Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

... is not a win32 application [RESOLVED]


  • This topic is locked This topic is locked

#1
tbono

tbono

    Member

  • Member
  • PipPip
  • 32 posts
Hello,

I seem to have contracted something. It disabled my Norton 360. When I tried to run it, I got a message saying it is not a valid win32 application. I uninstalled and tried to reinstall it but it failed.
I then tried to instal Antivir personal edition and it seemed to install but when i click on the icon, i get a message that says it is not a valid win32 application.
I then tried to run Hijack this to generate a log - same error message.
The only thing i have been able to do is run a Kaspersky online scan. I have attached the log rather than past it in as it is rather lengthy.

Any help would be most appreciated.

Tom

Attached Files


  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello tbono

Welcome to G2Go. :)
====================
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
  • 0

#3
tbono

tbono

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
kahdah,

Thanks for the quick response.
I ran comb fix and post the log here.

Couple updates, still can't run an anti-virus or hijack this - not a valid win32 application.
Downloaded and ran Super anti spyware and it crashes the machine as it scans the registry.
Can't boot in to safe mode. Get the screens and all and when I select safe mode, it just reboots, but not in to safe mode.

Anyway, here is the combo fix log:

ComboFix 08-02-20.2 - Big 2008-02-19 22:06:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2113 [GMT -5:00]
Running from: C:\Documents and Settings\Big\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\101975343.exe
C:\WINDOWS\system32\drivers\down\101978828.exe
C:\WINDOWS\system32\drivers\down\101980046.exe
C:\WINDOWS\system32\drivers\down\101982000.exe
C:\WINDOWS\system32\drivers\down\101999062.exe
C:\WINDOWS\system32\drivers\down\101999265.exe
C:\WINDOWS\system32\drivers\down\102002093.exe
C:\WINDOWS\system32\drivers\down\102003312.exe
C:\WINDOWS\system32\drivers\down\102004625.exe
C:\WINDOWS\system32\drivers\down\102006531.exe
C:\WINDOWS\system32\drivers\down\102010453.exe
C:\WINDOWS\system32\drivers\down\102015593.exe
C:\WINDOWS\system32\drivers\down\102016218.exe
C:\WINDOWS\system32\drivers\down\102016687.exe
C:\WINDOWS\system32\drivers\down\102017265.exe
C:\WINDOWS\system32\drivers\down\102019265.exe
C:\WINDOWS\system32\drivers\down\102020546.exe
C:\WINDOWS\system32\drivers\down\102046828.exe
C:\WINDOWS\system32\drivers\down\102048500.exe
C:\WINDOWS\system32\drivers\down\110859.exe
C:\WINDOWS\system32\drivers\down\111093.exe
C:\WINDOWS\system32\drivers\down\111750.exe
C:\WINDOWS\system32\drivers\down\113453.exe
C:\WINDOWS\system32\drivers\down\113765.exe
C:\WINDOWS\system32\drivers\down\115343.exe
C:\WINDOWS\system32\drivers\down\116459484.exe
C:\WINDOWS\system32\drivers\down\116462546.exe
C:\WINDOWS\system32\drivers\down\116464156.exe
C:\WINDOWS\system32\drivers\down\116465921.exe
C:\WINDOWS\system32\drivers\down\116500890.exe
C:\WINDOWS\system32\drivers\down\116500906.exe
C:\WINDOWS\system32\drivers\down\116505078.exe
C:\WINDOWS\system32\drivers\down\116506015.exe
C:\WINDOWS\system32\drivers\down\116507640.exe
C:\WINDOWS\system32\drivers\down\116510390.exe
C:\WINDOWS\system32\drivers\down\116515781.exe
C:\WINDOWS\system32\drivers\down\116517578.exe
C:\WINDOWS\system32\drivers\down\116518109.exe
C:\WINDOWS\system32\drivers\down\116518359.exe
C:\WINDOWS\system32\drivers\down\116518625.exe
C:\WINDOWS\system32\drivers\down\116520890.exe
C:\WINDOWS\system32\drivers\down\116521796.exe
C:\WINDOWS\system32\drivers\down\116531.exe
C:\WINDOWS\system32\drivers\down\116548140.exe
C:\WINDOWS\system32\drivers\down\116549906.exe
C:\WINDOWS\system32\drivers\down\116593.exe
C:\WINDOWS\system32\drivers\down\117734.exe
C:\WINDOWS\system32\drivers\down\118156.exe
C:\WINDOWS\system32\drivers\down\118750.exe
C:\WINDOWS\system32\drivers\down\119625.exe
C:\WINDOWS\system32\drivers\down\119656.exe
C:\WINDOWS\system32\drivers\down\121093.exe
C:\WINDOWS\system32\drivers\down\122828.exe
C:\WINDOWS\system32\drivers\down\123093.exe
C:\WINDOWS\system32\drivers\down\124640.exe
C:\WINDOWS\system32\drivers\down\124921.exe
C:\WINDOWS\system32\drivers\down\125156.exe
C:\WINDOWS\system32\drivers\down\125656.exe
C:\WINDOWS\system32\drivers\down\126906.exe
C:\WINDOWS\system32\drivers\down\127500.exe
C:\WINDOWS\system32\drivers\down\127718.exe
C:\WINDOWS\system32\drivers\down\127796.exe
C:\WINDOWS\system32\drivers\down\128546.exe
C:\WINDOWS\system32\drivers\down\129703.exe
C:\WINDOWS\system32\drivers\down\130960062.exe
C:\WINDOWS\system32\drivers\down\130961406.exe
C:\WINDOWS\system32\drivers\down\130962953.exe
C:\WINDOWS\system32\drivers\down\130964750.exe
C:\WINDOWS\system32\drivers\down\130997859.exe
C:\WINDOWS\system32\drivers\down\131000453.exe
C:\WINDOWS\system32\drivers\down\131001390.exe
C:\WINDOWS\system32\drivers\down\131003625.exe
C:\WINDOWS\system32\drivers\down\131007531.exe
C:\WINDOWS\system32\drivers\down\131011812.exe
C:\WINDOWS\system32\drivers\down\131013328.exe
C:\WINDOWS\system32\drivers\down\131013671.exe
C:\WINDOWS\system32\drivers\down\131013937.exe
C:\WINDOWS\system32\drivers\down\131017468.exe
C:\WINDOWS\system32\drivers\down\131018890.exe
C:\WINDOWS\system32\drivers\down\131019812.exe
C:\WINDOWS\system32\drivers\down\131076953.exe
C:\WINDOWS\system32\drivers\down\131984.exe
C:\WINDOWS\system32\drivers\down\133812.exe
C:\WINDOWS\system32\drivers\down\135390.exe
C:\WINDOWS\system32\drivers\down\135656.exe
C:\WINDOWS\system32\drivers\down\135906.exe
C:\WINDOWS\system32\drivers\down\138875.exe
C:\WINDOWS\system32\drivers\down\140484.exe
C:\WINDOWS\system32\drivers\down\140984.exe
C:\WINDOWS\system32\drivers\down\142343.exe
C:\WINDOWS\system32\drivers\down\142484.exe
C:\WINDOWS\system32\drivers\down\143203.exe
C:\WINDOWS\system32\drivers\down\143921.exe
C:\WINDOWS\system32\drivers\down\144031.exe
C:\WINDOWS\system32\drivers\down\144750.exe
C:\WINDOWS\system32\drivers\down\145491906.exe
C:\WINDOWS\system32\drivers\down\145496031.exe
C:\WINDOWS\system32\drivers\down\145498296.exe
C:\WINDOWS\system32\drivers\down\145505187.exe
C:\WINDOWS\system32\drivers\down\145531453.exe
C:\WINDOWS\system32\drivers\down\145532187.exe
C:\WINDOWS\system32\drivers\down\145545421.exe
C:\WINDOWS\system32\drivers\down\145549640.exe
C:\WINDOWS\system32\drivers\down\145553343.exe
C:\WINDOWS\system32\drivers\down\145556828.exe
C:\WINDOWS\system32\drivers\down\145565156.exe
C:\WINDOWS\system32\drivers\down\145572281.exe
C:\WINDOWS\system32\drivers\down\145573265.exe
C:\WINDOWS\system32\drivers\down\145586671.exe
C:\WINDOWS\system32\drivers\down\145591703.exe
C:\WINDOWS\system32\drivers\down\145594484.exe
C:\WINDOWS\system32\drivers\down\145597031.exe
C:\WINDOWS\system32\drivers\down\145625031.exe
C:\WINDOWS\system32\drivers\down\145641593.exe
C:\WINDOWS\system32\drivers\down\145687.exe
C:\WINDOWS\system32\drivers\down\14579125.exe
C:\WINDOWS\system32\drivers\down\14607421.exe
C:\WINDOWS\system32\drivers\down\14631734.exe
C:\WINDOWS\system32\drivers\down\14632328.exe
C:\WINDOWS\system32\drivers\down\146390.exe
C:\WINDOWS\system32\drivers\down\14640843.exe
C:\WINDOWS\system32\drivers\down\14644671.exe
C:\WINDOWS\system32\drivers\down\14648328.exe
C:\WINDOWS\system32\drivers\down\14652203.exe
C:\WINDOWS\system32\drivers\down\14660531.exe
C:\WINDOWS\system32\drivers\down\14665375.exe
C:\WINDOWS\system32\drivers\down\14666546.exe
C:\WINDOWS\system32\drivers\down\14668265.exe
C:\WINDOWS\system32\drivers\down\14672984.exe
C:\WINDOWS\system32\drivers\down\14677671.exe
C:\WINDOWS\system32\drivers\down\14680515.exe
C:\WINDOWS\system32\drivers\down\147078.exe
C:\WINDOWS\system32\drivers\down\14710406.exe
C:\WINDOWS\system32\drivers\down\14715203.exe
C:\WINDOWS\system32\drivers\down\147500.exe
C:\WINDOWS\system32\drivers\down\148250.exe
C:\WINDOWS\system32\drivers\down\148781.exe
C:\WINDOWS\system32\drivers\down\149843.exe
