPXX;ApfIPXX;c:\progra~1\Ahnlab\V3\ApfIPXX.sys [2003-11-04 13227]
S3 SC1200A;SmartEther SC1200A 10/100 PCI Ethernet Windows 2000 Driver;c:\windows\system32\DRIVERS\SNDIS5.sys [2000-09-19 24302]
S3 scskusbf;USB SCSK Filter Driver Service;c:\windows\system32\drivers\scskusbf.sys [2007-10-26 20616]
S3 scskusbs;USB SCSK Driver Service;c:\windows\system32\drivers\scskusbs.sys [2007-10-26 106568]
S3 V3IFt2K;V3IFt2K;c:\progra~1\Ahnlab\V3\V3IFt2K.sys [2004-08-08 19712]
S3 V3IPXX;V3IPXX;c:\progra~1\Ahnlab\V3\V3IPXX.sys [2004-05-22 10954]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{204082b0-89aa-11dc-8669-000874bcf1db}]
\Shell\AutoRun\command - "G:\Install FreeAgent Tools.exe" /run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edbbb3a4-880c-11d9-a4a1-806d6172696f}]
\Shell\AutoRun\command - G:\setup.exe
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-ati0hmxx.sys



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-06 21:34:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\conime.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-11-06 21:37:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-07 02:37:21
ComboFix2.txt 2008-11-06 02:02:05

Pre-Run: 65,732,395,008 bytes free
Post-Run: 65,769,701,376 bytes free

225 --- E O F --- 2008-11-03 17:01:40
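
The Sigcheck section of the ComboFix log above pairs each core system binary with a spare copy found under the Windows Update download folder (SoftwareDistribution\Download). A hash mismatch alone is not evidence: those cached copies are dated 2008-04-13 (a later build staged by Windows Update) while the installed originals are dated 2004-08-05, so winlogon.exe, explorer.exe, services.exe, lsass.exe and spoolsv.exe differ for a benign reason. What stands out is svchost.exe and tcpip.sys, where the installed copy is newer than the cached update and has a size and hash that match nothing. The script below is an added example, not part of the original post or of ComboFix itself; it embeds those Sigcheck lines verbatim as sample input and applies that "differs from and postdates every reference copy" heuristic, also reporting whether the dllcache copy carries the same hash, which matters because Windows File Protection restores system files from dllcache. The path markers, record layout and output format are the example's own choices, and a definitive check would compare against vendor-published hashes, which this offline example does not have.

```python
"""Triage the Sigcheck section of a ComboFix log (added example, not ComboFix's own code).
A hash mismatch alone proves nothing: the spare copy may be a newer build than the installed
one. A copy is flagged only when it matches no reference hash AND postdates every reference."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the Sigcheck lines from the log above, blank separators dropped.
SIGCHECK_SAMPLE = r"""
2008-04-13 21:27 14336 0c1a8c93c1bb8c85c1deb0fcdecf2326 c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\svchost.exe
2008-11-06 15:23 17408 e4d7e25ee1b151c7054a24f00a0cad85 c:\windows\system32\svchost.exe
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\tcpip.sys
2008-10-28 20:30 359040 3bb4b08619c111c7be8bda07aa0de6a2 c:\windows\system32\dllcache\tcpip.sys
2008-10-28 20:30 359040 3bb4b08619c111c7be8bda07aa0de6a2 c:\windows\system32\drivers\tcpip.sys
2008-04-13 21:27 497664 762382b886e915bb03e27782586c6f99 c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\winlogon.exe
2004-08-05 07:00 494080 8d73559ec611752bad890d086c4fbbf7 c:\windows\system32\winlogon.exe
2004-08-05 07:00 1032704 5b54bc286e65cc7519ab57a0df4c23c2 c:\windows\explorer.exe
2008-04-13 21:27 1031680 8f539521bb70c9f195355e0445c04e8b c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\explorer.exe
2008-04-13 21:27 108544 5651e762659bb6fb6ecafd53a433c4e3 c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\services.exe
2004-08-05 07:00 110592 3a8418db5f44e8cfb907a864787cfbe0 c:\windows\system32\services.exe
2008-04-13 21:27 13312 534d60486885550759f6123228dec5ca c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\lsass.exe
2004-08-05 07:00 14848 0a6980e3bc6a386b7a7df89e1cf4a2ed c:\windows\system32\lsass.exe
2008-04-13 21:27 57856 d4ae1bec9bfee0ae8ae83b63f9dd2f7d c:\windows\SoftwareDistribution\Download\98d847fc4c6ec1df384c602ded3b9fd3\spoolsv.exe
2004-08-05 07:00 58880 b7c4a50e00c14ce6e1e1c982728c68f8 c:\windows\system32\spoolsv.exe
"""

# date time size md5 path; the path takes the rest of the line because it may contain spaces.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-fA-F]{32})\s+(\S.*?)\s*$")
# Path markers are the example's own assumptions about where ComboFix found the spare copies.
REFERENCE_MARKER = "\\softwaredistribution\\download\\"  # Windows Update staging folder
WFP_CACHE_MARKER = "\\dllcache\\"                        # Windows File Protection cache


def parse_sigcheck(text):
    """One record per Sigcheck file line; headers and blank lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group(4)
        records.append({"when": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                        "size": int(m.group(2)), "md5": m.group(3).lower(),
                        "path": path, "name": path.rsplit("\\", 1)[-1].lower()})
    return records


def role(record):
    """reference = trusted spare copy, wfp_cache = dllcache copy, installed = the live file."""
    p = record["path"].lower()
    if REFERENCE_MARKER in p:
        return "reference"
    if WFP_CACHE_MARKER in p:
        return "wfp_cache"
    return "installed"


def flag_modified_binaries(records):
    """Map file name -> installed copies that differ from AND postdate every reference copy.
    An installed copy OLDER than the reference (an original SP2 file next to a later build in
    the download cache) is version skew, not tampering, and is deliberately ignored."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["name"]].append(r)
    findings = {}
    for name, copies in by_name.items():
        refs = [c for c in copies if role(c) == "reference"]
        if not refs:
            continue  # nothing trustworthy to compare against
        newest_ref = max(c["when"] for c in refs)
        ref_hashes = {c["md5"] for c in refs}
        caches = [c for c in copies if role(c) == "wfp_cache"]
        hits = []
        for c in copies:
            if role(c) != "installed" or c["md5"] in ref_hashes or c["when"] <= newest_ref:
                continue
            if not caches:
                cache_state = "not listed"
            elif any(d["md5"] == c["md5"] for d in caches):
                cache_state = "matches"  # WFP would restore the same bytes, so no self-heal
            else:
                cache_state = "differs"
            hits.append({"path": c["path"], "size": c["size"], "md5": c["md5"],
                         "reference_size": refs[0]["size"], "wfp_cache": cache_state,
                         "modified": c["when"].strftime("%Y-%m-%d %H:%M"),
                         "newest_reference": newest_ref.strftime("%Y-%m-%d %H:%M")})
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for name, hits in flag_modified_binaries(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        for h in hits:
            print(f"{name}: {h['path']} modified {h['modified']}, reference build "
                  f"{h['newest_reference']}, {h['size']} vs {h['reference_size']} bytes, "
                  f"dllcache {h['wfp_cache']}")
```

Run against the sample it reports exactly two files, svchost.exe (17408 bytes against a 14336-byte reference, no dllcache copy listed) and tcpip.sys (whose dllcache copy carries the same modified hash, so Windows File Protection would not repair it). The same heuristic drops the five SP2 originals, because a copy older than the cached update is the expected picture on a machine that has not yet installed that update.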

#10 billj7341
  • Topic Starter
  • Members
  • 25 posts

Posted 06 November 2008 - 11:32 PM

And Here's DrWeb:

explorer.exe;c:\windows;Trojan.Starter.384;Cured.;
lsass.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
services.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
spoolsv.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
svchost.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
winlogon.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
VC3.exe;C:\;Trojan.DownLoad.4915;Deleted.;
ComboFix.exe\32788R22FWJFW\C.bat;C:\Documents and Settings\Administrator\바탕 화면\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Administrator\바탕 화면\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Administrator\바탕 화면;Archive contains infected objects;Moved.;
NetFolderUpdate.exe;C:\Program Files\NetFolder;Probably BACKDOOR.Trojan;Incurable.Moved.;
irikrgos.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.JackBot.1;Deleted.;
irikrgos32.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.JackBot.1;Deleted.;
A0015729.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP299;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0015730.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP299;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0017131.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP350;Trojan.PWS.Wsgame.7692;Deleted.;
A0017132.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP350;Trojan.PWS.Wsgame.7692;Deleted.;
A0017143.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP353;Trojan.PWS.Wsgame.7692;Deleted.;
A0017145.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP353;Trojan.PWS.Wsgame.7692;Deleted.;
A0017147.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP353;Trojan.PWS.Wsgame.7692;Deleted.;
A0017154.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP353;Trojan.PWS.Wsgame.7692;Deleted.;
A0017155.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP353;Trojan.Sdter.30;Deleted.;
A0017156.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP353;Trojan.Sdter.30;Deleted.;
A0017157.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP353;Trojan.PWS.Wsgame.7692;Deleted.;
A0017168.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP355;Trojan.PWS.Wsgame.7692;Deleted.;
A0017175.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP355;Trojan.Sdter.30;Deleted.;
A0017177.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP355;Trojan.Sdter.30;Deleted.;
A0017190.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP361;Trojan.PWS.Reggin.74;Deleted.;
A0027203.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP364;Trojan.PWS.Snap.437;Deleted.;
A0027214.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP364;Trojan.Sdter.30;Deleted.;
A0027216.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP364;Trojan.Sdter.30;Deleted.;
A0027238.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.DownLoad.6103;Deleted.;
A0027244.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.DownLoad.6103;Deleted.;
A0027254.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.DownLoad.9198;Deleted.;
A0027259.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0027267.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.Sdter.30;Deleted.;
A0027268.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.Sdter.30;Deleted.;
A0027270.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Wsgame.7746;Deleted.;
A0027273.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.Packed.1216;Deleted.;
A0027276.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.DownLoad.6103;Deleted.;
A0027278.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.DownLoad.6103;Deleted.;
A0028258.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0028273.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Wsgame.8147;Deleted.;
A0028280.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.DownLoad.6103;Deleted.;
A0028289.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0028302.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Wsgame.8147;Deleted.;
A0028310.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.DownLoad.6103;Deleted.;
A0028312.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.DownLoad.6103;Deleted.;
A0028313.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.DownLoad.6103;Deleted.;
A0029288.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029303.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029327.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029342.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029356.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029369.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Wsgame.8147;Deleted.;
A0029374.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029384.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Wsgame.8147;Deleted.;
A0029391.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029401.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Wsgame.8147;Deleted.;
A0029408.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029421.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029433.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029452.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029464.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029474.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Wsgame.8147;Deleted.;
A0029480.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029493.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029511.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029524.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0029534.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Wsgame.8147;Deleted.;
A0030523.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0030544.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0030557.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Adware.ClickSpring.17;Incurable.Moved.;
A0030584.exe\data001;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030584.exe;Adware.ClickSpring.13;;
A0030584.exe\data002;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365\A0030584.exe;Adware.MediaTicket.81;;
A0030584.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Archive contains infected objects;Moved.;
A0030585.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Adware.Outer;Incurable.Moved.;
A0030587.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.DownLoad.6103;Deleted.;
A0030591.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.Packed.1219;Incurable.Moved.;
A0030592.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Adware.Adrotate.12;Incurable.Moved.;
A0030599.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0030600.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Wow.951;Deleted.;
A0030610.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0030616.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Wsgame.8147;Deleted.;
A0030624.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0030635.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0030644.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Wsgame.8147;Deleted.;
A0030655.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Snap.437;Deleted.;
A0030673.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP365;Trojan.PWS.Wsgame.8147;Deleted.;
A0030771.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366;Trojan.PWS.Snap.437;Deleted.;
A0030780.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366;Trojan.PWS.Wsgame.8147;Deleted.;
A0030801.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366;Trojan.Fakealert.458;Deleted.;
A0030812.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366;Trojan.Starter.384;Cured.;
A0030814.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366;Trojan.PWS.Snap.437;Deleted.;
A0030818.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366;Trojan.PWS.Wsgame.8147;Deleted.;
A0030826.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366;Trojan.PWS.Snap.437;Deleted.;
A0030836.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366;Trojan.PWS.Wsgame.8147;Deleted.;
A0030843.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366;Trojan.Starter.384;Cured.;
A0030844.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366;Trojan.PWS.Snap.437;Deleted.;
A0030848.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP366;Trojan.PWS.Wsgame.8147;Deleted.;
A0031005.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP367;Trojan.Starter.384;Cured.;
A0031007.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP367;Trojan.PWS.Snap.437;Deleted.;
A0031012.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP367;Trojan.PWS.Wsgame.8147;Deleted.;
A0031023.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP368;Trojan.Starter.384;Cured.;
A0031032.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP368;Trojan.PWS.Snap.437;Deleted.;
A0031040.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP368;Trojan.PWS.Wsgame.8147;Deleted.;
A0031054.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP369;Trojan.PWS.Snap.437;Deleted.;
A0032053.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP370;Trojan.Starter.384;Cured.;
A0032055.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP370;Probably DLOADER.Trojan;Incurable.Moved.;
A0032065.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP370;Trojan.Starter.384;Cured.;
A0032072.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP370;Probably DLOADER.Trojan;Incurable.Moved.;
A0032083.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP370;Probably DLOADER.Trojan;Incurable.Moved.;
A0032092.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP370;Probably DLOADER.Trojan;Incurable.Moved.;
A0032102.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP370;Trojan.Starter.384;Cured.;
A0032109.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP370;Probably DLOADER.Trojan;Incurable.Moved.;
A0032121.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371;Trojan.Starter.384;Cured.;
A0032124.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371;Probably DLOADER.Trojan;Incurable.Moved.;
A0032133.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371;Probably DLOADER.Trojan;Incurable.Moved.;
A0032136.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371;Trojan.Starter.384;Cured.;
A0032146.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371;Probably DLOADER.Trojan;Incurable.Moved.;
A0033145.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371;Probably DLOADER.Trojan;Incurable.Moved.;
A0033150.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371;Trojan.Starter.384;Cured.;
A0033158.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371;Probably DLOADER.Trojan;Incurable.Moved.;
A0033170.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371;Probably DLOADER.Trojan;Incurable.Moved.;
A0033179.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371;Probably DLOADER.Trojan;Incurable.Moved.;
A0033191.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371;Probably DLOADER.Trojan;Incurable.Moved.;
A0034190.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371;Probably DLOADER.Trojan;Incurable.Deleted.;
A0034194.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371;Trojan.Starter.384;Cured.;
A0034201.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP371;Probably DLOADER.Trojan;Incurable.Moved.;
A0034210.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372;Trojan.Starter.384;Cured.;
A0035200.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372;Probably DLOADER.Trojan;Incurable.Moved.;
A0035210.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372;Probably DLOADER.Trojan;Incurable.Moved.;
A0035218.bat;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372;Probably BATCH.Virus;Incurable.Moved.;
A0035270.bat;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372;Probably BATCH.Virus;Incurable.Moved.;
A0035279.EXE;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372;Program.PsExec.170;Incurable.Moved.;
A0035312.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372;BackDoor.Bulknet.240;Deleted.;
A0035319.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372;BackDoor.Bulknet.240;Deleted.;
A0035320.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372;Trojan.Starter.384;Cured.;
A0035334.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP374;BackDoor.Bulknet.240;Deleted.;
A0035335.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP374;BackDoor.JackBot.1;Deleted.;
A0035337.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP374;Trojan.Starter.384;Cured.;
A0035342.exe\32788R22FWJFW\C.bat;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP374\A0035342.exe;Probably BATCH.Virus;;
A0035342.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP374\A0035342.exe;Program.PsExec.171;;
A0035342.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP374;Archive contains infected objects;Moved.;
A0035345.bat;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP374;Probably BATCH.Virus;Incurable.Moved.;
A0035379.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP375;Trojan.Starter.384;Cured.;
A0035386.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP375;BackDoor.JackBot.1;Deleted.;
A0035387.dll;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP375;BackDoor.JackBot.1;Deleted.;
A0035400.bat;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP375;Probably BATCH.Virus;Incurable.Moved.;
A0035409.EXE;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP375;Program.PsExec.170;Incurable.Moved.;
A0035444.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP375;Trojan.Starter.384;Cured.;
A0035445.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP375;Trojan.Starter.384;Cured.;
A0035446.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP375;Trojan.Starter.384;Cured.;
A0035447.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP375;Trojan.Starter.384;Cured.;
A0035448.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP375;Trojan.Starter.384;Cured.;
A0035449.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP375;Trojan.Starter.384;Cured.;
A0035450.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP375;Trojan.DownLoad.4915;Deleted.;
A0035451.exe\32788R22FWJFW\C.bat;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP375\A0035451.exe;Probably BATCH.Virus;;
A0035451.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP375\A0035451.exe;Program.PsExec.171;;
A0035451.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP375;Archive contains infected objects;Moved.;
hfmd00001.dll;C:\WINDOWS\system32;Probably DLOADER.Trojan;Incurable.Moved.;
hfmd00001.exe\data001;C:\WINDOWS\system32\hfmd00001.exe;Probably DLOADER.Trojan;;
hfmd00001.exe;C:\WINDOWS\system32;Archive contains infected objects;Moved.;
hfmd00001.exe;C:\WINDOWS\system32;Probably MULDROP.Trojan;Invalid path to file ;

#11 Buckeye_Sam

Malware Expert

Posted 07 November 2008 - 04:30 AM

Let's clean out your System Restore files, as many of them are infected and they'll be of no use to you.


Flush your System Restore. This will delete any restore points that you have, but it will also make sure that any malware hiding in System Restore is booted off.

Turn off System Restore:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer, turn it back on and create a restore point.

Create a restore point:
  • Click Start and point to All Programs.
  • Mouse over Accessories, then System Tools, and select System Restore.
  • In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
  • Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.



Now let's do a little more work with Combofix.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Suspect::[52]
c:\windows\tmp125790.bat
c:\windows\system32\nxg.bin
c:\windows\system32\dplx.sys
c:\windows\system32\ccofgnt.dll
c:\windows\system32\asdns.dll
c:\windows\gmail.com-error.html

Dirlook::
C:\HKEY-LOCAL

Prior to running Combofix.exe, you should disable your antivirus program and disconnect from the internet.

Now drag and drop the CFScript file onto ComboFix.exe, as seen in the image below.

[Image: the CFScript file being dropped onto ComboFix.exe]

This will start ComboFix again.
After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
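The Dr.Web report posted earlier in this thread is semicolon-separated (object;directory;threat;action), and the reason for flushing System Restore above is that so many of those hits sit in restore points. As an added example that is not part of the thread or of Dr.Web, this Python script parses that format and separates restore-point copies from objects on the live system; the sample lines are copied from the posted report, and all function and class names are mine.

```python
"""Tally a Dr.Web CureIt report of the kind posted in this thread (added example).

Result lines are semicolon-separated: object;directory;threat;action;  An object found
inside an archive is written archive\\inner\\name with an empty action, because the
action is recorded on the archive's own line.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample: six lines copied from the report posted above.
SAMPLE_REPORT = r"""
A0035320.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP372;Trojan.Starter.384;Cured.;
A0035334.sys;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP374;BackDoor.Bulknet.240;Deleted.;
A0035342.exe\32788R22FWJFW\C.bat;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP374\A0035342.exe;Probably BATCH.Virus;;
A0035342.exe;C:\System Volume Information\_restore{7A09A577-5585-432A-BB68-EE1AD2967CC2}\RP374;Archive contains infected objects;Moved.;
hfmd00001.dll;C:\WINDOWS\system32;Probably DLOADER.Trojan;Incurable.Moved.;
hfmd00001.exe;C:\WINDOWS\system32;Probably MULDROP.Trojan;Invalid path to file ;
"""

# The XP System Restore store; the group captures the restore-point number (RP372 -> "372").
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)", re.IGNORECASE)


class Detection(NamedTuple):
    obj: str
    directory: str
    threat: str
    action: str
    restore_point: str   # "372", "374", ... or "" when not inside a restore point
    inside_archive: bool


def parse_report(text: str) -> List[Detection]:
    """Parse result lines; lines without four fields are skipped as non-result text."""
    found = []
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.strip().split(";")]
        if len(fields) < 4 or not fields[0]:
            continue
        obj, directory, threat, action = fields[:4]
        match = RESTORE_POINT_RE.search(directory)
        found.append(Detection(obj, directory, threat, action,
                               match.group(1) if match else "", "\\" in obj))
    return found


def summarise(detections: List[Detection]) -> Dict[str, object]:
    """Split findings into restore-point copies versus the live system."""
    # Archive members are excluded from the counts: the archive line carries the
    # verdict and action, so counting both would double-count one object on disk.
    on_disk = [d for d in detections if not d.inside_archive]
    in_rp = [d for d in on_disk if d.restore_point]
    live = [d for d in on_disk if not d.restore_point]
    return {
        "restore_point_objects": len(in_rp),
        "restore_points_touched": sorted({d.restore_point for d in in_rp}, key=int),
        "live_system_objects": len(live),
        "live_paths": sorted(d.directory + "\\" + d.obj for d in live),
        "threats": Counter(d.threat for d in detections),
    }
```

Run against the full report, the live_paths entry is the short list worth acting on, while the restore-point count shows how much would be carried forward if System Restore were left as it is.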

#12 billj7341

Topic Starter

Posted 07 November 2008 - 08:08 AM

Did the first part of System Restore, no problem. On restart, clicked on the "System Restore" icon in System Tools, but was only given a dialog box that asked "Do you want to create a system restore point?" [Yes/No]. Clicked Yes and it took me to the original box where we unchecked Restore. No wizard, and no prompts to create a point.

#13 Buckeye_Sam

Malware Expert

Posted 07 November 2008 - 08:26 AM

As long as you turned it back on, it will have created a new restore point automatically. So no worries.
Go ahead and follow the next step with Combofix.

#14 billj7341

Topic Starter

Posted 07 November 2008 - 09:58 AM

EDIT: Att'd C:\Qoobox\Quarantine\[52]-Submit_2008-11-07@9.46.zip

--Tried again with System Restore and it worked. Yay.

--Strangely, ComboFix disappeared from my computer completely in the past 24 hours (I had to download it again and run it with the new code). Got a message to upload the following file to Bleeping Computer. Followed the instructions, but it doesn't look like anything happened. Not sure if it worked:

Submit malware to Bleeping Computer for analysis.

Copy/Paste the filepath below into the box above and click Send.

File path ---> C:\Qoobox\Quarantine\[52]-Submit_2008-11-07@9.46.zip


Here is the COMBOFIX LOG:

ComboFix 08-11-06.01 - Administrator 2008-11-07 9:46:24.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.1.1042.18.237 [GMT -5:00]
Running from: C:\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\바탕 화면\CFScript2.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.

2008-11-07 09:44 . 2008-11-07 09:44 3,043,965 -ra------ C:\ComboFix.exe
2008-11-06 21:47 . 2008-11-06 21:47 <DIR> d-------- c:\documents and settings\Administrator\DoctorWeb
2008-11-06 13:41 . 2008-11-06 13:41 <DIR> d-------- c:\windows\Sun
2008-11-06 13:40 . 2008-11-06 13:40 <DIR> d-------- c:\program files\Sun
2008-11-06 13:39 . 2008-11-06 13:39 <DIR> d-------- c:\program files\Java
2008-11-06 13:39 . 2008-11-06 13:39 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-06 13:39 . 2008-11-06 13:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-03 18:53 . 2008-11-03 18:53 <DIR> d-------- c:\program files\Trend Micro
2008-11-02 02:02 . 2008-11-02 02:02 702 --a------ c:\windows\system32\MRT.INI
2008-10-31 10:22 . 2008-10-31 11:55 59,904 --a------ c:\windows\system32\00setup.exe
2008-10-31 03:22 . 2008-11-01 09:51 7 --a------ c:\windows\system32\nxg.bin
2008-10-31 03:13 . 2008-10-31 03:13 8,608 --a------ c:\windows\system32\dplx.sys
2008-10-30 08:02 . 2008-10-30 12:26 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6
2008-10-30 08:00 . 2008-10-30 08:58 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-10-30 08:00 . 2008-06-14 12:59 270,336 --------- c:\windows\system32\drivers\bthport.sys
2008-10-30 08:00 . 2008-06-14 12:59 270,336 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-10-30 07:59 . 2008-08-14 08:43 2,182,016 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-30 07:59 . 2008-08-14 08:43 2,137,600 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-30 07:59 . 2008-08-14 08:43 2,059,392 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-30 07:59 . 2008-08-14 08:43 2,017,280 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-30 07:57 . 2008-11-02 02:00 <DIR> d--h----- c:\windows\$hf_mig$
2008-10-30 07:57 . 2005-06-28 10:21 22,752 --a------ c:\windows\system32\spupdsvc.exe
2008-10-29 18:35 . 2008-11-03 08:41 <DIR> d-------- C:\HKEY-LOCAL
2008-10-29 18:23 . 2008-10-29 18:23 63,488 --a------ c:\windows\system32\ccofgnt.dll
2008-10-29 18:23 . 2008-10-29 18:23 10,752 --a------ c:\windows\system32\asdns.dll
2008-10-29 10:14 . 2008-10-29 10:14 16,451 --a------ c:\windows\gmail.com-error.html
2008-10-29 10:14 . 2008-10-29 10:14 6,182 --a------ c:\windows\live.com-error.html
2008-10-29 10:14 . 2008-10-29 10:14 5,596 --a------ c:\windows\aol.com-error.html
2008-10-29 10:14 . 2008-10-29 10:14 3,696 --a------ c:\windows\google.com-error.html
2008-10-29 10:14 . 2008-10-29 10:14 1,994 --a------ c:\windows\search.yahoo.com-error.html
2008-10-29 01:16 . 2008-10-30 08:05 4,286 --a------ c:\windows\system32\Jamster.ico
2008-10-28 21:21 . 2008-10-30 08:05 9,662 --a------ c:\windows\system32\ZoneAlarmIconUS.ico
2008-10-28 21:09 . 2008-10-29 15:07 <DIR> d-------- c:\windows\system32\Αdobe
2008-10-28 21:09 . 2008-10-30 11:33 <DIR> d-------- c:\program files\Common Files\?уmbols
2008-10-28 20:30 . 2008-10-30 11:19 22 --a------ C:\WINDOWSMY_Photos_15301.zip
2008-10-27 10:13 . 2008-10-27 10:13 245 --a------ c:\windows\tmp125790.bat
2008-10-27 09:49 . 2008-10-27 09:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-10-27 09:48 . 2008-10-27 09:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-27 09:48 . 2008-10-27 09:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-27 09:48 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-27 09:48 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-27 06:49 . 2008-10-27 06:49 <DIR> d-------- c:\program files\Lavasoft
2008-10-27 06:49 . 2008-10-27 06:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-27 06:48 . 2008-10-27 06:48 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-27 01:41 . 2007-08-01 22:47 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-10-27 01:21 . 2008-10-30 08:02 <DIR> d-------- c:\windows\system32\HouseCall 6.6
2008-10-27 01:21 . 2008-10-27 01:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\HouseCall 6.6
2008-10-24 05:38 . 2008-10-24 06:10 <DIR> d-------- C:\XviD-MU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 04:25 --------- d-----w c:\program files\NetFolder
2008-11-06 20:23 17,408 ----a-w c:\windows\system32\svchost.exe
2008-10-29 04:20 42,496 ----a-w c:\windows\system32\ftp.exe
2008-10-29 01:30 359,040 ------w c:\windows\system32\drivers\tcpip.sys
2008-09-15 15:37 1,845,632 ----a-w c:\windows\system32\win32k.sys
2008-08-20 05:36 648,704 ----a-w c:\windows\system32\wininet.dll
2008-08-14 13:43 2,182,016 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 13:43 2,059,392 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-10-25 18:18 5,262,215 ----a-w c:\program files\NetFolder_Setup.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\HKEY-LOCAL ----

2008-11-03 08:41 36707442 --a------ c:\hkey-local\HKEY-DAEMON.reg
2008-10-29 18:38 36329676 --a------ c:\hkey-local\HKEY.reg


((((((((((((((((((((((((((((( snapshot@2008-11-05_21.01.26.77 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-06 00:51:41 49,152 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-07 01:47:20 49,152 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-06 00:51:41 98,304 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-07 01:47:20 98,304 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-06 20:30:35 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008110620081107\index.dat
+ 2008-11-06 18:39:22 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-11-06 18:39:22 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-06 18:39:22 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-11-05 15:39:50 27,954 ----a-w c:\windows\system32\spool\printer.dat
+ 2008-11-06 21:24:04 27,229 ----a-w c:\windows\system32\spool\printer.dat
+ 2008-11-07 12:56:21 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-05 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-08-29 171464]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-05 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"AHNSD"="c:\program files\AhnLab\Smart Update Utility\AhnSD.exe" [2008-01-16 199368]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 59392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-09 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-09 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-06 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2004-08-05 c:\windows\system32\ctfmon.exe]

c:\documents and settings\All Users\시작 메뉴\프로그램\시작프로그램\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-13 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= msaud32_divx.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\AhnlabAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Defrag32b;Defrag32Boot;c:\windows\system32\drivers\Defrag32b.sys [2004-10-22 54424]
R1 AnfdTDnt;AnfdTDnt;c:\windows\system32\drivers\AnfdTDnt.sys [2006-09-11 73828]
R2 AhnLab Task Scheduler;AhnLab Task Scheduler;c:\program files\AhnLab\Smart Update Utility\Ahnsdsv.exe [2008-01-18 174792]
R2 AnfdIont;AnfdIont;c:\windows\system32\drivers\AnfdIont.sys [2006-08-07 8292]
R2 Defrag32;Defrag32;c:\windows\system32\drivers\Defrag32.sys [2004-10-22 54424]
R2 JavaQuickStarterService;Java Quick Starter;c:\program files\Java\jre6\bin\jqs.exe [2008-11-06 152984]
R2 MonSvcNT;MonSvcNT;c:\progra~1\Ahnlab\V3\MonSvcNT.exe [2006-06-07 131207]
R2 V3NfeNt;V3NfeNt;c:\program files\Ahnlab\V3\V3NfeNt.sys [2005-12-11 14113]
R3 AhnFlt2K;AhnFlt2K;c:\windows\system32\Drivers\AhnFlt2K.sys [2006-09-27 45824]
R3 AhnRec2K;AhnRec2K;c:\windows\system32\Drivers\AhnRec2K.sys [2005-02-14 13696]
R3 v3engine;v3engine;c:\windows\system32\drivers\v3engine.sys [2008-03-14 1339008]
R3 V3Flt2K;V3Flt2K;c:\progra~1\Ahnlab\V3\V3Flt2K.sys [2007-03-02 108032]
S2 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [2004-10-31 237635]
S3 ApfIPXX;ApfIPXX;c:\progra~1\Ahnlab\V3\ApfIPXX.sys [2003-11-04 13227]
S3 SC1200A;SmartEther SC1200A 10/100 PCI Ethernet Windows 2000 Driver;c:\windows\system32\DRIVERS\SNDIS5.sys [2000-09-19 24302]
S3 scskusbf;USB SCSK Filter Driver Service;c:\windows\system32\drivers\scskusbf.sys [2007-10-26 20616]
S3 scskusbs;USB SCSK Driver Service;c:\windows\system32\drivers\scskusbs.sys [2007-10-26 106568]
S3 V3IFt2K;V3IFt2K;c:\progra~1\Ahnlab\V3\V3IFt2K.sys [2004-08-08 19712]
S3 V3IPXX;V3IPXX;c:\progra~1\Ahnlab\V3\V3IPXX.sys [2004-05-22 10954]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{204082b0-89aa-11dc-8669-000874bcf1db}]
\Shell\AutoRun\command - "G:\Install FreeAgent Tools.exe" /run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edbbb3a4-880c-11d9-a4a1-806d6172696f}]
\Shell\AutoRun\command - G:\setup.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-07 09:48:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\ccofgnt.dll
.
Completion time: 2008-11-07 9:49:03
ComboFix-quarantined-files.txt 2008-11-07 14:48:58
ComboFix2.txt 2008-11-07 02:37:29
ComboFix3.txt 2008-11-06 02:02:05

Pre-Run: 66,426,462,208 바이트 남음
Post-Run: 66,415,022,080 바이트 남음

171 --- E O F --- 2008-11-03 17:01:40

Edited by Buckeye_Sam, 07 November 2008 - 11:17 AM.


#15 Buckeye_Sam

Malware Expert

Posted 07 November 2008 - 11:19 AM

Ok, I've got the attached file. Then I removed it for security purposes.
Give me a few minutes to analyze these guys and I'll be right back.