
PE DARKSNOW Hijack This please help


This topic is locked
24 replies to this topic

#1 knish

Posted 06 January 2009 - 07:20 PM

Picked up what I believe is the PE DARKSNOW virus from using a jumpdrive in another machine. I was hoping that I removed all traces of the virus off my machine but I keep getting an error when I start windows.

I've attempted to attach the error message as a jpg, and I've posted a hijackthis log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:27 PM, on 06/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\sistray.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\start\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
F2 - REG:system.ini: Shell=Explorer.exe %PROGRAMFILES%\SYSTMEM.EXE
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SiSUSBRG] "C:\WINDOWS\SiSUSBrg.exe"
O4 - HKLM\..\Run: [Cmaudio] "C:\WINDOWS\system32\rundll32.exe" cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab.ca/Upload/ImageUploader4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=24931
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://www.easypix.ca/upload/activex/v2_0_...upv2.0.0.11.cab?
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 7381 bytes


#2 mas_pogi

Posted 07 January 2009 - 05:02 AM

Hello,

Welcome to Bleeping Computer.

My name is mas_pogi and I will be helping you with your malware problem.
As I am still in training I will be helping you under the supervision of our expert teachers, so there may be a delay between posts.

Attention!

Please do not run any other tool until instructed to do so.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.
Please reply to this thread, do not start another.




You might want to bookmark this page, so you can find it again when you return.

Firefox: [image] Then click on Done.

IExplorer: [image] Then click on Add.

Stay calm and everything will be just alright.

I will be analyzing your log. I will get back to you with instructions after it is approved.

With Regards,
mas_pogi

#3 miekiemoes

Posted 07 January 2009 - 05:42 AM

Edit

Post removed - I see someone else already posted

Edited by miekiemoes, 07 January 2009 - 05:44 AM.


#4 mas_pogi

Posted 08 January 2009 - 07:42 AM

hi.

Let's start cleaning your computer.

Please follow the instructions below:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link: VirusTotal

When the VirusTotal page has finished loading, click the Browse button, navigate to the following file and click Submit.

C:\Program files\SYSTMEM.EXE


Please post back the results of the scan in your next post.

If Virustotal is busy, try the same at Jotti: http://virusscan.jotti.org/


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Please also include C:\QooBox\Add-Remove Programs.txt.

Mark

Edited by mas_pogi, 08 January 2009 - 07:44 AM.


#5 knish

Posted 08 January 2009 - 01:08 PM

There is no file under C:\Program files\SYSTMEM.EXE, and I couldn't find systmem anywhere else on my system.

Here are the logs:
ComboFix:
ComboFix 09-01-07.02 - start 2009-01-08 12:32:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.682 [GMT -5:00]
Running from: c:\documents and settings\start\Desktop\ComboFix.exe
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Outdated)
FW: Webroot Internet Security Essentials *disabled*
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\start\Application Data\inst.exe
c:\windows\regedit.com
c:\windows\system32\.exe
c:\windows\system32\open.ico
c:\windows\system32\taskmgr.com

.
((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-05 12:26 . 2009-01-05 12:25 107,272 --a------ c:\windows\system32\drivers\pwipf6.sys
2008-12-25 09:38 . 2009-01-05 12:12 <DIR> d-------- c:\program files\DVDFab 5
2008-12-25 09:38 . 2008-12-25 09:39 <DIR> d-------- c:\documents and settings\start\Application Data\Vso
2008-12-25 09:38 . 2008-12-25 09:38 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2008-12-25 09:38 . 2008-12-25 09:38 47,360 --a------ c:\documents and settings\start\Application Data\pcouffin.sys
2008-12-22 21:38 . 2009-01-06 19:16 <DIR> d-------- c:\program files\Duplicate Finder
2008-12-22 21:38 . 2000-01-18 23:45 69,632 --a------ c:\windows\system32\CrcCtrl.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 00:25 --------- d-----w c:\documents and settings\start\Application Data\Azureus
2009-01-07 00:08 --------- d-----w c:\program files\Trend Micro
2009-01-06 03:48 --------- d-----w c:\documents and settings\start\Application Data\ImgBurn
2009-01-06 03:47 --------- d-----w c:\program files\CCleaner
2009-01-05 21:53 --------- d-----w c:\documents and settings\start\Application Data\Webroot
2009-01-05 21:32 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-01-02 13:05 --------- d-----w c:\documents and settings\start\Application Data\AdobeUM
2009-01-02 13:02 --------- d-----w c:\program files\Common Files\Adobe
2008-12-14 03:16 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-30 18:31 --------- d-----w c:\program files\Framing Station
2008-11-28 04:43 --------- d-----w c:\program files\mIRC
2008-11-27 17:34 --------- d-----w c:\program files\Azureus
2008-11-23 16:20 --------- d-----w c:\documents and settings\start\Application Data\EBookSys
2008-11-14 01:21 --------- d-----w c:\program files\LimeWire
2008-11-13 22:11 1,553,272 ----a-w c:\windows\WRSetup.dll
2008-11-12 21:02 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-12 21:02 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2008-11-12 21:02 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys
2008-11-12 02:58 --------- d-----w c:\program files\Java
2008-11-10 22:57 --------- d-----w c:\program files\avisplit
2005-09-09 23:55 7,155,864 ----a-w c:\program files\NGhost10.msi
2005-09-09 23:55 4,588,454 ----a-w c:\program files\setup.exe
2005-09-09 23:55 37,766,164 ----a-w c:\program files\Data1.cab
2005-09-09 23:55 35 ----a-w c:\program files\SCSSDist.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-11-13 17:04 238968 --a------ c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2009-01-04 106496]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 344064]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"SiS Tray"="c:\windows\system32\sistray.EXE" [2003-08-19 667648]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-04 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-11 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.dvsd"= dvc.dll
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 11:39 133104 c:\documents and settings\start\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2009-01-05 00:06 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-04 23:45 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
--a------ 2009-01-05 00:06 241664 c:\windows\system32\Keyhook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2009-01-04 23:34 180224 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ImapiService"=3 (0x3)
"Messenger"=2 (0x2)
"iPodService"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"bgsvcgen"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_04\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17020:TCP"= 17020:TCP:BitComet 17020 TCP
"17020:UDP"= 17020:UDP:BitComet 17020 UDP

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-08-09 29808]
R0 stwlfbus;stwlfbus;c:\windows\system32\drivers\stwlfbus.sys [2003-04-27 8704]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-05-25 58016]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2009-01-05 107272]
R3 st3wolf;st3wolf;c:\windows\system32\drivers\st3wolf.sys [2003-04-27 99360]
R4 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2009-01-05 1086840]
S1 SiSEsc;SISLIB_ESC;c:\windows\system32\sisesc.sys [2004-03-27 28416]
S3 NaiAvFilter101;NAI Anti Virus;\Device\NaiAvFilter101.sys --> \Device\NaiAvFilter101.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{858ab262-4807-11da-93a5-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe
\Shell\directx\command - d:\directx\dxsetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1326574676-1417001333-1003.job
- c:\documents and settings\start\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 11:39]

2008-10-03 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-11-13 17:11]

2008-10-03 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-11-13 17:11]

2008-10-03 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\","d:\" []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
MSConfigStartUp-eligmini - c:\program files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-Microsoft AOL Instant Messenger - MSAOL32.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wightman.ca/~jeffandkim/links.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: *.windowsupdate.microsoft.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 12:39:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-1326574676-1417001333-1003\Software\Zepter Software\RegLib*NULL*2cdbb407\CloneDVD/2]
"1"=dword:4452db67
"2"=dword:4504c5fb

[HKEY_USERS\S-1-5-21-1343024091-1326574676-1417001333-1003\Software\Zepter Software\RegLib*NULL*2cdbb407\CloneDVD2/2]
"1"=dword:4452db67
"2"=dword:4504c5fa

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{63BF9C16-61FD-5246-D28A6F9B6DBA4643}\{A1662382-7299-AE2E-23313B5BBD368ECE}\{683884CE-C1AE-773A-12388A76175B81B9}*NULL*]
"63AUOURV1X6YIYB2ELIFO4LTRC1"=hex:01,00,01,00,00,00,00,00,87,da,ad,38,2b,26,f8,\
c3,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(632)
c:\windows\system32\EntApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\windows\system32\ScsiAccess.EXE
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
.
**************************************************************************
.
Completion time: 2009-01-08 12:45:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-08 17:44:54

Pre-Run: 1,243,197,440 bytes free
Post-Run: 1,160,167,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

226 --- E O F --- 2008-12-18 22:27:06



ADD/REMOVE PROGRAMS:

7-Zip 4.42
Ad-aware 6 Personal
Adobe Flash Player Plugin
Adobe MPEG Encoder
Adobe Premiere 6.5
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Adobe Shockwave Player
Advanced RealMedia Export Plug-in for Premiere 6.0
afreeCodecVT 1.1.52
AMP WinOFF
ArcSoft PhotoStudio 5
Arthur's Math Games
aspi
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Auto Gordian Knot 2.45
AutoUpdate
AVI Splitter
AVIcodec (remove only)
AviSynth 2.5
Azureus Vuze
Blue's Kindergarten
C-Media 3D Audio
C-Media WDM Audio Driver
CCHelp
CCleaner (remove only)
CCScore
Corel Applications
Corel Uninstaller
Cosmo Player 2.1.1 (41451)
CR2
DAEMON Tools
Disney Print Studio Deluxe NCR Mailing
Disney Print Studio Deluxe NCR Printer 2nd Ed
Disney Print Studio Deluxe NCR Stickers
Disney Print Studio Deluxe NCR Stickers 2nd Ed
Disney/Pixar Finding Nemo: Learning with Nemo
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Dora Backpack
Dora Dance Rescue
Dora Fairytale Adventure
Dora Lost City
Dr. DivX 2.0 OSS
Drawing for Children
Duplicate Finder
DVD-RAM Driver
DVD Decrypter (Remove Only)
DVD Profiler Version 2.4.0
DVD Shrink 3.2
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.2.2
DVDFab Decrypter 3.0.7.5 Beta
DVDFab HD Decrypter 3.1.0.8
Easy Video Downloader v. 2.0
Emsa FlexInfo Pro 1.0
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSTUTOR
ESSvpaht
ESSvpot
ExamView Pro
Fisher-Price® - Toddler
Framing Station
GetDataBack for FAT and GetDataBack for NTFS
Google Chrome
Google Earth
GSpot Codec Information Appliance
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
ImgBurn
Ipswitch WS_FTP Home
Java 2 Runtime Environment, SE v1.4.2_04
Java™ 6 Update 10
K-Lite Codec Pack 2.76 Full
KC Softwares VideoInspector
Kodak EasyShare software
KSU
Lexmark 1200 Series
LimeWire 4.18.8
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Extension Manager
Macromedia Flash 5
Matroska Pack - Lazy Man's MKV 1.0.1-alpha6
Max Movie Maker 3.0
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 5.0
Microsoft IntelliType Pro 5.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office FrontPage 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Media Video 9 VCM
Microsoft XML Parser and SDK
mIRC
Mozilla (1.6)
Mp3Decode
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML4SP2
Nero 6 Ultra Edition
Notifier
OTtBP
Password Corral v3.4.6
PCDLNCH
PowerDVD
Quick Zip 4.50 Beta 15
QuickTime
Reader Rabbit's Preschool
Reader Rabbit Thinking Adventures Ages 4-6
Reader Rabbit Toddler
RealPlayer
RealProducer Basic 10
Recover My Files
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
Sentinel Protection Installer 7.0.0
SFR
SFR2
Shockwave
SiS 661FX_760_741_M661FX_M760_M741
SiS 900 PCI Fast Ethernet Adapter Driver
SMPlayer Extra Codecs 20071007
SoftK56 Data Fax
SoftV92 Data Fax Modem
Sport Video Player 1.51
Spy Sweeper Core
TMPGEnc DVD Author 3 with DivX Authoring
TMPGEnc Plus 2.5
Twins Video Player
UFile 2005
UFile 2006
UFile 2007
UFile Updater 2005
UFile Updater 2006
UFile Updater 2007
Unlocker 1.8.3
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VideoLAN VLC media player 0.8.4a
VobSub v2.23 (Remove Only)
WebFldrs XP
Webroot Internet Security Essentials
WillExpert
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinZip
WordPerfect Office 2002 Professional
XMPEG 5.0
XP Codec Pack
Xvid 1.1.3 final uninstall
XviD MPEG4 Video Codec (remove only)
ZoneAlarm Pro
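
The two logs posted above show several of the self-defence and persistence tricks worth recognising on sight: the F2 Shell= entry in the first HijackThis log (post #1) makes Winlogon start %PROGRAMFILES%\SYSTMEM.EXE alongside Explorer at every logon; the O7 DisableRegedit=1 policy and the regedit.com and taskmgr.com files that ComboFix deleted (post #5) lock the user out of the normal repair tools, since cmd.exe resolves a bare name through PATHEXT and .COM precedes .EXE by default, so typing regedit runs the impostor; and the Security Center overrides together with EnableFirewall=0 silence the warnings that would otherwise have exposed the change. The Python script below is an added example, not part of this thread and not part of HijackThis or ComboFix: it runs those checks over sample lines copied from the two logs. The rule names, the list of tool names checked for .com shadows, and the policy-name and Security Center value lists are this example's own assumptions.

```python
"""Triage of HijackThis and ComboFix output for the tricks seen in this thread.

Added example, not part of the original thread or of the HijackThis/ComboFix
tools. Sample lines are copied from the logs in posts #1 and #5; rule names
and the lookup tables are this example's own assumptions.
"""
import re

# Constructed sample: a few lines copied from the HijackThis log in post #1.
HJT_SAMPLE = r"""F2 - REG:system.ini: Shell=Explorer.exe %PROGRAMFILES%\SYSTMEM.EXE
O4 - HKLM\..\Run: [SiSUSBRG] "C:\WINDOWS\SiSUSBrg.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Constructed sample: a few lines copied from the ComboFix report in post #5.
COMBOFIX_SAMPLE = r"""c:\windows\regedit.com
c:\windows\system32\.exe
c:\windows\system32\taskmgr.com
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

# Assumed lists: tools whose .exe is commonly shadowed by a same-named .com,
# policy values that lock the user out of repair tools, and the Security
# Center values that suppress its warnings.
SHADOWED_TOOLS = {"regedit", "taskmgr", "msconfig"}
LOCKOUT_POLICIES = {"DisableRegedit", "DisableTaskMgr"}
SECURITY_CENTER_OVERRIDES = {"AntiVirusDisableNotify", "UpdatesDisableNotify",
                             "AntiVirusOverride", "FirewallOverride"}


def check_hjt_line(line):
    """Return (rule, detail) for one HijackThis line, or None if nothing stands out."""
    m = re.match(r"F2 - REG:system\.ini: Shell=(.+)", line)
    if m:
        # Winlogon's Shell value should be exactly Explorer.exe; anything
        # appended is launched together with the desktop at every logon.
        extra = [t for t in m.group(1).split() if t.lower() != "explorer.exe"]
        return ("shell-hijack", extra) if extra else None
    m = re.match(r"O7 - .*\\Policies\\System, (\w+)=(\d+)", line)
    if m and m.group(1) in LOCKOUT_POLICIES and m.group(2) != "0":
        return ("tool-lockout", m.group(1))
    m = re.match(r"O23 - Service: (.+?) - Unknown owner - (.+)", line)
    if m:
        # No company name in the version resource: not proof of malice,
        # but a service binary to look at first.
        return ("service-unknown-owner", m.group(2))
    return None


def check_combofix_line(line):
    """Return (rule, detail) for one ComboFix report line, or None."""
    m = re.match(r"[a-z]:\\.*\\([^\\]*)\.(com|exe)$", line, re.IGNORECASE)
    if m:
        base, ext = m.group(1).lower(), m.group(2).lower()
        if base == "":
            # c:\windows\system32\.exe: an executable with no name at all.
            return ("nameless-executable", line)
        if ext == "com" and base in SHADOWED_TOOLS:
            # regedit.com beside regedit.exe: a bare "regedit" resolves to the
            # .com first because .COM precedes .EXE in the default PATHEXT.
            return ("com-shadow", base)
        return None
    m = re.match(r'"(\w+)"=dword:0*([1-9a-f][0-9a-f]*)', line, re.IGNORECASE)
    if m and m.group(1) in SECURITY_CENTER_OVERRIDES:
        return ("security-center-override", m.group(1))
    if re.match(r'"EnableFirewall"=\s*0\b', line):
        return ("firewall-disabled", "standardprofile")
    return None


def triage(hjt_text, combofix_text):
    """Run both checkers and return the findings in log order."""
    findings = []
    for line in hjt_text.splitlines():
        hit = check_hjt_line(line.strip())
        if hit:
            findings.append(hit)
    for line in combofix_text.splitlines():
        hit = check_combofix_line(line.strip())
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, detail in triage(HJT_SAMPLE, COMBOFIX_SAMPLE):
        print(f"{rule:26} {detail}")
```

Run against the sample it reports the Shell hijack, the DisableRegedit lockout, the ScsiAccess service, both .com shadows, the nameless system32\.exe, the three Security Center overrides and the disabled firewall; the benign O4, O23 and LEXBCES.EXE lines produce nothing. Real logs are larger, so the point of the functions is that each line is judged on its own and the checks can be extended one rule at a time.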

#6 mas_pogi

Posted 08 January 2009 - 10:47 PM

hi.


Could you also post a fresh hijackthis log?

Thanks.

Mark

#7 knish

Posted 08 January 2009 - 10:55 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:49 PM, on 08/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\sistray.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wightman.ca/~jeffandkim/links.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SiSUSBRG] "C:\WINDOWS\SiSUSBrg.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab.ca/Upload/ImageUploader4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=24931
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://www.easypix.ca/upload/activex/v2_0_...upv2.0.0.11.cab?
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 7097 bytes
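As an added example (not part of the original posts and not a HijackThis feature), the script below applies a few of the checks a helper applies by eye to the O2/O4/O9/O16/O23 lines of a log like the one above: entries whose backing file is gone, services with no publisher string, ActiveX (DPF) downloads from hosts other than Microsoft's, and autorun targets outside the Windows and Program Files trees. The sample lines are copied from the log above, except the last O4 line, which is constructed to exercise the path check; the trusted-host list and the standard-directory list are assumptions, and anything flagged is for manual review, not an automatic verdict.

```python
"""Triage heuristics for HijackThis-style log lines (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the posted log, plus one constructed
# O4 line at the end (not from the log) that points into a user Temp folder.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O4 - HKLM\..\Run: [SiSUSBRG] "C:\WINDOWS\SiSUSBrg.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=24931
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\start\Local Settings\Temp\updater.exe
"""

# Assumed policy: autoruns are expected under these trees (lower-cased prefixes).
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\")
# Assumed policy: DPF (ActiveX) downloads from these domains are not flagged.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    reason: str  # why the line deserves a second look
    line: str    # the original log line


def _run_target(line: str) -> str:
    """Extract the executable path from an O4 line (quoted or unquoted)."""
    if "] " not in line:
        return ""
    rest = line.split("] ", 1)[1]
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces: take up to the first executable suffix.
    m = re.match(r"(.*?\.(?:exe|dll|scr|cmd|bat))", rest, re.IGNORECASE)
    return m.group(1) if m else rest.split()[0]


def _dpf_host(line: str) -> str:
    """Return the host part of the download URL on an O16 line."""
    m = re.search(r"https?://([^/\s]+)", line)
    return m.group(1).lower() if m else ""


def triage(log_text: str) -> list:
    """Return the lines a reviewer should look at, with the reason for each."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or " - " not in line:
            continue
        kind = line.split(" - ", 1)[0]
        low = line.lower()
        # An entry whose file is gone is a leftover to clean up in any section.
        if "(no file)" in low or "(file missing)" in low:
            findings.append(Finding(kind, "backing file missing; orphaned entry", line))
            continue
        if kind == "O23" and "unknown owner" in low:
            findings.append(Finding(kind, "service binary has no publisher string", line))
        elif kind == "O16":
            host = _dpf_host(line)
            if not host.endswith(TRUSTED_DPF_HOSTS):
                findings.append(Finding(kind, f"ActiveX control downloaded from {host}", line))
        elif kind == "O4":
            target = _run_target(line).lower()
            if target and not target.startswith(STANDARD_DIRS):
                findings.append(Finding(kind, f"autorun outside standard dirs: {target}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

On the sample this flags the two orphaned BitComet entries, the ScsiAccess service with no owner, both third-party DPF downloads (the Sun Java one is legitimate, which is why the output is a review list rather than a verdict) and the constructed Temp-folder autorun; the O4 entries under C:\WINDOWS and C:\Program Files and the Zone Labs service pass.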

#8 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:02:16 AM

Posted 09 January 2009 - 06:47 PM

hi.

Let's continue.



You have two AV installed
McAfee VirusScan Enterprise
Webroot Internet Security Essentials

If your McAfee is still not expired, you can uninstall Webroot IS Essentials. Keep one and uninstall the other.

Read below for warning:
Using more than one anti-virus program is not advisable. The primary concern with using more than one anti-virus program is due to conflicts that can arise when they are running in real-time mode simultaneously. Even when one of them is disabled for use as a stand-alone scanner, it can affect the other. Anti-virus software components insert themselves into the operating systems core and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

Each anti-virus will often interpret the activity of the other as a virus and there is a greater chance of them alerting you to a "False Positive". If one finds a virus and then the other also finds the same virus, both programs will be competing over exclusive rights on dealing with that virus. Each anti-virus will attempt to remove the offending file and quarantine it. If one finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a virus has been found when that is not the case.

Anti-virus scanners use virus definitions to check for viruses and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, most anti-virus programs encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. However, some anti-virus vendors do not encrypt their definitions and will trigger false alarms if used while another resident anti-virus program is active.

To avoid these problems, use only one anti-virus solution.


You also have two third-party firewalls installed:


Zonealarm
Webroot Internet Security Essentials(already has a firewall)


Uninstalling Webroot Internet Security Essentials will also uninstall its bundled firewall.

  • Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case Azureus, LimeWire, BitComet). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

    It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

    It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

    Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

  • Please uninstall the following using ADD/REMOVE program at the Control Panel.

    Duplicate Finder <--bundled with trojan. Read here

    Java 2 Runtime Environment, SE v1.4.2_04 <--Outdated java runtimes
    Java™ 6 Update 10 <--Outdated java runtimes

    Then update your Java here. Choose Java Runtime Environment (JRE) 6 Update 11.

  • Did you set them in msconfig?

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ImapiService"=3 (0x3) manual
    "Messenger"=2 (0x2) automatic
    "iPodService"=3 (0x3) manual
    "sdCoreService"=3 (0x3) manual
    "sdAuxService"=3 (0x3) manual
    "RemoteRegistry"=2 (0x2) automatic
    "RDSessMgr"=3 (0x3) manual
    "RasMan"=3 (0x3) manual
    "RasAuto"=3 (0x3) manual
    "bgsvcgen"=2 (0x2) automatic

  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here:


    How to see hidden files in Windows

    Please click this link-->Virustotal

    When the VirusTotal page has finished loading, click the Browse button, navigate to each of the following files and click Submit.

    c:\program files\NGhost10.msi
    c:\program files\setup.exe
    c:\program files\Data1.cab
    c:\program files\SCSSDist.ini


    Please post back the results of the scan in your next post.

    If Jotti is busy, try the same at Jotti: http://virusscan.jotti.org/

  • 1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    EXTRA::

    REGISTRY::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=dword:00000001


    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

  • Please download ATF Cleaner by Atribune & save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

  • Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

In your reply, please post

C:\combofix.txt
C:\QooBox\Add-Remove Programs.txt
Kaspersky scan result
Answer to my questions
Virustotal result


Mark

#9 knish

knish
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:02:16 AM

Posted 10 January 2009 - 08:22 AM

I had webroot installed to remove spyware but I've now uninstalled it.
3. Did you set them in msconfig?

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ImapiService"=3 (0x3) manual
"Messenger"=2 (0x2) automatic
"iPodService"=3 (0x3) manual
"sdCoreService"=3 (0x3) manual
"sdAuxService"=3 (0x3) manual
"RemoteRegistry"=2 (0x2) automatic
"RDSessMgr"=3 (0x3) manual
"RasMan"=3 (0x3) manual
"RasAuto"=3 (0x3) manual
"bgsvcgen"=2 (0x2) automatic

- I often use msconfig to run only the programs that I need at startup, I never use messenger or ipod services, the rest I am unfamiliar with.
4. I've tried to scan data1.cab on both sites but the file is much too large, it won't upload.


- Other scans are posted:
nghost10.msi

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.10 -
AhnLab-V3 2009.1.10.0 2009.01.09 -
AntiVir 7.9.0.54 2009.01.09 -
Authentium 5.1.0.4 2009.01.10 -
Avast 4.8.1281.0 2009.01.09 -
AVG 8.0.0.229 2009.01.09 -
BitDefender 7.2 2009.01.10 -
CAT-QuickHeal 10.00 2009.01.09 -
ClamAV 0.94.1 2009.01.09 -
Comodo 905 2009.01.09 -
DrWeb 4.44.0.09170 2009.01.09 -
eSafe 7.0.17.0 2009.01.08 Suspicious File
eTrust-Vet 31.6.6301 2009.01.10 -
F-Prot 4.4.4.56 2009.01.09 -
F-Secure 8.0.14470.0 2009.01.10 -
Fortinet 3.117.0.0 2009.01.09 -
GData 19 2009.01.10 -
Ikarus T3.1.1.45.0 2009.01.10 -
K7AntiVirus 7.10.584 2009.01.09 -
Kaspersky 7.0.0.125 2009.01.10 -
McAfee 5490 2009.01.09 -
McAfee+Artemis 5490 2009.01.09 -
Microsoft 1.4205 2009.01.10 -
NOD32 3755 2009.01.09 -
Norman 5.99.02 2009.01.09 -
Panda 9.4.3.3 2009.01.09 -
PCTools 4.4.2.0 2009.01.09 -
Prevx1 V2 2009.01.10 -
Rising 21.11.42.00 2009.01.09 -
SecureWeb-Gateway 6.7.6 2009.01.10 Virus.FileInfector.gen!92
Sophos 4.37.0 2009.01.10 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.10 -
TheHacker 6.3.1.4.216 2009.01.10 -
TrendMicro 8.700.0.1004 2009.01.09 -
VBA32 3.12.8.10 2009.01.09 -
ViRobot 2009.1.9.1552 2009.01.09 -
VirusBuster 4.5.11.0 2009.01.09 -
Additional information
File size: 7155864 bytes
MD5...: a85dab4e34a983aa6a92f897505a6ed7
SHA1..: 9bb75e37ab441e50289c4d9feeac61b3e24cce5c
SHA256: db142f8976301a32a84fc4c370f70c68f2d1d858b12de6ff5528a8f07a4f4e16
SHA512: a6139155308d2a033a8dc261d3e161e435ed636d8767c5bf55942e2816190e9c
d702dec99f08cebbefde4629b6bfa161e10e1a437c88d466cee8f6d120426f72

ssdeep: 98304:JlCYjeOjYteKYkqEUSgDZGb41wrzvqCHf2Yy43jFht9MV9:vCAjYtlDUSU
ZGkQzvqUtpuP

PEiD..: -
TrID..: File type identification
Microsoft Windows Installer (89.7%)
Windows SDK Setup Transform Script (6.1%)
iGrafx FlowCharter document (3.2%)
Generic OLE2 / Multistream Compound File (0.7%)
PEInfo: -
packers (Kaspersky): XLok


File SCSSDist.ini received on 08.21.2008 16:38:30 (CET)
Current status: finished

Result: 0/35 (0.00%)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.21.0 2008.08.21 -
AntiVir 7.8.1.23 2008.08.21 -
Authentium 5.1.0.4 2008.08.21 -
Avast 4.8.1195.0 2008.08.21 -
AVG 8.0.0.161 2008.08.21 -
BitDefender 7.2 2008.08.21 -
CAT-QuickHeal 9.50 2008.08.21 -
ClamAV 0.93.1 2008.08.21 -
DrWeb 4.44.0.09170 2008.08.21 -
eSafe 7.0.17.0 2008.08.21 -
eTrust-Vet 31.6.6039 2008.08.21 -
Ewido 4.0 2008.08.21 -
F-Prot 4.4.4.56 2008.08.20 -
F-Secure 7.60.13501.0 2008.08.21 -
Fortinet 3.14.0.0 2008.08.21 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.21 -
K7AntiVirus 7.10.422 2008.08.20 -
Kaspersky 7.0.0.125 2008.08.21 -
McAfee 5366 2008.08.21 -
Microsoft 1.3807 2008.08.21 -
NOD32v2 3375 2008.08.21 -
Norman 5.80.02 2008.08.20 -
Panda 9.0.0.4 2008.08.21 -
PCTools 4.4.2.0 2008.08.21 -
Prevx1 V2 2008.08.21 -
Rising 20.58.32.00 2008.08.21 -
Sophos 4.32.0 2008.08.21 -
Sunbelt 3.1.1564.1 2008.08.21 -
Symantec 10 2008.08.21 -
TheHacker 6.3.0.6.056 2008.08.21 -
TrendMicro 8.700.0.1004 2008.08.21 -
ViRobot 2008.8.21.1344 2008.08.21 -
VirusBuster 4.5.11.0 2008.08.21 -
Webwasher-Gateway 6.6.2 2008.08.21 -
Additional information
File size: 35 bytes
MD5...: 74358262cc9ce8f6a8ec01231b0fee33
SHA1..: bc938dfd741c9d16b565fb12e080d6168fb07a2b
SHA256: a64bb73b22830ca0c84170edf618c4b0c51a199a7aaf7ce14daacdf3063aaf61
SHA512: b553ff9cedf7d21389f27e4782000eb935b36d00e8bd3f37093f963135de5c45
18072207a0086e9cfa8f21d4286c566bb8162f52b4e86cdcc0f9a2dfefe1b360
PEiD..: -
PEInfo: -


File setup.exe received on 01.10.2009 14:07:51 (CET)


Result: 0/38 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.10 -
AhnLab-V3 2009.1.10.0 2009.01.09 -
AntiVir 7.9.0.54 2009.01.10 -
Authentium 5.1.0.4 2009.01.10 -
Avast 4.8.1281.0 2009.01.09 -
AVG 8.0.0.229 2009.01.09 -
BitDefender 7.2 2009.01.10 -
CAT-QuickHeal 10.00 2009.01.09 -
ClamAV 0.94.1 2009.01.10 -
Comodo 910 2009.01.10 -
DrWeb 4.44.0.09170 2009.01.10 -
eSafe 7.0.17.0 2009.01.08 -
eTrust-Vet 31.6.6301 2009.01.10 -
F-Prot 4.4.4.56 2009.01.09 -
F-Secure 8.0.14470.0 2009.01.10 -
Fortinet 3.117.0.0 2009.01.10 -
GData 19 2009.01.10 -
Ikarus T3.1.1.45.0 2009.01.10 -
K7AntiVirus 7.10.584 2009.01.09 -
Kaspersky 7.0.0.125 2009.01.10 -
McAfee 5490 2009.01.09 -
McAfee+Artemis 5490 2009.01.09 -
Microsoft 1.4205 2009.01.10 -
NOD32 3756 2009.01.10 -
Norman 5.99.02 2009.01.09 -
Panda 9.4.3.3 2009.01.10 -
PCTools 4.4.2.0 2009.01.10 -
Prevx1 V2 2009.01.10 -
Rising 21.11.52.00 2009.01.10 -
SecureWeb-Gateway 6.7.6 2009.01.10 -
Sophos 4.37.0 2009.01.10 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.10 -
TheHacker 6.3.1.4.216 2009.01.10 -
TrendMicro 8.700.0.1004 2009.01.09 -
VBA32 3.12.8.10 2009.01.09 -
ViRobot 2009.1.10.1553 2009.01.10 -
VirusBuster 4.5.11.0 2009.01.09 -
Additional information
File size: 4588454 bytes
MD5...: 093e47e5f16547d485846838327d5575
SHA1..: 510602186d69a88b492e80e34b48cb966ea2d978
SHA256: 08c65cd39846ac6a7892ac96ac772d150bebf08ff2e39625bf0b1308ef4b9117
SHA512: ddfa7e77c488fb0c1f96e9f481a9ab55a612bc36688f0eb6c671b6bc89843c1b
2aa8fc54924557e8aad522977fec711bfca92c3077b9c7f54f8015a61a27d75b

ssdeep: 98304:LsFfGMTPQLco1gufrVqV26hgDFrteSdeROyT5Wxn:LsFfGMkASVqV26hgD
neSsROy9e

PEiD..: Armadillo v1.71
TrID..: File type identification
InstallShield setup (42.6%)
Win32 Executable MS Visual C++ (generic) (37.3%)
Win32 Executable Generic (8.4%)
Win32 Dynamic Link Library (generic) (7.5%)
Generic Win/DOS Executable (1.9%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4194ec
timedatestamp.....: 0x3f55afcb (Wed Sep 03 09:09:31 2003)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x21e5e 0x22000 6.55 1800d395c4bea5fe2c83eeaecea229a8
.rdata 0x23000 0x4170 0x5000 4.77 ecf9768c6247b32bb5d8cb151a74fd54
.data 0x28000 0x9298 0x5000 3.16 34bbf9132e82dfd335ec84b3397ecc0e
.rsrc 0x32000 0xa2e0 0xb000 7.24 19769785eb94d278ba0f3e72db799582

( 9 imports )
> VERSION.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
> SHELL32.dll: SHBrowseForFolderA, SHGetMalloc, SHGetPathFromIDListA
> COMCTL32.dll: -
> KERNEL32.dll: DeleteFileA, lstrlenW, WriteFile, InterlockedIncrement, InterlockedDecrement, QueryPerformanceFrequency, CreateEventA, Sleep, lstrcatA, CompareStringA, CompareStringW, GetVersionExA, SetFilePointer, SetFileAttributesA, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, FreeLibrary, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceA, CreateProcessA, GetSystemDefaultLCID, GlobalHandle, VerLanguageNameA, SetCurrentDirectoryA, GetPrivateProfileSectionA, WaitForSingleObject, GetSystemInfo, GetModuleFileNameA, IsValidCodePage, FlushFileBuffers, LocalFree, FormatMessageA, GetDiskFreeSpaceA, _lclose, OpenFile, GetDriveTypeA, lstrcpynA, CreateDirectoryA, GetFileAttributesA, RemoveDirectoryA, GetExitCodeProcess, GetCurrentProcess, GetCurrentThread, GetLocaleInfoA, FreeEnvironmentStringsW, lstrlenA, UnhandledExceptionFilter, GetOEMCP, GetACP, GetCPInfo, SetUnhandledExceptionFilter, WideCharToMultiByte, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentVariableA, DeleteCriticalSection, InitializeCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, GetCurrentThreadId, HeapSize, HeapReAlloc, LeaveCriticalSection, EnterCriticalSection, GetVersion, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, TerminateProcess, ExitProcess, RaiseException, HeapFree, HeapAlloc, RtlUnwind, SystemTimeToFileTime, QueryPerformanceCounter, ResetEvent, SetEvent, GetShortPathNameA, SearchPathA, GetStringTypeA, FindFirstFileA, VirtualProtect, VirtualQuery, FindClose, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, LCMapStringA, LCMapStringW, SetStdHandle, CreateFileA, GetFileSize, GlobalAlloc, CloseHandle, GlobalLock, ReadFile, GlobalUnlock, GlobalFree, GetLastError, SetLastError, CopyFileA, MultiByteToWideChar, CreateThread, GetExitCodeThread, GetTickCount, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GetPrivateProfileIntA, GetTempPathA, SetErrorMode, GetWindowsDirectoryA, GetTempFileNameA, WritePrivateProfileStringA, 
lstrcpyA, GetPrivateProfileStringA, CreateFileMappingA, MapViewOfFile, IsBadWritePtr, UnmapViewOfFile, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, FreeEnvironmentStringsA
> USER32.dll: GetWindowTextLengthA, GetWindowTextA, MoveWindow, GetWindowPlacement, DrawIcon, DestroyIcon, GetDlgCtrlID, SetWindowTextA, FillRect, GetParent, EnableWindow, GetDlgItemTextA, SetCursor, UpdateWindow, GetClassInfoA, wvsprintfA, LoadStringA, GetSysColor, GetSysColorBrush, IsDialogMessageA, SendMessageA, GetSystemMetrics, SetRect, FindWindowA, IntersectRect, SubtractRect, CharPrevA, DestroyWindow, CreateDialogParamA, CharNextA, MessageBoxA, WaitForInputIdle, GetWindowLongA, BeginPaint, EndPaint, SetWindowLongA, GetClientRect, ClientToScreen, SetWindowPos, GetWindowDC, EndDialog, GetDlgItem, ShowWindow, DialogBoxParamA, GetDesktopWindow, wsprintfA, MsgWaitForMultipleObjects, PeekMessageA, DefWindowProcA, PostMessageA, KillTimer, PostQuitMessage, SetTimer, LoadIconA, LoadCursorA, RegisterClassA, CreateWindowExA, GetMessageA, TranslateMessage, DispatchMessageA, GetDC, ReleaseDC, ExitWindowsEx, SendDlgItemMessageA, IsWindow, CharLowerBuffA, GetWindowRect
> GDI32.dll: GetTextExtentPointA, SetBkMode, SetTextColor, GetObjectA, CreateFontIndirectA, CreateSolidBrush, CreateCompatibleDC, SelectObject, TranslateCharsetInfo, DeleteDC, DeleteObject, GetStockObject, GetSystemPaletteEntries, CreatePalette, GetDeviceCaps, SelectPalette, RealizePalette, CreateDIBitmap, BitBlt
> ADVAPI32.dll: RegQueryValueA, RegOpenKeyA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegDeleteValueA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, FreeSid, EqualSid, AllocateAndInitializeSid, GetTokenInformation, OpenThreadToken, RegDeleteKeyA
> ole32.dll: StringFromCLSID, CoTaskMemFree, CoCreateGuid, CoCreateInstance, GetRunningObjectTable, StgIsStorageFile, StgOpenStorage, CoUninitialize, CoInitialize, CreateItemMoniker
> OLEAUT32.dll: -, -, -, -, -, -, -

( 0 exports )


COMBOFIX:

ComboFix 09-01-07.02 - start 2009-01-09 23:43:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.820 [GMT -5:00]
Running from: c:\documents and settings\start\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\start\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2009-01-09 20:28 . 2009-01-09 20:27 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-09 20:10 . 2009-01-09 23:28 4,194,947 --a------ c:\windows\pfirewall.log.old
2008-12-25 09:38 . 2009-01-05 12:12 <DIR> d-------- c:\program files\DVDFab 5
2008-12-25 09:38 . 2008-12-25 09:39 <DIR> d-------- c:\documents and settings\start\Application Data\Vso
2008-12-25 09:38 . 2008-12-25 09:38 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2008-12-25 09:38 . 2008-12-25 09:38 47,360 --a------ c:\documents and settings\start\Application Data\pcouffin.sys
2008-12-22 21:38 . 2009-01-09 20:09 <DIR> d-------- c:\program files\Duplicate Finder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 04:16 --------- d-----w c:\documents and settings\start\Application Data\Azureus
2009-01-10 01:27 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-10 01:27 --------- d-----w c:\program files\Java
2009-01-10 01:13 --------- d-----w c:\documents and settings\start\Application Data\Webroot
2009-01-07 00:08 --------- d-----w c:\program files\Trend Micro
2009-01-06 03:48 --------- d-----w c:\documents and settings\start\Application Data\ImgBurn
2009-01-06 03:47 --------- d-----w c:\program files\CCleaner
2009-01-06 02:11 64,000 ----a-w c:\windows\system32\cleanmgr.exe
2009-01-05 05:07 98,304 ----a-w c:\windows\system32\verifier.exe
2009-01-05 05:06 9,728 ----a-w c:\windows\system32\label.exe
2009-01-05 05:05 9,216 ----a-w c:\windows\system32\finger.exe
2009-01-05 05:04 44,544 ----a-w c:\windows\system32\alg.exe
2009-01-05 05:04 25,088 ----a-w c:\windows\system32\at.exe
2009-01-05 05:04 14,336 ----a-w c:\windows\system32\auditusr.exe
2009-01-05 05:00 150,528 ----a-w c:\windows\PCHEALTH\UploadLB\Binaries\uploadm.exe
2009-01-05 04:59 99,840 ----a-w c:\windows\PCHEALTH\HELPCTR\Binaries\HelpHost.exe
2009-01-05 04:59 769,024 ----a-w c:\windows\PCHEALTH\HELPCTR\Binaries\helpctr.exe
2009-01-05 04:59 744,448 ----a-w c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2009-01-05 04:59 35,328 ----a-w c:\windows\PCHEALTH\HELPCTR\Binaries\notiflag.exe
2009-01-05 04:59 18,432 ----a-w c:\windows\PCHEALTH\HELPCTR\Binaries\hscupd.exe
2009-01-05 04:59 169,984 ----a-w c:\windows\PCHEALTH\HELPCTR\Binaries\msconfig.exe
2009-01-02 13:05 --------- d-----w c:\documents and settings\start\Application Data\AdobeUM
2009-01-02 13:02 --------- d-----w c:\program files\Common Files\Adobe
2008-12-14 03:16 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-30 18:31 --------- d-----w c:\program files\Framing Station
2008-11-28 04:43 --------- d-----w c:\program files\mIRC
2008-11-27 17:34 --------- d-----w c:\program files\Azureus
2008-11-23 16:20 --------- d-----w c:\documents and settings\start\Application Data\EBookSys
2008-11-14 01:21 --------- d-----w c:\program files\LimeWire
2008-11-10 22:57 --------- d-----w c:\program files\avisplit
2008-11-05 00:20 43,698 ----a-w c:\windows\system32\xvid-uninstall.exe
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2005-09-09 23:55 7,155,864 ----a-w c:\program files\NGhost10.msi
2005-09-09 23:55 4,588,454 ----a-w c:\program files\setup.exe
2005-09-09 23:55 37,766,164 ----a-w c:\program files\Data1.cab
2005-09-09 23:55 35 ----a-w c:\program files\SCSSDist.ini
2001-11-22 13:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((( snapshot@2009-01-08_12.43.13.22 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-12 02:58:47 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-01-10 01:27:54 144,792 ----a-w c:\windows\system32\java.exe
- 2008-11-12 02:58:47 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-10 01:27:54 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-11-12 02:58:47 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-10 01:27:54 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-10-05 03:16:26 235,936 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10a.exe
+ 2009-01-09 12:25:31 88,590 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-01-10 01:28:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_fb0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2009-01-04 106496]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 344064]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"SiS Tray"="c:\windows\system32\sistray.EXE" [2003-08-19 667648]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-04 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.dvsd"= dvc.dll
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 11:39 133104 c:\documents and settings\start\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2009-01-05 00:06 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-04 23:45 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
--a------ 2009-01-05 00:06 241664 c:\windows\system32\Keyhook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2009-01-04 23:34 180224 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ImapiService"=3 (0x3)
"Messenger"=2 (0x2)
"iPodService"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"bgsvcgen"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17020:TCP"= 17020:TCP:BitComet 17020 TCP
"17020:UDP"= 17020:UDP:BitComet 17020 UDP

R0 stwlfbus;stwlfbus;c:\windows\system32\drivers\stwlfbus.sys [2003-04-27 8704]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-05-25 58016]
R3 st3wolf;st3wolf;c:\windows\system32\drivers\st3wolf.sys [2003-04-27 99360]
S1 SiSEsc;SISLIB_ESC;c:\windows\system32\sisesc.sys [2004-03-27 28416]
S3 NaiAvFilter101;NAI Anti Virus;\Device\NaiAvFilter101.sys --> \Device\NaiAvFilter101.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51
*NewlyCreated* - JAVAQUICKSTARTERSERVICE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{858ab262-4807-11da-93a5-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe
\Shell\directx\command - d:\directx\dxsetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1326574676-1417001333-1003.job
- c:\documents and settings\start\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 11:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wightman.ca/~jeffandkim/links.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: *.windowsupdate.microsoft.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 23:46:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-1326574676-1417001333-1003\Software\Zepter Software\RegLib*NULL*2cdbb407\CloneDVD/2]
"1"=dword:4452db67
"2"=dword:4504c5fb

[HKEY_USERS\S-1-5-21-1343024091-1326574676-1417001333-1003\Software\Zepter Software\RegLib*NULL*2cdbb407\CloneDVD2/2]
"1"=dword:4452db67
"2"=dword:4504c5fa

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{63BF9C16-61FD-5246-D28A6F9B6DBA4643}\{A1662382-7299-AE2E-23313B5BBD368ECE}\{683884CE-C1AE-773A-12388A76175B81B9}*NULL*]
"63AUOURV1X6YIYB2ELIFO4LTRC1"=hex:01,00,01,00,00,00,00,00,87,da,ad,38,2b,26,f8,\
c3,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(620)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-01-09 23:48:56
ComboFix-quarantined-files.txt 2009-01-10 04:47:59
ComboFix2.txt 2009-01-10 04:24:19
ComboFix3.txt 2009-01-08 17:45:09

Pre-Run: 4,819,025,920 bytes free
Post-Run: 4,801,683,456 bytes free

203 --- E O F --- 2008-12-18 22:27:06


7-Zip 4.42
Ad-aware 6 Personal
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe MPEG Encoder
Adobe Premiere 6.5
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Adobe Shockwave Player
Advanced RealMedia Export Plug-in for Premiere 6.0
afreeCodecVT 1.1.52
AMP WinOFF
ArcSoft PhotoStudio 5
Arthur's Math Games
aspi
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Auto Gordian Knot 2.45
AutoUpdate
AVI Splitter
AVIcodec (remove only)
AviSynth 2.5
Azureus Vuze
Blue's Kindergarten
C-Media 3D Audio
C-Media WDM Audio Driver
CCHelp
CCleaner (remove only)
CCScore
Corel Applications
Corel Uninstaller
Cosmo Player 2.1.1 (41451)
CR2
DAEMON Tools
Disney Print Studio Deluxe NCR Mailing
Disney Print Studio Deluxe NCR Printer 2nd Ed
Disney Print Studio Deluxe NCR Stickers
Disney Print Studio Deluxe NCR Stickers 2nd Ed
Disney/Pixar Finding Nemo: Learning with Nemo
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Dora Backpack
Dora Dance Rescue
Dora Fairytale Adventure
Dora Lost City
Dr. DivX 2.0 OSS
Drawing for Children
DVD-RAM Driver
DVD Decrypter (Remove Only)
DVD Profiler Version 2.4.0
DVD Shrink 3.2
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.2.2
DVDFab Decrypter 3.0.7.5 Beta
DVDFab HD Decrypter 3.1.0.8
Easy Video Downloader v. 2.0
Emsa FlexInfo Pro 1.0
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSTUTOR
ESSvpaht
ESSvpot
ExamView Pro
Fisher-Price® - Toddler
Framing Station
GetDataBack for FAT and GetDataBack for NTFS
Google Chrome
Google Earth
GSpot Codec Information Appliance
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
ImgBurn
Ipswitch WS_FTP Home
Java™ 6 Update 11
K-Lite Codec Pack 2.76 Full
KC Softwares VideoInspector
Kodak EasyShare software
KSU
Lexmark 1200 Series
LimeWire 4.18.8
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Extension Manager
Macromedia Flash 5
Matroska Pack - Lazy Man's MKV 1.0.1-alpha6
Max Movie Maker 3.0
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 5.0
Microsoft IntelliType Pro 5.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office FrontPage 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Media Video 9 VCM
Microsoft XML Parser and SDK
mIRC
Mozilla (1.6)
Mp3Decode
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML4SP2
Nero 6 Ultra Edition
Notifier
OTtBP
Password Corral v3.4.6
PCDLNCH
PowerDVD
Quick Zip 4.50 Beta 15
QuickTime
Reader Rabbit's Preschool
Reader Rabbit Thinking Adventures Ages 4-6
Reader Rabbit Toddler
RealPlayer
RealProducer Basic 10
Recover My Files
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
Sentinel Protection Installer 7.0.0
SFR
SFR2
Shockwave
SiS 661FX_760_741_M661FX_M760_M741
SiS 900 PCI Fast Ethernet Adapter Driver
SMPlayer Extra Codecs 20071007
SoftK56 Data Fax
SoftV92 Data Fax Modem
Sport Video Player 1.51
TMPGEnc DVD Author 3 with DivX Authoring
TMPGEnc Plus 2.5
Twins Video Player
UFile 2005
UFile 2006
UFile 2007
UFile Updater 2005
UFile Updater 2006
UFile Updater 2007
Unlocker 1.8.3
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VideoLAN VLC media player 0.8.4a
VobSub v2.23 (Remove Only)
WebFldrs XP
WillExpert
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinZip
WordPerfect Office 2002 Professional
XMPEG 5.0
XP Codec Pack
Xvid 1.1.3 final uninstall
XviD MPEG4 Video Codec (remove only)
ZoneAlarm Pro

Saturday, January 10, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, January 10, 2009 04:31:27
Records in database: 1596657


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\

Scan statistics
Files scanned 90820
Threat name 5
Infected objects 98
Suspicious objects 0
Duration of the scan 01:56:10

File name Threat name Threats count
C:\Documents and Settings\start\Desktop\kim\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1

C:\Program Files\pgcedit\bin\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k 1

C:\quarantine\Av-test.txt.Vir Infected: EICAR-Test-File 1

C:\quarantine\Av-test.txt.Vir.0 Infected: EICAR-Test-File 1

C:\quarantine\SYSTMEM.EXE.Vir Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.0 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.1 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.10 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.11 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.12 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.13 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.14 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.15 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.16 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.17 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.18 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.19 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.2 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.20 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.21 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.22 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.23 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.24 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.25 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.26 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.27 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.28 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.29 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.3 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.30 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.31 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.32 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.33 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.34 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.35 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.36 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.37 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.38 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.39 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.4 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.40 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.41 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.42 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.43 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.44 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.45 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.46 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.47 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.48 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.49 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.5 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.50 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.51 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.52 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.53 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.54 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.55 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.56 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.57 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.58 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.59 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.6 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.60 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.61 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.62 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.63 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.64 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.65 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.66 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.67 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.68 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.69 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.7 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.70 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.71 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.72 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.73 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.74 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.75 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.76 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.77 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.78 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.79 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.8 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.80 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.81 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.82 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.83 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.84 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.85 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.86 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.87 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.88 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.89 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.9 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.90 Infected: Backdoor.Win32.SdBot.jki 1

C:\quarantine\SYSTMEM.EXE.Vir.91 Infected: Backdoor.Win32.SdBot.jki 1

The selected area was scanned.
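The MountPoints2 entries in the ComboFix log above (`\Shell\AutoRun\command - D:\autorun.exe`) are Windows' cached reading of the autorun.inf on each volume it has mounted, and an AutoRun worm like the one found here spreads by dropping such a file on every drive it touches. The following is an added example, not code from the thread or from any of the tools used in it: it parses an autorun.inf, lists every command the file can cause Windows to run, and flags the verb-hijack pattern (overriding `shell\open\command` and `shell\explore\command`) that makes a worm start even when the drive is opened by hand. The autorun.inf in the block is constructed for illustration; the file name SYSTMEM.EXE is taken from the scan results, the rest is invented.

```python
"""Parse an autorun.inf and list the commands Windows would run for the volume.

Added example, not code from the thread or from any tool used in it. The
sample autorun.inf below is constructed; legitimate install media usually
carries only 'open=' and 'icon=', whereas a worm also overrides the Explorer
verbs so that double-clicking the drive runs it even with AutoRun turned off.
"""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
# Verbs a user triggers by double-clicking or right-clicking the drive icon.
SHELL_VERBS = ("open", "explore", "find")

# Constructed sample (only SYSTMEM.EXE comes from the thread's scan results).
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=System\SYSTMEM.EXE
shellexecute=System\SYSTMEM.EXE
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open=Open
shell\open\command=System\SYSTMEM.EXE
shell\explore=Explore
shell\explore\command=System\SYSTMEM.EXE
"""


def parse_autorun_inf(text):
    """Return the [autorun] section as {lower-case key: value}."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = SECTION_RE.match(line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """Every command the file can cause to run, keyed by how it is triggered.

    'open' and 'shellexecute' run on insertion (AutoRun/AutoPlay); a
    'shell\\<verb>\\command' entry replaces what Explorer does for that verb.
    """
    commands = {}
    for key in ("open", "shellexecute"):
        if key in entries:
            commands[key] = entries[key]
    for key, value in entries.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            commands["shell\\" + verb] = value
    return commands


def hijacked_verbs(entries):
    """Explorer verbs whose command has been overridden by the file."""
    commands = launch_commands(entries)
    return [v for v in SHELL_VERBS if "shell\\" + v in commands]


def assess(text):
    """Summarise one autorun.inf: what runs, and whether Explorer verbs are hijacked."""
    entries = parse_autorun_inf(text)
    commands = launch_commands(entries)
    verbs = hijacked_verbs(entries)
    # Relative paths are resolved from the root of the volume the file is on,
    # so every target below is a file the drive itself carries.
    targets = sorted(set(commands.values()))
    return {
        "commands": commands,
        "hijacked_verbs": verbs,
        "targets": targets,
        "verdict": "verb hijack, treat as worm" if verbs else "no verb override",
    }


if __name__ == "__main__":
    for name, value in assess(SAMPLE_AUTORUN_INF).items():
        print(name, value)
```

Run it against the root of a suspect stick (`assess(open("E:\\autorun.inf").read())`) before the drive is double-clicked; the `targets` list is what to hash and submit, and a non-empty `hijacked_verbs` is the signal that the drive should be opened only by typing the path into Explorer's address bar.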

#10 mas_pogi
Posted 10 January 2009 - 09:49 AM

hi.


- I often use msconfig to run only the programs that I need at startup. I never use Messenger or iPod services; the rest I am unfamiliar with.

That would not hurt, though. Let's just keep it.

I've tried to scan Data1.cab at both sites but the file is much too large; it won't upload.

That's ok.

Well, I want to bring to your attention some software like

Mozilla (1.6)

Version now is 3.05. You can update it to fix the security holes.


Also, you have some remnants of Symantec AV, particularly LiveUpdate 2.6 (Symantec Corporation).
Since you already have McAfee VirusScan Enterprise, we will remove it.

Please visit this site here. And follow step #3 only.

Continue here;
  • Browse to C:\quarantine.
    Please empty the folder by deleting the contents of the Quarantine folder.

  • Run ESET Online Scan

    Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.
    • Check (tick) this box: YES, I accept the Terms of Use.
    • Click on the Start button next to it.
    • When prompted to run ActiveX, click Yes.
    • You will be asked to install an ActiveX. Click Install.
    • Once installed, the scanner will be initialized.
    • After the scanner is initialized, click Start.
    • Uncheck (untick) Remove found threats box.
    • Check (tick) Scan unwanted applications.
    • Click on Scan.
    • It will start scanning. Please be patient.
    • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.
  • How's your computer?

In your reply, please post the Kaspersky result and the answer to my question.


Mark

#11 knish

knish
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:02:16 AM

Posted 10 January 2009 - 10:01 PM

The computer is running great but the scan still found problems:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3756 (20090110)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=0d45665249e2d043a563ab652e989bb7
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-01-11 02:56:32
# local_time=2009-01-10 09:56:32 (-0500, Eastern Standard Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 3
# scanned=261331
# found=93
# scan_time=6166
C:\quarantine\SYSTMEM.EXE.Vir Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.0 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.1 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.10 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.11 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.12 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.13 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.14 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.15 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.16 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.17 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.18 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.19 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.2 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.20 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.21 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.22 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.23 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.24 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.25 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.26 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.27 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.28 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.29 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.3 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.30 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.31 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.32 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.33 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.34 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.35 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.36 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.37 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.38 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.39 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.4 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.40 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.41 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.42 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.43 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.44 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.45 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.46 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.47 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.48 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.49 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.5 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.50 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.51 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.52 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.53 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.54 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.55 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.56 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.57 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.58 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.59 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.6 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.60 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.61 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.62 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.63 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.64 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.65 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.66 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.67 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.68 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.69 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.7 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.70 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.71 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.72 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.73 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.74 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.75 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.76 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.77 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.78 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.79 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.8 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.80 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.81 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.82 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.83 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.84 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.85 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.86 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.87 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.88 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.89 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.9 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.90 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.91 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
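Both scanner listings in this thread look alarming at a glance and say much less on inspection: the ESET log above has 93 hits, every one of them the same MD5 (F9257217A7543EFE6FF13957599A6564) in C:\quarantine, and the Kaspersky listing in the earlier post has the same shape (92 quarantine copies of one SdBot detection plus three "not-a-virus" tools). The following is an added example, not code from the thread or from ESET or Kaspersky: it parses the ESET Online Scanner text format (`# key=value` header lines, then one `path threat MD5` line per detection), groups detections by hash, and separates copies inside a quarantine folder from copies anywhere else, which are the ones still needing attention. The Kaspersky format carries no hash, so only the ESET format is parsed. The log in the block is constructed from a few lines in that format; its last detection line is invented to show how a copy outside the quarantine folder would be reported, and the quarantine folder list is an assumption to adjust per machine.

```python
"""Group online-scanner detections by hash and by location.

Added example, not code from the thread or from ESET or Kaspersky. Reads the
ESET Online Scanner text format: '# key=value' header lines followed by one
'path  threat  MD5' line per detection. The sample log is constructed; its
last detection line is invented to show a copy outside quarantine.
"""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")
# Path (may contain spaces), then the threat name (ESET names contain a '/',
# e.g. Win32/AutoRun.Agent.FM, optionally prefixed 'a variant of' or
# 'probably a variant of'), then a 32-hex MD5 at the end of the line.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<threat>(?:probably\s+)?(?:a\s+variant\s+of\s+)?\S+/\S+.*?)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Assumed quarantine locations; C:\quarantine is the folder named in the thread.
QUARANTINE_DIRS = (r"C:\quarantine",)

# Constructed sample in the ESET Online Scanner format (last line invented).
SAMPLE_ESET_LOG = r"""
# version=4
# remove_checked=false
# unwanted_checked=true
# scanned=261331
# found=4
C:\quarantine\SYSTMEM.EXE.Vir Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.0 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\quarantine\SYSTMEM.EXE.Vir.91 Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
C:\Documents and Settings\start\Local Settings\Temp\SYSTMEM.EXE Win32/AutoRun.Agent.FM worm F9257217A7543EFE6FF13957599A6564
"""


def parse_eset_log(text):
    """Split the log into its header dict and a list of detection dicts."""
    header, detections = {}, []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            header[h.group(1)] = h.group(2).strip()
            continue
        d = DETECTION_RE.match(line)
        if d:
            detections.append(d.groupdict())
    return header, detections


def in_quarantine(path, quarantine_dirs=QUARANTINE_DIRS):
    """True when the path lies under one of the quarantine folders."""
    p = path.lower()
    return any(p.startswith(q.lower().rstrip("\\") + "\\") for q in quarantine_dirs)


def triage(detections, quarantine_dirs=QUARANTINE_DIRS):
    """Collapse detections to one record per MD5, split by location."""
    by_hash = defaultdict(lambda: {"threat": None, "quarantined": [], "live": []})
    for d in detections:
        rec = by_hash[d["md5"].upper()]
        rec["threat"] = d["threat"]
        bucket = "quarantined" if in_quarantine(d["path"], quarantine_dirs) else "live"
        rec[bucket].append(d["path"])
    return dict(by_hash)


def summarize(text, quarantine_dirs=QUARANTINE_DIRS):
    """What a helper needs: do the counts agree, how many distinct samples,
    which paths are outside quarantine, and whether the scan was allowed to remove."""
    header, detections = parse_eset_log(text)
    groups = triage(detections, quarantine_dirs)
    return {
        "reported_found": int(header.get("found", "0")),
        "parsed": len(detections),
        "unique_samples": len(groups),
        "live_paths": sorted(p for g in groups.values() for p in g["live"]),
        "removal_enabled": header.get("remove_checked") == "true",
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_ESET_LOG).items():
        print(name, value)
```

A mismatch between `reported_found` and `parsed` means the regex missed a line format and the log should be read by hand; `unique_samples` of 1 with an empty `live_paths` is the situation in this thread, where the only remaining work was to empty the quarantine folder.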

#12 mas_pogi
Posted 10 January 2009 - 10:55 PM

hi.

Ok. I have a question.

Did you empty first the C:\quarantine folder before you did the ESET online scan?
Or the other way around?


Let me know in your next reply.

Mark

#13 knish

knish
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:02:16 AM

Posted 10 January 2009 - 11:09 PM

I emptied it before, which sent it to the Recycle Bin, and the virus scanner picked up the virus. Then I emptied the Recycle Bin and deleted the files from quarantine via the command prompt, then I ran the ESET scan. When I open the quarantine folder it says it's empty.

#14 mas_pogi
Posted 11 January 2009 - 05:21 AM

hi.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.




Lets continue,
  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Please click this link-->Virustotal

    When the VirusTotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

    C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe


    Please post back the results of the scan in your next post.

    If VirusTotal is busy, try the same at Jotti: http://virusscan.jotti.org/

  • Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
    When using this tool, you must use the Administrator's account or an account with "Administrative rights"
    • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
    • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
    • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
    • Please copy and paste the contents of Report.txt in your next reply.
    • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
    -- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

  • Please run a BitDefender Online Scan
    • Click I Agree to agree to the EULA.
    • Allow the ActiveX control to install when prompted.
    • Click Click here to scan to begin the scan.
    • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
    • When the scan is finished, click on Click here to export the scan results.
    • Save the report to your desktop so you can post it in your next reply.

In your reply, please post the result of

SDfix's report.txt
Bitdefender result


#15 knish

knish
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:02:16 AM

Posted 11 January 2009 - 06:25 PM

I always use ccleaner to erase history after banking and I haven't been back online since the first virus showed up. I'm thinking I should be ok????

Here are the scan results....


SDFix: Version 1.240
Run by start on 11/01/2009 at 11:53 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Program Files\Setup.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 13:44:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Disabled:Azureus"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\start\\Local Settings\\temp\\WZSE0.TMP\\SymNRT.exe"="C:\\Documents and Settings\\start\\Local Settings\\temp\\WZSE0.TMP\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 27 Mar 2004 864 A.SH. --- "C:\tjfja6hw.sys"
Fri 7 Nov 1997 5,920,768 ...H. --- "C:\Corel\Graphics8\Programs\CNSFlt80.dll"
Thu 6 Nov 1997 413,184 ...H. --- "C:\Corel\Graphics8\Programs\convintl.dll"
Wed 5 Nov 1997 77,312 ...H. --- "C:\Corel\Graphics8\Programs\Mos1680.dll"
Wed 5 Nov 1997 4,608 ...H. --- "C:\Corel\Graphics8\Programs\Mos3280.dll"
Sun 20 Jun 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 3 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 7 Nov 2005 37,888 ...H. --- "C:\Documents and Settings\start\Application Data\Microsoft\Word\~WRL0005.tmp"
Mon 7 Nov 2005 29,184 ...H. --- "C:\Documents and Settings\start\Application Data\Microsoft\Word\~WRL2873.tmp"
Thu 26 Oct 2000 25 A..H. --- "C:\Documents and Settings\start\My Documents\kims files\GQWIN\WGRADE4.DLL"
Sun 20 Jun 2004 4,348 ...H. --- "C:\Documents and Settings\start\My Documents\My Music\License Backup\drmv1key.bak"
Mon 13 Dec 2004 20 A..H. --- "C:\Documents and Settings\start\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 20 Jun 2004 400 A.SH. --- "C:\Documents and Settings\start\My Documents\My Music\License Backup\drmv2key.bak"
Thu 2 Feb 2006 27,136 A..H. --- "C:\Documents and Settings\start\Desktop\laptop\sept\STRATFORD\H Planning\500 Ontario Street (2004)\~WRL0012.tmp"
Fri 17 Nov 2006 2,438,144 A..H. --- "C:\Documents and Settings\start\Desktop\laptop\sept\STRATFORD\H Planning\Affordable Housing\~WRL2100.tmp"
Thu 11 Jan 2007 74,240 A..H. --- "C:\Documents and Settings\start\Desktop\laptop\sept\STRATFORD\H Planning\Site Plan\Site Plan Agreements\~WRL1554.tmp"
Thu 11 Jan 2007 72,192 A..H. --- "C:\Documents and Settings\start\Desktop\laptop\sept\STRATFORD\H Planning\Site Plan\Site Plan Agreements\~WRL2907.tmp"

Finished!


BitDefender Online Scanner



Scan report generated at: Sun, Jan 11, 2009 - 15:41:53





Scan path: A:\;C:\;D:\;E:\;







Statistics

Time
01:37:30

Files
252114

Folders
5875

Boot Sectors
0

Archives
6192

Packed Files
20539




Results

Identified Viruses
2

Infected Files
94

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
3




Engines Info

Virus Definitions
2435596

Engine build
AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)

Scan plugins
17

Archive plugins
45

Unpack plugins
7

E-mail plugins
6

System plugins
4




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\Documents and Settings\start\Desktop\kim\ca_setup.exe=>wise0026
Infected with: Trojan.Crypt.Ulpm.DI

C:\Documents and Settings\start\Desktop\kim\ca_setup.exe=>wise0026
Deleted

C:\Documents and Settings\start\Desktop\kim\ca_setup.exe
Update failed

C:\quarantine\SYSTMEM.EXE.Vir
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir
Deleted

C:\quarantine\SYSTMEM.EXE.Vir.0
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.0
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.0
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.1
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.1
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.1
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.10
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.10
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.10
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.11
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.11
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.11
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.12
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.12
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.12
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.13
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.13
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.13
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.14
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.14
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.14
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.15
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.15
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.15
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.16
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.16
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.16
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.17
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.17
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.17
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.18
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.18
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.18
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.19
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.19
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.19
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.2
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.2
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.2
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.20
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.20
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.20
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.21
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.21
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.21
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.22
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.22
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.22
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.23
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.23
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.23
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.24
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.24
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.24
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.25
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.25
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.25
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.26
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.26
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.26
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.27
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.27
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.27
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.28
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.28
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.28
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.29
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.29
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.29
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.3
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.3
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.3
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.30
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.30
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.30
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.31
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.31
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.31
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.32
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.32
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.32
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.33
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.33
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.33
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.34
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.34
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.34
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.35
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.35
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.35
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.36
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.36
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.36
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.37
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.37
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.37
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.38
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.38
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.38
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.39
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.39
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.39
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.4
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.4
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.4
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.40
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.40
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.40
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.41
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.41
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.41
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.42
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.42
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.42
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.43
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.43
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.43
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.44
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.44
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.44
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.45
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.45
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.45
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.46
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.46
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.46
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.47
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.47
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.47
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.48
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.48
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.48
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.49
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.49
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.49
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.5
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.5
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.5
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.50
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.50
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.50
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.51
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.51
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.51
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.52
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.52
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.52
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.53
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.53
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.53
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.54
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.54
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.54
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.55
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.55
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.55
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.56
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.56
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.56
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.57
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.57
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.57
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.58
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.58
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.58
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.59
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.59
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.59
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.6
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.6
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.6
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.60
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.60
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.60
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.61
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.61
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.61
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.62
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.62
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.62
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.63
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.63
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.63
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.64
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.64
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.64
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.65
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.65
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.65
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.66
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.66
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.66
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.67
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.67
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.67
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.68
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.68
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.68
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.69
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.69
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.69
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.7
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.7
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.7
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.70
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.70
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.70
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.71
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.71
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.71
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.72
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.72
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.72
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.73
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.73
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.73
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.74
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.74
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.74
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.75
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.75
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.75
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.76
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.76
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.76
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.77
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.77
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.77
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.78
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.78
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.78
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.79
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.79
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.79
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.8
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.8
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.8
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.80
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.80
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.80
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.81
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.81
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.81
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.82
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.82
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.82
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.83
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.83
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.83
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.84
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.84
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.84
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.85
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.85
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.85
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.86
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.86
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.86
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.87
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.87
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.87
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.88
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.88
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.88
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.89
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.89
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.89
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.9
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.9
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.9
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.90
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.90
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.90
Delete failed

C:\quarantine\SYSTMEM.EXE.Vir.91
Infected with: Backdoor.Bot.71413

C:\quarantine\SYSTMEM.EXE.Vir.91
Disinfection failed

C:\quarantine\SYSTMEM.EXE.Vir.91
Deleted