C:\WINDOWS\system32\drivers\down\150078.exe
C:\WINDOWS\system32\drivers\down\151828.exe
C:\WINDOWS\system32\drivers\down\152031.exe
C:\WINDOWS\system32\drivers\down\152593.exe
C:\WINDOWS\system32\drivers\down\153328.exe
C:\WINDOWS\system32\drivers\down\153687.exe
C:\WINDOWS\system32\drivers\down\154078.exe
C:\WINDOWS\system32\drivers\down\156578.exe
C:\WINDOWS\system32\drivers\down\157281.exe
C:\WINDOWS\system32\drivers\down\158218.exe
C:\WINDOWS\system32\drivers\down\158406.exe
C:\WINDOWS\system32\drivers\down\160065562.exe
C:\WINDOWS\system32\drivers\down\160070921.exe
C:\WINDOWS\system32\drivers\down\160072765.exe
C:\WINDOWS\system32\drivers\down\160073671.exe
C:\WINDOWS\system32\drivers\down\160125875.exe
C:\WINDOWS\system32\drivers\down\160125906.exe
C:\WINDOWS\system32\drivers\down\160134687.exe
C:\WINDOWS\system32\drivers\down\160138062.exe
C:\WINDOWS\system32\drivers\down\160144453.exe
C:\WINDOWS\system32\drivers\down\160147828.exe
C:\WINDOWS\system32\drivers\down\160156421.exe
C:\WINDOWS\system32\drivers\down\160160343.exe
C:\WINDOWS\system32\drivers\down\160161500.exe
C:\WINDOWS\system32\drivers\down\160165390.exe
C:\WINDOWS\system32\drivers\down\160166875.exe
C:\WINDOWS\system32\drivers\down\160172156.exe
C:\WINDOWS\system32\drivers\down\160174437.exe
C:\WINDOWS\system32\drivers\down\160205468.exe
C:\WINDOWS\system32\drivers\down\160230859.exe
C:\WINDOWS\system32\drivers\down\173875.exe
C:\WINDOWS\system32\drivers\down\174649328.exe
C:\WINDOWS\system32\drivers\down\174653953.exe
C:\WINDOWS\system32\drivers\down\174655750.exe
C:\WINDOWS\system32\drivers\down\174656656.exe
C:\WINDOWS\system32\drivers\down\174657687.exe
C:\WINDOWS\system32\drivers\down\174668750.exe
C:\WINDOWS\system32\drivers\down\174669015.exe
C:\WINDOWS\system32\drivers\down\174673296.exe
C:\WINDOWS\system32\drivers\down\174674625.exe
C:\WINDOWS\system32\drivers\down\174676171.exe
C:\WINDOWS\system32\drivers\down\174677828.exe
C:\WINDOWS\system32\drivers\down\174681828.exe
C:\WINDOWS\system32\drivers\down\174684015.exe
C:\WINDOWS\system32\drivers\down\174684750.exe
C:\WINDOWS\system32\drivers\down\174685406.exe
C:\WINDOWS\system32\drivers\down\174687296.exe
C:\WINDOWS\system32\drivers\down\174689187.exe
C:\WINDOWS\system32\drivers\down\174690593.exe
C:\WINDOWS\system32\drivers\down\174716953.exe
C:\WINDOWS\system32\drivers\down\174718875.exe
C:\WINDOWS\system32\drivers\down\176000.exe
C:\WINDOWS\system32\drivers\down\184546.exe
C:\WINDOWS\system32\drivers\down\186656.exe
C:\WINDOWS\system32\drivers\down\190796.exe
C:\WINDOWS\system32\drivers\down\29136109.exe
C:\WINDOWS\system32\drivers\down\29138390.exe
C:\WINDOWS\system32\drivers\down\29142093.exe
C:\WINDOWS\system32\drivers\down\29159515.exe
C:\WINDOWS\system32\drivers\down\29159546.exe
C:\WINDOWS\system32\drivers\down\29164578.exe
C:\WINDOWS\system32\drivers\down\29166062.exe
C:\WINDOWS\system32\drivers\down\29168781.exe
C:\WINDOWS\system32\drivers\down\29170718.exe
C:\WINDOWS\system32\drivers\down\29176343.exe
C:\WINDOWS\system32\drivers\down\29178687.exe
C:\WINDOWS\system32\drivers\down\29179015.exe
C:\WINDOWS\system32\drivers\down\29179921.exe
C:\WINDOWS\system32\drivers\down\29180765.exe
C:\WINDOWS\system32\drivers\down\29183000.exe
C:\WINDOWS\system32\drivers\down\29184250.exe
C:\WINDOWS\system32\drivers\down\29212203.exe
C:\WINDOWS\system32\drivers\down\29219531.exe
C:\WINDOWS\system32\drivers\down\334968.exe
C:\WINDOWS\system32\drivers\down\337156.exe
C:\WINDOWS\system32\drivers\down\338140.exe
C:\WINDOWS\system32\drivers\down\339515.exe
C:\WINDOWS\system32\drivers\down\372359.exe
C:\WINDOWS\system32\drivers\down\372640.exe
C:\WINDOWS\system32\drivers\down\375609.exe
C:\WINDOWS\system32\drivers\down\377781.exe
C:\WINDOWS\system32\drivers\down\379437.exe
C:\WINDOWS\system32\drivers\down\381484.exe
C:\WINDOWS\system32\drivers\down\387031.exe
C:\WINDOWS\system32\drivers\down\389093.exe
C:\WINDOWS\system32\drivers\down\389593.exe
C:\WINDOWS\system32\drivers\down\390296.exe
C:\WINDOWS\system32\drivers\down\390828.exe
C:\WINDOWS\system32\drivers\down\392765.exe
C:\WINDOWS\system32\drivers\down\421312.exe
C:\WINDOWS\system32\drivers\down\43635859.exe
C:\WINDOWS\system32\drivers\down\43641546.exe
C:\WINDOWS\system32\drivers\down\43644093.exe
C:\WINDOWS\system32\drivers\down\43652781.exe
C:\WINDOWS\system32\drivers\down\43731109.exe
C:\WINDOWS\system32\drivers\down\43731625.exe
C:\WINDOWS\system32\drivers\down\43742296.exe
C:\WINDOWS\system32\drivers\down\43745468.exe
C:\WINDOWS\system32\drivers\down\43749500.exe
C:\WINDOWS\system32\drivers\down\43754078.exe
C:\WINDOWS\system32\drivers\down\43762468.exe
C:\WINDOWS\system32\drivers\down\43767937.exe
C:\WINDOWS\system32\drivers\down\43768984.exe
C:\WINDOWS\system32\drivers\down\43770125.exe
C:\WINDOWS\system32\drivers\down\43771906.exe
C:\WINDOWS\system32\drivers\down\43778046.exe
C:\WINDOWS\system32\drivers\down\43780015.exe
C:\WINDOWS\system32\drivers\down\43810109.exe
C:\WINDOWS\system32\drivers\down\43814515.exe
C:\WINDOWS\system32\drivers\down\447843.exe
C:\WINDOWS\system32\drivers\down\454421.exe
C:\WINDOWS\system32\drivers\down\58245890.exe
C:\WINDOWS\system32\drivers\down\58254609.exe
C:\WINDOWS\system32\drivers\down\58269015.exe
C:\WINDOWS\system32\drivers\down\58288390.exe
C:\WINDOWS\system32\drivers\down\58289171.exe
C:\WINDOWS\system32\drivers\down\58297640.exe
C:\WINDOWS\system32\drivers\down\58301265.exe
C:\WINDOWS\system32\drivers\down\58307406.exe
C:\WINDOWS\system32\drivers\down\58310937.exe
C:\WINDOWS\system32\drivers\down\58321671.exe
C:\WINDOWS\system32\drivers\down\58348500.exe
C:\WINDOWS\system32\drivers\down\58349531.exe
C:\WINDOWS\system32\drivers\down\58351187.exe
C:\WINDOWS\system32\drivers\down\58358359.exe
C:\WINDOWS\system32\drivers\down\58363000.exe
C:\WINDOWS\system32\drivers\down\58419515.exe
C:\WINDOWS\system32\drivers\down\67359.exe
C:\WINDOWS\system32\drivers\down\72854062.exe
C:\WINDOWS\system32\drivers\down\72859765.exe
C:\WINDOWS\system32\drivers\down\72885859.exe
C:\WINDOWS\system32\drivers\down\72886265.exe
C:\WINDOWS\system32\drivers\down\72896500.exe
C:\WINDOWS\system32\drivers\down\72900562.exe
C:\WINDOWS\system32\drivers\down\72904640.exe
C:\WINDOWS\system32\drivers\down\72908484.exe
C:\WINDOWS\system32\drivers\down\72919984.exe
C:\WINDOWS\system32\drivers\down\72924906.exe
C:\WINDOWS\system32\drivers\down\72927750.exe
C:\WINDOWS\system32\drivers\down\72930187.exe
C:\WINDOWS\system32\drivers\down\72931593.exe
C:\WINDOWS\system32\drivers\down\72937921.exe
C:\WINDOWS\system32\drivers\down\72950109.exe
C:\WINDOWS\system32\drivers\down\72989578.exe
C:\WINDOWS\system32\drivers\down\73023640.exe
C:\WINDOWS\system32\drivers\down\76968.exe
C:\WINDOWS\system32\drivers\down\77421.exe
C:\WINDOWS\system32\drivers\down\86859.exe
C:\WINDOWS\system32\drivers\down\87447125.exe
C:\WINDOWS\system32\drivers\down\87450687.exe
C:\WINDOWS\system32\drivers\down\87454796.exe
C:\WINDOWS\system32\drivers\down\87475625.exe
C:\WINDOWS\system32\drivers\down\87476078.exe
C:\WINDOWS\system32\drivers\down\87484515.exe
C:\WINDOWS\system32\drivers\down\87487875.exe
C:\WINDOWS\system32\drivers\down\87491312.exe
C:\WINDOWS\system32\drivers\down\87495890.exe
C:\WINDOWS\system32\drivers\down\87505437.exe
C:\WINDOWS\system32\drivers\down\87510062.exe
C:\WINDOWS\system32\drivers\down\87510703.exe
C:\WINDOWS\system32\drivers\down\87511906.exe
C:\WINDOWS\system32\drivers\down\87513421.exe
C:\WINDOWS\system32\drivers\down\87517625.exe
C:\WINDOWS\system32\drivers\down\87519750.exe
C:\WINDOWS\system32\drivers\down\87549812.exe
C:\WINDOWS\system32\drivers\down\87554218.exe
C:\WINDOWS\system32\drivers\down\88625.exe
C:\WINDOWS\system32\drivers\down\91218.exe
C:\WINDOWS\system32\drivers\down\91281.exe
C:\WINDOWS\system32\drivers\down\96531.exe
C:\WINDOWS\system32\drivers\down\97406.exe
C:\WINDOWS\system32\drivers\down\97968.exe
C:\WINDOWS\system32\drivers\down\99625.exe
C:\WINDOWS\system32\drivers\down\99656.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA
-------\srosa


((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-19 21:26 . 2008-02-19 21:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-19 21:26 . 2008-02-19 21:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-19 21:26 . 2008-02-19 21:26 <DIR> d-------- C:\Documents and Settings\Big\Application Data\SUPERAntiSpyware.com
2008-02-19 21:26 . 2008-02-19 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-19 21:25 . 2008-02-19 21:26 <DIR> d-------- C:\Temp\SuperAntiSpyware
2008-02-19 21:23 . 2008-02-19 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-19 21:21 . 2008-02-19 21:22 <DIR> d-------- C:\Temp\AVGAntiSpyware7.5
2008-02-19 20:06 . 2008-02-19 20:06 <DIR> d-------- C:\Temp\Bagle
2008-02-19 07:49 . 2008-02-19 07:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-19 07:49 . 2008-02-19 07:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-17 19:49 . 2008-02-17 19:49 <DIR> d-------- C:\Program Files\Avira
2008-02-17 19:49 . 2008-02-17 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-17 19:44 . 2008-02-17 19:45 <DIR> d-------- C:\Temp\AviraAntiVir-Free
2008-02-17 16:00 . 2008-02-19 19:48 <DIR> d-------- C:\Temp\Office2CAD
2008-02-17 15:41 . 2008-02-17 15:42 <DIR> d-------- C:\Temp\VistaDriveIcon
2008-02-10 00:15 . 2008-02-10 00:15 <DIR> d-------- C:\Program Files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 02:37 --------- d-----w C:\Documents and Settings\Big\Application Data\Simple Sudoku
2008-02-18 00:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-18 00:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-17 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-17 22:34 --------- d-----w C:\Documents and Settings\Big\Application Data\Symantec
2008-02-17 21:58 --------- d-----w C:\Program Files\Simple Sudoku
2008-02-17 21:24 --------- d-----w C:\Program Files\MYIE2
2008-02-17 20:51 --------- d-----w C:\Program Files\eMule
2008-01-18 22:21 --------- d-----w C:\Documents and Settings\Marc\Application Data\Simple Sudoku
2007-12-31 23:31 --------- d-----w C:\Documents and Settings\Marc\Application Data\Autodesk
2007-12-29 04:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2007-12-29 03:56 --------- d-----w C:\Documents and Settings\Big\Application Data\Autodesk
2007-12-29 03:49 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-12-29 03:46 --------- d-----w C:\Program Files\AutoCAD MEP 2008
2007-12-23 17:53 --------- d-----w C:\Program Files\AutoCAD 2008
2007-12-23 02:11 --------- d-----w C:\Program Files\Autodesk
2007-12-23 01:10 --------- d-----w C:\Program Files\Autodesk Building Systems 2005
2007-12-23 01:05 --------- d-----w C:\Program Files\AutoCAD 2007
2007-12-23 00:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-23 00:36 --------- d-----w C:\Program Files\ASUS
2007-12-23 00:35 --------- d-----w C:\Program Files\Common Files\Acronis
2007-12-23 00:27 --------- d-----w C:\Program Files\Lavasoft
2007-12-23 00:27 --------- d-----w C:\Documents and Settings\Big\Application Data\Lavasoft
1989-12-12 14:10 840,000 --sha-r C:\WINDOWS\bak\jsgrgvfA.exe
2006-10-13 18:07 911,346 --sha-w C:\WINDOWS\system32\fgjlm.bak2
2007-05-29 01:47 1,543,908 --sha-w C:\WINDOWS\system32\rqtwa.bak1
2007-05-29 03:12 1,544,486 --sha-w C:\WINDOWS\system32\rqtwa.bak2
2007-05-29 03:12 1,544,092 --sha-w C:\WINDOWS\system32\rqtwa.ini2
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 0 2003-10-28 21:31:13 C:\Program Files\321Studios\Platinum\bak\makedir

----a-w 118,784 2005-10-26 03:48:30 C:\Program Files\Common Files\Acronis\Schedule2\bak\schedhlp.exe

----a-w 59,040 2008-02-19 15:49:58 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 784,896 2005-02-18 02:44:28 C:\Program Files\dvd43\bak\dvd43_tray.exe

----a-w 155,896 2006-09-19 23:47:50 C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\bak\GoogleToolbarNotifier.exe

----a-w 98,304 2004-01-24 02:58:58 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 1,142,784 2004-04-12 22:51:40 C:\Program Files\SecCopy\bak\SecCopy.exe

----a-w 290,816 2005-11-11 21:47:10 C:\Program Files\Sunbelt Software\CounterSpy\Consumer\bak\sunserver.exe

--sha-r 840,000 1989-12-12 14:10:10 C:\WINDOWS\bak\jsgrgvfA.exe

----a-w 13,312 2003-03-31 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\ctfmon.exe

----a-w 491,520 2005-11-24 16:12:34 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\fppdis2a.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2005-10-22 06:03 675620]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="C:\Program Files\Internet Explorer\iexplore.exe" [2007-12-06 06:01 625664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-22 16:22 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"DrvIcon"="C:\Program Files\Vista Drive Icon\DrvIcon.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-19 22:09 249896]

C:\Documents and Settings\Big\Start Menu\Programs\Startup\
Dialog Tracker.lnk - C:\Program Files\Novatix\ExplorerPlus\Nxdlghlp.exe [2003-09-08 16:26:04 65536]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 10:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 13:56 17920 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2006-01-12 12:56]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2004-11-01 12:21]
R3 ProtoWall;ProtoWall Network Service;C:\WINDOWS\system32\DRIVERS\ProtoWall.sys [2004-08-12 10:29]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe []
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe []
S3 K5arddlog;K5arddlog;C:\WINDOWS\System32\rdshost.exe [2004-08-04 00:56]
S3 VICESYS;VICESYS;C:\Temp\Vice\VICESYS.sys [2004-04-19 15:27]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 22:14:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-19 22:23:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 03:23:51
ComboFix2.txt 2007-06-15 02:05:44
.
2008-02-13 01:08:13 --- E O F ---
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please do not try to run anything else yet as soon as you do it will corrupt it.
Go ahead and uninstall all that has that error about not being a win 32 application
Including the Antivirus.

1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\bak\jsgrgvfA.exe
C:\WINDOWS\system32\fgjlm.bak2
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\rqtwa.ini2
Folder::
C:\Temp\Bagle


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:Combofix.txt
================================================================================
=======
You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

  • 0

#5
tbono

tbono

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Kahdah,

Thanks again for the reply.
Unfortunately (or not) I did a spyware scan with Super ASW and was able to install Antivir Personal and did a virus scan prior to receiving your reply. I hope I didn't mess things up. Anyway, I did what you asked. Here are the logs:

Combo Fix Log:

ComboFix 08-02-20.2 - Big 2008-02-20 9:40:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2003 [GMT -5:00]
Running from: C:\Documents and Settings\Big\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Big\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\bak\jsgrgvfA.exe
C:\WINDOWS\system32\fgjlm.bak2
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\rqtwa.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\Bagle
C:\Temp\Bagle\klwk.com
C:\Temp\Bagle\klwk.zip
C:\Temp\Bagle\ReadMe.txt
C:\Temp\Bagle\ReadMeRu.txt
C:\Temp\Bagle\WhatsNew.txt
C:\WINDOWS\bak\jsgrgvfA.exe
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\fgjlm.bak2
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\rqtwa.ini2

.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-20 07:12 . 2008-02-20 07:12 <DIR> d-------- C:\Program Files\Avira
2008-02-19 21:26 . 2008-02-19 22:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-19 21:26 . 2008-02-19 21:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-19 21:26 . 2008-02-19 21:26 <DIR> d-------- C:\Documents and Settings\Big\Application Data\SUPERAntiSpyware.com
2008-02-19 21:26 . 2008-02-19 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-19 21:25 . 2008-02-19 21:26 <DIR> d-------- C:\Temp\SuperAntiSpyware
2008-02-19 21:23 . 2008-02-19 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-19 21:21 . 2008-02-19 21:22 <DIR> d-------- C:\Temp\AVGAntiSpyware7.5
2008-02-19 07:49 . 2008-02-19 07:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-19 07:49 . 2008-02-19 07:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-17 19:49 . 2008-02-20 07:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-17 19:44 . 2008-02-17 19:45 <DIR> d-------- C:\Temp\AviraAntiVir-Free
2008-02-17 16:00 . 2008-02-19 19:48 <DIR> d-------- C:\Temp\Office2CAD
2008-02-17 15:41 . 2008-02-17 15:42 <DIR> d-------- C:\Temp\VistaDriveIcon
2008-02-10 00:15 . 2008-02-10 00:15 <DIR> d-------- C:\Program Files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 02:37 --------- d-----w C:\Documents and Settings\Big\Application Data\Simple Sudoku
2008-02-18 00:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-18 00:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-17 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-17 22:34 --------- d-----w C:\Documents and Settings\Big\Application Data\Symantec
2008-02-17 21:58 --------- d-----w C:\Program Files\Simple Sudoku
2008-02-17 21:24 --------- d-----w C:\Program Files\MYIE2
2008-02-17 20:51 --------- d-----w C:\Program Files\eMule
2008-01-18 22:21 --------- d-----w C:\Documents and Settings\Marc\Application Data\Simple Sudoku
2007-12-31 23:31 --------- d-----w C:\Documents and Settings\Marc\Application Data\Autodesk
2007-12-29 04:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2007-12-29 03:56 --------- d-----w C:\Documents and Settings\Big\Application Data\Autodesk
2007-12-29 03:49 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-12-29 03:46 --------- d-----w C:\Program Files\AutoCAD MEP 2008
2007-12-23 17:53 --------- d-----w C:\Program Files\AutoCAD 2008
2007-12-23 02:11 --------- d-----w C:\Program Files\Autodesk
2007-12-23 01:10 --------- d-----w C:\Program Files\Autodesk Building Systems 2005
2007-12-23 01:05 --------- d-----w C:\Program Files\AutoCAD 2007
2007-12-23 00:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-23 00:36 --------- d-----w C:\Program Files\ASUS
2007-12-23 00:35 --------- d-----w C:\Program Files\Common Files\Acronis
2007-12-23 00:27 --------- d-----w C:\Program Files\Lavasoft
2007-12-23 00:27 --------- d-----w C:\Documents and Settings\Big\Application Data\Lavasoft
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 0 2003-10-28 21:31:13 C:\Program Files\321Studios\Platinum\bak\makedir

----a-w 118,784 2005-10-26 03:48:30 C:\Program Files\Common Files\Acronis\Schedule2\bak\schedhlp.exe

----a-w 59,040 2008-02-19 15:49:58 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 784,896 2005-02-18 02:44:28 C:\Program Files\dvd43\bak\dvd43_tray.exe

----a-w 155,896 2006-09-19 23:47:50 C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\bak\GoogleToolbarNotifier.exe

----a-w 98,304 2004-01-24 02:58:58 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 1,142,784 2004-04-12 22:51:40 C:\Program Files\SecCopy\bak\SecCopy.exe

----a-w 290,816 2005-11-11 21:47:10 C:\Program Files\Sunbelt Software\CounterSpy\Consumer\bak\sunserver.exe

----a-w 840,000 1989-12-12 14:10:10 C:\QooBox\Quarantine\C\WINDOWS\bak\jsgrgvfA.exe.vir

----a-w 13,312 2003-03-31 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\ctfmon.exe

----a-w 491,520 2005-11-24 16:12:34 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\fppdis2a.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="C:\Program Files\Internet Explorer\iexplore.exe" [2007-12-06 06:01 625664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-22 16:22 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"DrvIcon"="C:\Program Files\Vista Drive Icon\DrvIcon.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-20 07:14 249896]

C:\Documents and Settings\Big\Start Menu\Programs\Startup\
Dialog Tracker.lnk - C:\Program Files\Novatix\ExplorerPlus\Nxdlghlp.exe [2003-09-08 16:26:04 65536]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 10:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 13:56 17920 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2006-01-12 12:56]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2004-11-01 12:21]
R3 ProtoWall;ProtoWall Network Service;C:\WINDOWS\system32\DRIVERS\ProtoWall.sys [2004-08-12 10:29]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe []
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe []
S3 K5arddlog;K5arddlog;C:\WINDOWS\System32\rdshost.exe [2004-08-04 00:56]
S3 VICESYS;VICESYS;C:\Temp\Vice\VICESYS.sys [2004-04-19 15:27]

*Newly Created Service* - ANTIVIRSCHEDULER
*Newly Created Service* - ANTIVIRSERVICE
*Newly Created Service* - AVGIO
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - AVIPBB
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 09:44:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-20 9:45:36
ComboFix-quarantined-files.txt 2008-02-20 14:45:34
ComboFix2.txt 2008-02-20 03:23:54
ComboFix3.txt 2007-06-15 02:05:44
.
2008-02-13 01:08:13 --- E O F ---

HERE IS THE AWF LOG:

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 02/20/08
The current time is: 9:46:20.21


bak folders found
~~~~~~~~~~~


Directory of C:\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\DVD43\BAK

02/17/05 09:44 PM 784,896 dvd43_tray.exe
1 File(s) 784,896 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

01/23/04 09:58 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\SECCOPY\BAK

04/12/04 05:51 PM 1,142,784 SecCopy.exe
1 File(s) 1,142,784 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

03/31/03 07:00 AM 13,312 ctfmon.exe
1 File(s) 13,312 bytes

Directory of C:\PROGRA~1\321STU~1\PLATINUM\BAK

10/28/03 04:31 PM 0 makedir
1 File(s) 0 bytes

Directory of C:\PROGRA~1\ACRONIS\TRUEIM~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

02/19/08 10:49 AM 59,040 ccApp.exe
1 File(s) 59,040 bytes

Directory of C:\PROGRA~1\COMMON~1\ACRONIS\SCHEDU~1\BAK

10/25/05 10:48 PM 118,784 schedhlp.exe
1 File(s) 118,784 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\10720~1.364\BAK

09/19/06 06:47 PM 155,896 GoogleToolbarNotifier.exe
1 File(s) 155,896 bytes

Directory of C:\PROGRA~1\SUNBEL~1\COUNTE~2\CONSUMER\BAK

11/11/05 04:47 PM 290,816 sunserver.exe
1 File(s) 290,816 bytes

Directory of C:\QOOBOX\QUARAN~1\C\WINDOWS\BAK

12/12/89 09:10 AM 840,000 jsgrgvfA.exe.vir
1 File(s) 840,000 bytes

Directory of C:\PROGRA~1\ULEADS~1\ULEADV~1.0\PLAYER\UVS8~1.0_O\RUNTIM~1.BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

11/24/05 11:12 AM 491,520 fppdis2a.exe
1 File(s) 491,520 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

543269 Apr 30 2005 "C:\Temp\DVD43Free\DVD43_3-5-2_Setup.exe"
784896 Feb 17 2005 "C:\Program Files\dvd43\bak\dvd43_tray.exe"
526018 May 25 2007 "C:\Temp\DVD43Free\v3.9.0\DVD43_3-9-0_Setup.exe"
543269 Apr 30 2005 "G:\LocalBackup\Temp\DVD43Free\DVD43_3-5-2_Setup.exe"
98304 Jan 23 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
1134080 Sep 7 2001 "C:\Program Files\SecCopy\BACKUP\SecCopy.exe"
1142784 Apr 12 2004 "C:\Program Files\SecCopy\bak\SecCopy.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
13312 Mar 31 2003 "C:\WINDOWS\system32\bak\ctfmon.exe"
0 Oct 28 2003 "C:\Program Files\321Studios\Platinum\bak\makedir"
0 Oct 28 2003 "C:\Program Files\321Studios\Platinum\tdf\makedir.dir"
59040 Feb 19 2008 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
118784 Oct 25 2005 "C:\Program Files\Common Files\Acronis\Schedule2\bak\schedhlp.exe"
831552 Oct 5 2006 "C:\Documents and Settings\Marc\Desktop\GoogleToolbarInstaller.exe"
3739648 Jan 1 2007 "C:\Program Files\Google\Google Talk\googletalk.exe"
1581768 Dec 17 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.100\googletalk-setup-upgrade.exe"
1606064 Mar 6 2007 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.104\googletalk-setup-upgrade.exe"
1531784 Aug 16 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.96\googletalk-setup-upgrade.exe"
155896 Sep 19 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\bak\GoogleToolbarNotifier.exe"
290816 Nov 11 2005 "C:\Program Files\Sunbelt Software\CounterSpy\Consumer\bak\sunserver.exe"
840000 Dec 12 1989 "C:\QooBox\Quarantine\C\WINDOWS\bak\jsgrgvfA.exe.vir"
47 Jun 9 2003 "C:\Program Files\BCMSetup\AutoRun.inf"
39 Jul 18 2002 "C:\Program Files\NewTech Infosystems\NTI CD-Maker\autorun.inf"
31 Mar 15 2004 "C:\Program Files\Ulead Systems\Ulead VideoStudio 8.0\Player\AUTORUN.INF"
46 Nov 2 2004 "C:\Temp\BartPEBuilder\3.1.10a\BartPE\autorun.inf"
110 Aug 23 2001 "C:\Temp\BartPEBuilder\3.1.10a\win-slipstreamed\AUTORUN.INF"
31 Mar 15 2004 "C:\Program Files\Ulead Systems\Ulead VideoStudio 8.0\Player\RunTimePlayer2.0\AUTORUN.INF"
490 Feb 17 2006 "C:\Temp\BartPEBuilder\3.1.10a\plugin\autorun\autorun.inf"
49 Sep 19 2003 "C:\Program Files\Ulead Systems\Ulead VideoStudio 8.0\Player\UVS8.0_Other_BakUp\RunTimePlayer2.0.20040309\AUTORUN.INF"
49 Sep 19 2003 "C:\Program Files\Ulead Systems\Ulead VideoStudio 8.0\Player\UVS8.0_Other_BakUp\RunTimePlayer2.0.bak\ALL\AUTORUN.INF"
46 Nov 2 2004 "G:\LocalBackup\Temp\BartPEBuilder\3.1.10a\BartPE\autorun.inf"
110 Aug 23 2001 "G:\LocalBackup\Temp\BartPEBuilder\3.1.10a\win-slipstreamed\AUTORUN.INF"
490 Feb 17 2006 "G:\LocalBackup\Temp\BartPEBuilder\3.1.10a\plugin\autorun\autorun.inf"
491520 Nov 24 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\fppdis2a.exe"


end of report

FOR WHAT IT'S WORTH, HERE IS THE LOG OF THE ANTIVIR SCAN:



AntiVir PersonalEdition Classic
Report file date: February 20, 2008 07:22

Scanning for 1117786 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Big
Computer name: AWESOME3450

Version information:
BUILD.DAT : 270 15603 Bytes 09/19/07 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 08/23/07 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 08/16/07 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 08/14/07 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 08/21/07 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 07/18/07 20:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/07 12:14:18
ANTIVIR2.VDF : 7.0.2.113 1673728 Bytes 02/08/08 12:14:18
ANTIVIR3.VDF : 7.0.2.165 300032 Bytes 02/20/08 12:14:18
AVEWIN32.DLL : 7.6.0.67 3293696 Bytes 02/20/08 12:14:18
AVWINLL.DLL : 1.0.0.7 14376 Bytes 02/26/07 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 07/18/07 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 04/16/07 19:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 02/20/08 12:14:18
AVREG.DLL : 7.0.1.6 30760 Bytes 07/18/07 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 08/28/07 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 07/18/07 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 03/08/07 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 08/07/07 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 08/21/07 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 07/23/07 15:37:21

Configuration settings for the scan:
Jobname..........................: ShlExt
Configuration file...............: C:\DOCUME~1\Big\LOCALS~1\Temp\dad51bc8.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: February 20, 2008 07:22

Starting the file scan:

Begin scan in 'C:\'
C:\ecri.exe~
[DETECTION] Contains detection pattern of the worm WORM/Locksky.AW.10
[INFO] The file was moved to '482e1be3.qua'!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\inst.exe
[DETECTION] Contains detection pattern of a probably damaged sample CC/Agent.CZ
[INFO] The file was moved to '482f1c5e.qua'!
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\INFECTED\482e1be3.qua
[DETECTION] Contains detection pattern of the worm WORM/Locksky.AW.10
[INFO] The file was moved to '47ee1d12.qua'!
C:\Documents and Settings\Marc\Application Data\Sun\Java\Deployment\cache\6.0\57\1ce176f9-1a7fbed8
[0] Archive type: ZIP
--> HiPointInstallShield.class
[DETECTION] Is the Trojan horse TR/Spy.Agent.RK
[INFO] The file was moved to '48211e8e.qua'!
C:\Documents and Settings\Marc\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\n.jar-ff1ac49-6eb7903b.zip
[0] Archive type: ZIP
--> HiPointInstallShield.class
[DETECTION] Is the Trojan horse TR/Spy.Agent.RK
[INFO] The file was moved to '48261ea4.qua'!
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[DETECTION] Is the Trojan horse TR/Dldr.Bagle.JW
[INFO] The file was moved to '482b2a81.qua'!
C:\QooBox\Quarantine\catchme2008-02-19_221434.76.zip
[0] Archive type: ZIP
--> srosa.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> wintems.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
--> mdelk.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
--> hldrrr.exe
[DETECTION] Is the Trojan horse TR/Dldr.Bagle.JW
[INFO] The file was moved to '48302e08.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\mdelk.exe.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '48212e0b.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\wintems.exe.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '482a2e10.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\xpdx.sys.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '48202e18.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\hldrrr.exe.vir
[DETECTION] Is the Trojan horse TR/Killav.28714
[INFO] The file was moved to '48202e14.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\101975343.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47ed2dd9.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\101978828.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '466cb9a2.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\111750.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47ed2ddb.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\116459484.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47f22ddb.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\116462546.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47f22ddc.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\116531.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47f22ddd.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\130960062.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47ec2ddf.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\130961406.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47ec2de0.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\145491906.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47f12de2.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\14579125.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47f12de3.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\160065562.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47ec2de6.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\174649328.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47f02de8.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\174653953.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '4671b991.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\29136109.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47ed2deb.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\334968.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47f02de6.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\43635859.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47f22de7.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\43641546.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '4673b990.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\58245890.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47ee2dec.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\67359.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47ef2dec.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\76968.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47f52dec.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\77421.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47f02ded.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\86859.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47f42ded.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\87447125.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47f02dee.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\91218.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47ee2de9.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\96531.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47f12dee.qua'!
C:\RECYCLER\NPROTECT\00103823.DLL
[WARNING] The file could not be opened!
C:\RECYCLER\NPROTECT\00103826.SYS
[WARNING] The file could not be opened!
C:\RECYCLER\NPROTECT\00103828.DLL
[WARNING] The file could not be opened!
C:\RECYCLER\NPROTECT\00103830.SYS
[WARNING] The file could not be opened!
C:\RECYCLER\NPROTECT\00103832.DLL
[WARNING] The file could not be opened!
C:\RECYCLER\NPROTECT\00104202.DLL
[WARNING] The file could not be opened!
C:\RECYCLER\NPROTECT\00104203.SYS
[WARNING] The file could not be opened!
C:\WINDOWS\system32\ActiveScan\pskavs.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[INFO] The file was moved to '482734b2.qua'!


End of the scan: February 20, 2008 09:09
Used time: 1:47:07 min

The scan has been done completely.

13439 Scanning directories
966005 Files were scanned
60 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
55 files were moved to quarantine
0 files were renamed
8 Files cannot be scanned
965945 Files not concerned
10965 Archives were scanned
8 Warnings
101 Notes

You guys are the greatest!

Tom
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok but please no more scans unless instructed.
As some might get rid of tools that we need to delete the infections assome scans delete for example Combofix of find awf.
=================================

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    "C:\Program Files\dvd43\bak\dvd43_tray.exe"
    "C:\Program Files\QuickTime\bak\qttask.exe"
    "C:\Program Files\SecCopy\bak\SecCopy.exe"
    "C:\WINDOWS\system32\bak\ctfmon.exe"
    "C:\Program Files\321Studios\Platinum\bak\makedir"
    "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
    "C:\Program Files\Common Files\Acronis\Schedule2\bak\schedhlp.exe"
    "C:\Program Files\Sunbelt Software\CounterSpy\Consumer\bak\sunserver.exe"
    "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\fppdis2a.exe"


  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for .bak folder
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

  • 0

#7
tbono

tbono

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
kahdah,

Here is the AWF Log file. Thanks.


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 02/20/08
The current time is: 10:45:18.37


bak folders found
~~~~~~~~~~~


Directory of C:\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\DVD43\BAK

02/17/05 09:44 PM 784,896 dvd43_tray.exe
1 File(s) 784,896 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

01/23/04 09:58 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\SECCOPY\BAK

04/12/04 05:51 PM 1,142,784 SecCopy.exe
1 File(s) 1,142,784 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

03/31/03 07:00 AM 13,312 ctfmon.exe
1 File(s) 13,312 bytes

Directory of C:\PROGRA~1\321STU~1\PLATINUM\BAK

10/28/03 04:31 PM 0 makedir
1 File(s) 0 bytes

Directory of C:\PROGRA~1\ACRONIS\TRUEIM~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

02/19/08 10:49 AM 59,040 ccApp.exe
1 File(s) 59,040 bytes

Directory of C:\PROGRA~1\COMMON~1\ACRONIS\SCHEDU~1\BAK

10/25/05 10:48 PM 118,784 schedhlp.exe
1 File(s) 118,784 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\10720~1.364\BAK

09/19/06 06:47 PM 155,896 GoogleToolbarNotifier.exe
1 File(s) 155,896 bytes

Directory of C:\PROGRA~1\SUNBEL~1\COUNTE~2\CONSUMER\BAK

11/11/05 04:47 PM 290,816 sunserver.exe
1 File(s) 290,816 bytes

Directory of C:\QOOBOX\QUARAN~1\C\WINDOWS\BAK

12/12/89 09:10 AM 840,000 jsgrgvfA.exe.vir
1 File(s) 840,000 bytes

Directory of C:\PROGRA~1\ULEADS~1\ULEADV~1.0\PLAYER\UVS8~1.0_O\RUNTIM~1.BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

11/24/05 11:12 AM 491,520 fppdis2a.exe
1 File(s) 491,520 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

784896 Feb 17 2005 "C:\Program Files\dvd43\dvd43_tray.exe"
543269 Apr 30 2005 "C:\Temp\DVD43Free\DVD43_3-5-2_Setup.exe"
784896 Feb 17 2005 "C:\Program Files\dvd43\bak\dvd43_tray.exe"
526018 May 25 2007 "C:\Temp\DVD43Free\v3.9.0\DVD43_3-9-0_Setup.exe"
543269 Apr 30 2005 "G:\LocalBackup\Temp\DVD43Free\DVD43_3-5-2_Setup.exe"
98304 Jan 23 2004 "C:\Program Files\QuickTime\qttask.exe"
98304 Jan 23 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
1142784 Apr 12 2004 "C:\Program Files\SecCopy\SecCopy.exe"
1134080 Sep 7 2001 "C:\Program Files\SecCopy\BACKUP\SecCopy.exe"
1142784 Apr 12 2004 "C:\Program Files\SecCopy\bak\SecCopy.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
13312 Mar 31 2003 "C:\WINDOWS\LastGood\system32\ctfmon.exe"
13312 Mar 31 2003 "C:\WINDOWS\system32\bak\ctfmon.exe"
0 Oct 28 2003 "C:\Program Files\321Studios\Platinum\makedir"
0 Oct 28 2003 "C:\Program Files\321Studios\Platinum\bak\makedir"
0 Oct 28 2003 "C:\Program Files\321Studios\Platinum\tdf\makedir.dir"
59040 Feb 19 2008 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
59040 Feb 19 2008 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
118784 Oct 25 2005 "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
118784 Oct 25 2005 "C:\Program Files\Common Files\Acronis\Schedule2\bak\schedhlp.exe"
831552 Oct 5 2006 "C:\Documents and Settings\Marc\Desktop\GoogleToolbarInstaller.exe"
3739648 Jan 1 2007 "C:\Program Files\Google\Google Talk\googletalk.exe"
1581768 Dec 17 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.100\googletalk-setup-upgrade.exe"
1606064 Mar 6 2007 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.104\googletalk-setup-upgrade.exe"
1531784 Aug 16 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.96\googletalk-setup-upgrade.exe"
155896 Sep 19 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\bak\GoogleToolbarNotifier.exe"
290816 Nov 11 2005 "C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe"
290816 Nov 11 2005 "C:\Program Files\Sunbelt Software\CounterSpy\Consumer\bak\sunserver.exe"
840000 Dec 12 1989 "C:\QooBox\Quarantine\C\WINDOWS\bak\jsgrgvfA.exe.vir"
47 Jun 9 2003 "C:\Program Files\BCMSetup\AutoRun.inf"
39 Jul 18 2002 "C:\Program Files\NewTech Infosystems\NTI CD-Maker\autorun.inf"
31 Mar 15 2004 "C:\Program Files\Ulead Systems\Ulead VideoStudio 8.0\Player\AUTORUN.INF"
46 Nov 2 2004 "C:\Temp\BartPEBuilder\3.1.10a\BartPE\autorun.inf"
110 Aug 23 2001 "C:\Temp\BartPEBuilder\3.1.10a\win-slipstreamed\AUTORUN.INF"
31 Mar 15 2004 "C:\Program Files\Ulead Systems\Ulead VideoStudio 8.0\Player\RunTimePlayer2.0\AUTORUN.INF"
490 Feb 17 2006 "C:\Temp\BartPEBuilder\3.1.10a\plugin\autorun\autorun.inf"
49 Sep 19 2003 "C:\Program Files\Ulead Systems\Ulead VideoStudio 8.0\Player\UVS8.0_Other_BakUp\RunTimePlayer2.0.20040309\AUTORUN.INF"
49 Sep 19 2003 "C:\Program Files\Ulead Systems\Ulead VideoStudio 8.0\Player\UVS8.0_Other_BakUp\RunTimePlayer2.0.bak\ALL\AUTORUN.INF"
46 Nov 2 2004 "G:\LocalBackup\Temp\BartPEBuilder\3.1.10a\BartPE\autorun.inf"
110 Aug 23 2001 "G:\LocalBackup\Temp\BartPEBuilder\3.1.10a\win-slipstreamed\AUTORUN.INF"
490 Feb 17 2006 "G:\LocalBackup\Temp\BartPEBuilder\3.1.10a\plugin\autorun\autorun.inf"
491520 Nov 24 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\fppdis2a.exe"
491520 Nov 24 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\fppdis2a.exe"


end of report
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\dvd43\bak
    C:\Program Files\QuickTime\bak
    C:\Program Files\SecCopy\bak
    C:\WINDOWS\system32\bak
    C:\WINDOWS\bak
    C:\Program Files\321Studios\Platinum\bak
    C:\Program Files\Common Files\Symantec Shared\bak
    C:\Program Files\Common Files\Acronis\Schedule2\bak
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\bak
    C:\WINDOWS\system32\spool\drivers\w32x86\3\bak
    C:\BAK
    C:\Program Files\Messenger\Bak
    C:\Program Files\Acroinis True Image\Bak
    C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\bak


  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for .bak folder
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

  • 0

#9
tbono

tbono

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
kahdah,

Here is the current AWF log file: Scan went rather quickly this time.


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 02/20/08
The current time is: 11:52:20.71


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ACRONIS\TRUEIM~1\BAK

0 File(s) 0 bytes

Directory of C:\QOOBOX\QUARAN~1\C\WINDOWS\BAK

12/12/89 09:10 AM 840,000 jsgrgvfA.exe.vir
1 File(s) 840,000 bytes

Directory of C:\PROGRA~1\ULEADS~1\ULEADV~1.0\PLAYER\UVS8~1.0_O\RUNTIM~1.BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

840000 Dec 12 1989 "C:\QooBox\Quarantine\C\WINDOWS\bak\jsgrgvfA.exe.vir"
47 Jun 9 2003 "C:\Program Files\BCMSetup\AutoRun.inf"
39 Jul 18 2002 "C:\Program Files\NewTech Infosystems\NTI CD-Maker\autorun.inf"
31 Mar 15 2004 "C:\Program Files\Ulead Systems\Ulead VideoStudio 8.0\Player\AUTORUN.INF"
46 Nov 2 2004 "C:\Temp\BartPEBuilder\3.1.10a\BartPE\autorun.inf"
110 Aug 23 2001 "C:\Temp\BartPEBuilder\3.1.10a\win-slipstreamed\AUTORUN.INF"
31 Mar 15 2004 "C:\Program Files\Ulead Systems\Ulead VideoStudio 8.0\Player\RunTimePlayer2.0\AUTORUN.INF"
490 Feb 17 2006 "C:\Temp\BartPEBuilder\3.1.10a\plugin\autorun\autorun.inf"
49 Sep 19 2003 "C:\Program Files\Ulead Systems\Ulead VideoStudio 8.0\Player\UVS8.0_Other_BakUp\RunTimePlayer2.0.20040309\AUTORUN.INF"
49 Sep 19 2003 "C:\Program Files\Ulead Systems\Ulead VideoStudio 8.0\Player\UVS8.0_Other_BakUp\RunTimePlayer2.0.bak\ALL\AUTORUN.INF"
46 Nov 2 2004 "G:\LocalBackup\Temp\BartPEBuilder\3.1.10a\BartPE\autorun.inf"
110 Aug 23 2001 "G:\LocalBackup\Temp\BartPEBuilder\3.1.10a\win-slipstreamed\AUTORUN.INF"
490 Feb 17 2006 "G:\LocalBackup\Temp\BartPEBuilder\3.1.10a\plugin\autorun\autorun.inf"


end of report
  • 0

#10
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\PROGRA~1\ACRONIS\TRUEIM~1\BAK
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

=======================
After that please do a kaspersky scan again.
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#11
tbono

tbono

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
kahdah,

Ran OT Move it. Here is the log:

C:\PROGRA~1\ACRONIS\TRUEIM~1\BAK moved successfully.

OTMoveIt2 v1.0.20 log created on 02202008_120542

Here is the Kaspersky log. There were literally thousands of the Recycler NTProtect entries so i deleted most of them to shorten up the log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
February 20, 2008 10:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/02/2008
Kaspersky Anti-Virus database records: 573884
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 164056
Number of viruses found: 12
Number of infected objects: 33
Number of suspicious objects: 2
Duration of the scan process: 04:52:27

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\788ddf9ec0cfa02f2c2a37a6db51bbba_c86bec6c-4647-4134-8b38-a661c7306282 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Big\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Big\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Big\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Big\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Big\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Big\Local Settings\Temp\~DFD56B.tmp Object is locked skipped
C:\Documents and Settings\Big\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Big\ntuser.dat Object is locked skipped
C:\Documents and Settings\Big\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\instcat.dll.vir Infected: Email-Worm.Win32.Locksky.bm skipped
C:\QooBox\Quarantine\catchme2007-06-14_220233.53.zip/xpdx.sys Infected: SpamTool.Win32.Mailbot.bc skipped
C:\QooBox\Quarantine\catchme2007-06-14_220233.53.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\Registry_backups\LEGACY_SROSA.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\QooBox\Quarantine\Registry_backups\services_srosa.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\RECYCLER\NPROTECT\00102485.TXT Object is locked skipped
C:\RECYCLER\NPROTECT\00104221.isu Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{32EEDC4D-95CF-4F7D-858B-F76EA37BF772}\RP285\A0055439.sys Object is locked skipped
C:\System Volume Information\_restore{32EEDC4D-95CF-4F7D-858B-F76EA37BF772}\RP285\A0055446.sys Object is locked skipped
C:\System Volume Information\_restore{32EEDC4D-95CF-4F7D-858B-F76EA37BF772}\RP285\A0055509.sys Object is locked skipped
C:\System Volume Information\_restore{32EEDC4D-95CF-4F7D-858B-F76EA37BF772}\RP285\A0056068.sys Object is locked skipped
C:\System Volume Information\_restore{32EEDC4D-95CF-4F7D-858B-F76EA37BF772}\RP301\change.log Object is locked skipped
C:\Temp\UltimateBootCD\v3.03\UBCD4WinV303.exe RarSFX: infected - 11 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{AE65C18B-55DA-4A96-8B1E-67A7EEF473CA}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_134.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1c0.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Thanks once again.
  • 0

#12
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
I would go ahead and delete this only because I know it contains cracked software and can be infected.
C:\Temp\UltimateBootCD\v3.03\UBCD4WinV303.exe

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

    The above procedure will delete and do the following:

    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete\uninstall anything that we used that is left over.

Doing the above will remove what is left over in the Kaspersky scan
================================================================
Again anything that had the original error about win 32 has to be reinstalled.

After that Your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
  • 0

#13
tbono

tbono

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
kahdah,

Thanks for your help. I will be sure to donate.

Tom
  • 0

#14
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome and thanks for the donation:)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#15
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP