Persistent trojan in registry - HijackThis log enclosed [RESOLVED]


This topic is locked

#46 desireejassel (Member, Topic Starter, 43 posts)
MS-DOS did the same thing as before; I don't know if this is normal. I searched for results.txt
and this is what it contained. I'm not sure if I am doing something wrong.

log=AegisP Protocol (C:\WINDOWS\inf\AegisP.inf): Created.
log=AegisP Protocol (C:\WINDOWS\system32\drivers\AegisP.sys): Created.
log=AegisP Protocol (network component): Installed.
message=Driver install was successful
reboot=0
log=AegisP Protocol (device driver): Started - now running.
code=0

#47 desireejassel (Member, Topic Starter, 43 posts)
I am so sorry, I found what I was doing wrong: I wrote find.bat instead of Find.bat. As soon as I fixed that I got the results.

Volume in drive C has no label.
Volume Serial Number is 8843-62D2

Directory of C:\WINDOWS

08/04/2004 01:56 AM 1,034,752 explorer.exe
1 File(s) 1,034,752 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/18/2001 07:00 AM 1,000,960 explorer.exe
1 File(s) 1,000,960 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 01:56 AM 1,032,192 explorer.exe
1 File(s) 1,032,192 bytes

Total Files Listed:
3 File(s) 3,067,904 bytes
0 Dir(s) 72,103,944,192 bytes free
Volume in drive C has no label.
Volume Serial Number is 8843-62D2

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/18/2001 07:00 AM 11,776 lsass.exe
1 File(s) 11,776 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 01:56 AM 13,312 lsass.exe
1 File(s) 13,312 bytes

Directory of C:\WINDOWS\system32

08/04/2004 01:56 AM 14,848 lsass.exe
1 File(s) 14,848 bytes

Total Files Listed:
3 File(s) 39,936 bytes
0 Dir(s) 72,103,940,096 bytes free
Volume in drive C has no label.
Volume Serial Number is 8843-62D2

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/18/2001 07:00 AM 101,376 services.exe
1 File(s) 101,376 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 01:56 AM 108,032 services.exe
1 File(s) 108,032 bytes

Directory of C:\WINDOWS\system32

08/04/2004 01:56 AM 110,592 services.exe
1 File(s) 110,592 bytes

Total Files Listed:
3 File(s) 320,000 bytes
0 Dir(s) 72,103,940,096 bytes free
Volume in drive C has no label.
Volume Serial Number is 8843-62D2

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/18/2001 07:00 AM 12,800 svchost.exe
1 File(s) 12,800 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 01:56 AM 14,336 svchost.exe
1 File(s) 14,336 bytes

Directory of C:\WINDOWS\system32

04/13/2008 07:18 AM 17,408 svchost.exe
1 File(s) 17,408 bytes

Total Files Listed:
3 File(s) 44,544 bytes
0 Dir(s) 72,103,940,096 bytes free
Volume in drive C has no label.
Volume Serial Number is 8843-62D2

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/18/2001 07:00 AM 430,080 winlogon.exe
1 File(s) 430,080 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 01:56 AM 502,272 winlogon.exe
1 File(s) 502,272 bytes

Directory of C:\WINDOWS\system32

08/04/2004 01:56 AM 506,368 winlogon.exe
1 File(s) 506,368 bytes

Total Files Listed:
3 File(s) 1,438,720 bytes
0 Dir(s) 72,103,940,096 bytes free

#48 JSntgRvr (Global Moderator, 10,965 posts)
Hi, desireejassel :)

Please install the Recovery Console.

You can use Combofix to do this.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System. Download this file to your desktop, next to Combofix.



Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When completed, a log named CF_RC.txt will open. Please post the contents of that log.

When the Recovery Console is installed you will see a menu at startup where you can select your Windows Installation and the Recovery Console. The Recovery Console is an important tool and should be used by qualified users.

Let me know when done.

#49 desireejassel (Member, Topic Starter, 43 posts)
ComboFix 08-04-22.1 - Administrator 2008-04-22 21:08:27.10 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.351 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-18 22:53 . 2008-04-18 22:53 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-18 22:53 . 2008-04-18 22:53 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-04-18 22:53 . 2008-04-18 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-18 19:38 . 2008-04-18 19:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-18 19:38 . 2008-04-18 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-18 19:38 . 2008-04-18 19:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-15 19:17 . 2008-04-18 15:39 <DIR> d-------- C:\fixwareout
2008-04-14 11:26 . 2008-04-14 11:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 10:04 . 2008-04-14 10:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-04-14 07:21 . 2008-04-14 07:22 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-04-13 13:33 . 2008-04-13 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-13 13:16 . 2008-04-13 13:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2008-04-13 08:30 . 2008-04-19 23:18 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-13 08:30 . 2008-04-22 21:07 417,792 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-13 08:02 . 2008-04-13 08:02 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-13 08:02 . 2003-03-18 14:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-04-13 08:02 . 2003-03-18 13:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-04-13 08:02 . 2003-02-20 21:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-04-13 07:27 . 2008-04-13 07:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 07:05 . 2008-04-13 07:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-04-09 11:47 . 2008-04-09 11:47 <DIR> d-------- C:\Program Files\QuickTime
2008-04-09 11:47 . 2008-04-09 11:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-09 11:44 . 2008-04-13 13:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 11:44 . 2008-04-09 11:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-25 00:28 . 2008-03-25 00:28 <DIR> d-------- C:\Documents and Settings\Ruben\Application Data\MSN6
2008-03-25 00:28 . 2008-03-25 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 12:18 17,408 ----a-w C:\WINDOWS\system32\svchost.exe
2008-04-09 02:55 --------- d-----w C:\Documents and Settings\Ruben\Application Data\LimeWire
2008-03-18 04:01 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Walgreens
2008-03-14 00:05 --------- d-----w C:\Program Files\Azureus
2008-03-14 00:05 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Azureus
2008-03-03 22:15 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-03-03 22:13 --------- d-----w C:\Program Files\Avanquest update
2008-03-03 22:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-03-03 22:08 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-03-03 22:08 --------- d-----w C:\Documents and Settings\Ruben\Application Data\InstallShield
2008-03-03 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-01 05:38 --------- d-----w C:\Program Files\Apple Software Update
2008-03-01 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-01 05:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-03-01 05:30 --------- d-----w C:\Program Files\Kodak
2008-03-01 05:30 --------- d-----w C:\Program Files\Common Files\Kodak
2008-03-01 05:01 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Snapfish
2008-02-23 15:58 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Ahead
.

------- Sigcheck -------

2001-08-18 07:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-04-13 07:18 17408 c357a9031d4c637112df2a4a8fa21ac4 C:\WINDOWS\system32\svchost.exe

2001-08-18 07:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys

2001-08-18 07:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 01:56 506368 b270125e1557a24f8de54857d8199dcf C:\WINDOWS\system32\winlogon.exe

2004-08-04 01:56 1034752 99641a4d634ddf0403ac065c51b365e7 C:\WINDOWS\explorer.exe
2001-08-18 07:00 1000960 5a26fc6010886d25b3e412493dd95ed8 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 01:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((( [email protected]_21.38.28.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 01:05:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-22 20:54:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:56 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 14:56 45056]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 15:12 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 13:25 14720000 C:\WINDOWS\RTHDCPL.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-29 14:33 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-29 14:33 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-29 14:33 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 12:37 79224]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-04-07 20:17 1175160]
"rgpst"="C:\DOCUME~1\Ruben\LOCALS~1\Temp\dehflds.sys WLEntryPoint" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 05:33:46 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"iiiopj"= rundll32.exe "C:\WINDOWS\system32\sqanaonnae.sys" WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2005-05-20 18:42 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22383:TCP"= 22383:TCP:@xpsp2res.dll,-22005
"20498:TCP"= 20498:TCP:@xpsp2res.dll,-22005
"62737:TCP"= 62737:TCP:@xpsp2res.dll,-22005
"8252:TCP"= 8252:TCP:@xpsp2res.dll,-22005

S1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswsp.sys [2008-03-29 12:31]
S2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 12:35]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 15:31]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 20:03]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-02-27 15:31]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 05:38:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 21:09:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-22 21:10:17
ComboFix-quarantined-files.txt 2008-04-23 02:10:15
ComboFix2.txt 2008-04-20 04:07:47
ComboFix3.txt 2008-04-18 22:06:05
ComboFix4.txt 2008-04-18 20:45:22
ComboFix5.txt 2008-04-18 04:55:12

Pre-Run: 72,084,865,024 bytes free
Post-Run: 72,111,624,192 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

158

#50 JSntgRvr (Global Moderator, 10,965 posts)
Hi, desireejassel :)

As you know, we are trying to determine the location of these files in your computer, as they appear to be patched with an infection in the System32 folder:

explorer.exe
lsass.exe
services.exe
svchost.exe
winlogon.exe


These files are part of the Operating System. Without them the system will not work. Something peculiar is that there is no backup of these files in the Dllcache folder, as there usually is. The Dllcache folder is Windows' protected storage for system files. That creates a problem, as the only common folder to restore from is the C:\WINDOWS\ServicePackFiles\i386 folder. I will need to consult with my colleagues on whether it is feasible to do so without creating a major problem in the computer.

Will come back with a reply promptly.
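The reasoning in post #50, in runnable form (an example added to this thread, not code from the forum, from ComboFix or from its author): the Sigcheck block that ComboFix printed above lists date, time, size, MD5 and path for every copy of a file, and the copy under ServicePackFiles\i386 is the reference the moderator settles on. The script below parses those lines, classifies each path (reference, pre-SP uninstall backup, dllcache, live), flags every live copy whose MD5 differs from the reference, and notes when no dllcache backup exists at all. The sample input is copied from this thread's log; the function and field names are my own. Two caveats a practitioner would add: a hash mismatch against the service-pack copy is a lead, not proof (post-SP2 hotfixes legitimately replace these files, so the digital-signature check the thread runs later with fdsv is the stronger test), and on a compromised machine ServicePackFiles\i386 can itself have been altered, so its hashes deserve a comparison against a known-good source before being trusted.

```python
"""Flag live Windows system binaries whose MD5 differs from the service-pack reference copy.

Added example (not part of the forum thread). Input is the whitespace-separated
"Sigcheck" block ComboFix prints: date time size md5 path, one file per line.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: the Sigcheck lines from the ComboFix log earlier in this thread.
SIGCHECK_SAMPLE = r"""
2001-08-18 07:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-04-13 07:18 17408 c357a9031d4c637112df2a4a8fa21ac4 C:\WINDOWS\system32\svchost.exe

2001-08-18 07:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys

2001-08-18 07:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 01:56 506368 b270125e1557a24f8de54857d8199dcf C:\WINDOWS\system32\winlogon.exe

2004-08-04 01:56 1034752 99641a4d634ddf0403ac065c51b365e7 C:\WINDOWS\explorer.exe
2001-08-18 07:00 1000960 5a26fc6010886d25b3e412493dd95ed8 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 01:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+(\d+)\s+([0-9a-f]{32})\s+(.+)$")


def classify(path: str) -> str:
    """Which copy of the binary a path refers to (names of the buckets are mine)."""
    p = path.lower()
    if "\\servicepackfiles\\i386\\" in p:
        return "reference"   # service-pack install source: the restore origin post #50 settles on
    if "\\$ntservicepackuninstall$\\" in p:
        return "pre_sp"      # pre-SP2 build kept for uninstall; expected to differ, not evidence
    if "\\dllcache\\" in p:
        return "dllcache"    # Windows File Protection backup
    return "live"            # the copy that actually runs


def parse_sigcheck(text: str) -> List[dict]:
    """Parse Sigcheck lines; blank lines and section banners are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        date, time, size, md5, path = m.groups()
        entries.append({
            "date": date, "time": time, "size": int(size), "md5": md5, "path": path,
            "kind": classify(path), "name": path.rsplit("\\", 1)[-1].lower(),
        })
    return entries


def compare(entries: List[dict]) -> Dict[str, List[dict]]:
    """For every live copy, compare its MD5 with the reference copy of the same name."""
    by_name: Dict[str, List[dict]] = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    report: Dict[str, List[dict]] = {}
    for name, group in by_name.items():
        ref = next((e for e in group if e["kind"] == "reference"), None)
        has_cache = any(e["kind"] == "dllcache" for e in group)
        for live in (e for e in group if e["kind"] == "live"):
            if ref is None:
                status = "NO_REFERENCE"      # nothing to compare against: restore needs another source
            elif live["md5"] == ref["md5"]:
                status = "MATCH"
            else:
                status = "MISMATCH"          # a lead, not proof: hotfixes also change these files
            report.setdefault(name, []).append({
                "status": status,
                "live_path": live["path"],
                "live_md5": live["md5"],
                "reference_md5": ref["md5"] if ref else None,
                "size_delta": live["size"] - ref["size"] if ref else None,
                "dllcache_backup": has_cache,
            })
    return report


def flagged(report: Dict[str, List[dict]]) -> List[str]:
    """Names whose live copy does not match the reference (or has no reference at all)."""
    return sorted(n for n, finds in report.items()
                  if any(f["status"] != "MATCH" for f in finds))


if __name__ == "__main__":
    rep = compare(parse_sigcheck(SIGCHECK_SAMPLE))
    for name, finds in sorted(rep.items()):
        for f in finds:
            delta = f["size_delta"]
            print(f'{f["status"]:12} {f["live_path"]}  size delta {delta if delta is not None else "n/a"}'
                  f'  dllcache backup: {"yes" if f["dllcache_backup"] else "NO"}')
    print("follow up on:", ", ".join(flagged(rep)))
```

On this thread's data the script reports tcpip.sys as a match and flags explorer.exe, svchost.exe and winlogon.exe, each a few KB larger than the service-pack copy and none with a dllcache backup, which is exactly the situation the moderator describes; svchost.exe additionally carries a 2008-04-13 timestamp while its reference is dated 2004-08-04.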

#51 desireejassel (Member, Topic Starter, 43 posts)
I appreciate all your help. Thank you.

#52 JSntgRvr (Global Moderator, 10,965 posts)
You are welcome.

Hopefully by tomorrow we have a fix for you.

Good night!

#53 JSntgRvr (Global Moderator, 10,965 posts)
Hi, desireejassel :)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as Replace.bat
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Once saved, double click on the Replace.bat file and post the report it should produce.

@echo off
rem Repopulates dllcache from the SP2 install source, replaces the five live
rem binaries (keeping the old copies as *.old), logs the digital-signature check
rem (fdsv.exe, expected in %windir%) and a directory listing of every copy.
if exist "%~dp0log.txt" del "%~dp0log.txt"
Set SpFile=C:\WINDOWS\ServicePackFiles\i386
Set DllCache=C:\Windows\System32\dllcache

rem Restore the Windows File Protection backups from the service-pack source
If not exist %DllCache% md %DllCache%
pushd %SpFile%
For %%g in (
explorer.exe
lsass.exe
services.exe
svchost.exe
winlogon.exe
) do (
attrib -h -r -s -a %%g
copy /y/b/v %%g %DllCache% >nul
)

rem explorer.exe lives in %windir%; the other four live in System32
cd %windir%
if exist explorer.exe.old del /a/f explorer.exe.old
attrib -h -r -s -a explorer.exe
move /y explorer.exe explorer.exe.old
copy /y/b/v %SpFile%\explorer.exe >nul
if exist fdsv.exe fdsv explorer.exe | Findstr 0x >"%~dp0log.txt"

cd System32
For %%g in (
lsass.exe
services.exe
svchost.exe
winlogon.exe
) do (
if exist %%g.old del /a/f %%g.old
attrib -h -r -s -a %%g
move /y %%g %%g.old
copy /y/b/v %SpFile%\%%g >nul
if exist %windir%\fdsv.exe fdsv %%g | Findstr 0x >>"%~dp0log.txt"
)

rem List every copy, including the renamed *.old ones, so sizes can be compared
cd ..
>>"%~dp0log.txt" (
echo.
echo.===============
echo.
dir /a/s explorer.ex* lsass.ex* services.ex* svchost.ex* winlogon.ex*
)

popd
start /max notepad "%~dp0log.txt"
exit



#54 desireejassel (Member, Topic Starter, 43 posts)
I apologize for the delay. My internet service provider quarantined my account since they said my machine (laptop) was being used to send spam to others. They gave me 24 hrs to fix it on my own or send it out to get fixed. So far I am avoiding reconnecting the laptop to the internet; I'm using my main computer. Do I run a risk of infecting this one as well if I continue to use the USB drive back and forth? Thank you.

Enclosed is the log you requested.

0x00000000 Microsoft Windows Publisher explorer.exe

0x00000000 Microsoft Windows Publisher lsass.exe

0x00000000 Microsoft Windows Publisher services.exe

0x00000000 Microsoft Windows Publisher svchost.exe

0x00000000 Microsoft Windows Publisher winlogon.exe


===============

Volume in drive C has no label.
Volume Serial Number is 8843-62D2

Directory of C:\WINDOWS

08/04/2004 01:56 AM 1,032,192 explorer.exe
08/04/2004 01:56 AM 1,034,752 explorer.exe.old
2 File(s) 2,066,944 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/18/2001 07:00 AM 1,000,960 explorer.exe

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/18/2001 07:00 AM 11,776 lsass.exe

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/18/2001 07:00 AM 101,376 services.exe

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/18/2001 07:00 AM 12,800 svchost.exe

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/18/2001 07:00 AM 430,080 winlogon.exe
5 File(s) 1,556,992 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 01:56 AM 1,032,192 explorer.exe

Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 01:56 AM 13,312 lsass.exe

Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 01:56 AM 108,032 services.exe

Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 01:56 AM 14,336 svchost.exe

Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 01:56 AM 502,272 winlogon.exe
5 File(s) 1,670,144 bytes

Directory of C:\WINDOWS\system32

08/04/2004 01:56 AM 13,312 lsass.exe

Directory of C:\WINDOWS\system32

08/04/2004 01:56 AM 108,032 services.exe
08/04/2004 01:56 AM 110,592 services.exe.old

Directory of C:\WINDOWS\system32

08/04/2004 01:56 AM 14,336 svchost.exe
04/13/2008 07:18 AM 17,408 svchost.exe.old

Directory of C:\WINDOWS\system32

08/04/2004 01:56 AM 502,272 winlogon.exe
08/04/2004 01:56 AM 506,368 winlogon.exe.old
7 File(s) 1,272,320 bytes

Directory of C:\WINDOWS\system32\dllcache

08/04/2004 01:56 AM 1,032,192 explorer.exe

Directory of C:\WINDOWS\system32\dllcache

08/04/2004 01:56 AM 13,312 lsass.exe

Directory of C:\WINDOWS\system32\dllcache

08/04/2004 01:56 AM 108,032 services.exe

Directory of C:\WINDOWS\system32\dllcache

08/04/2004 01:56 AM 14,336 svchost.exe

Directory of C:\WINDOWS\system32\dllcache

08/04/2004 01:56 AM 502,272 winlogon.exe
5 File(s) 1,670,144 bytes

Total Files Listed:
24 File(s) 8,236,544 bytes
0 Dir(s) 72,129,179,648 bytes free

#55 JSntgRvr (Global Moderator, 10,965 posts)
Hi, desireejassel :)

The process seems to have worked. Let's scan the computer once again to confirm:

Please do an online scan with Kaspersky WebScanner (use Internet Explorer)

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#56 desireejassel (Member, Topic Starter, 43 posts)
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 25, 2008 10:26:34 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/04/2008
Kaspersky Anti-Virus database records: 725983
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 43678
Number of viruses found: 55
Number of infected objects: 236
Number of suspicious objects: 0
Duration of the scan process: 00:27:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008042520080426\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\A0.tmp.vir Infected: Trojan-Spy.Win32.Zbot.avh skipped
C:\QooBox\Quarantine\C\Documents and Settings\LocalService\cftmon.exe.vir Infected: Worm.Win32.Socks.bn skipped
C:\QooBox\Quarantine\C\Documents and Settings\Ruben\cftmon.exe.vir Infected: Worm.Win32.Socks.bn skipped
C:\QooBox\Quarantine\C\Documents and Settings\Ruben\Local Settings\temp\bllqdjimmpr.nls.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\Documents and Settings\Ruben\Local Settings\temp\dehflds.sys.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\Documents and Settings\Ruben\Local Settings\temp\lkbdppiffp.dll.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\gavurjjf.exe.vir Infected: Trojan.Win32.Agent.kcj skipped
C:\QooBox\Quarantine\C\gjtxc.exe.vir Infected: Worm.Win32.Socks.by skipped
C:\QooBox\Quarantine\C\lilsesn.exe.vir Infected: Trojan-Clicker.Win32.Costrat.fl skipped
C:\QooBox\Quarantine\C\pOXJ.exe.vir Infected: Worm.Win32.Socks.bn skipped
C:\QooBox\Quarantine\C\Program Files\Bat\Bat.dll.vir Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\QooBox\Quarantine\C\Program Files\Bat\Info.dll.vir Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\QooBox\Quarantine\C\Program Files\BraveSentry\BraveSentry.exe.vir Infected: not-a-virus:FraudTool.Win32.BraveSentry.m skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\Helper\1208089291.dll.vir Infected: not-a-virus:AdWare.Win32.E404.f skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\sbmdl.dll.vir Infected: Trojan-Downloader.Win32.Zlob.leb skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\sbmntr.exe.vir Infected: Trojan-Downloader.Win32.Zlob.ldk skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\sbsm.exe.vir Infected: Trojan-Downloader.Win32.Zlob.lda skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\scit.exe.vir Infected: Trojan-Downloader.Win32.Zlob.ldc skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\scm.exe.vir Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\waun.exe.vir Infected: Trojan-Downloader.Win32.Zlob.lde skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.x skipped
C:\QooBox\Quarantine\C\Program Files\SCURIT~1\svchost.exe.vir Infected: Trojan-Downloader.Win32.Agent.kwg skipped
C:\QooBox\Quarantine\C\WINDOWS\Installer\{7021957c-9195-4357-84c1-f696a7614968}\DrvSys.dll.vir Infected: Trojan-Dropper.Win32.Agent.qfy skipped
C:\QooBox\Quarantine\C\WINDOWS\kavir.exe.vir Infected: Email-Worm.Win32.Zhelatin.xh skipped
C:\QooBox\Quarantine\C\WINDOWS\lfn.exe.vir Infected: not-virus:Hoax.Win32.Renos.bqi skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu27.exe.vir Infected: Trojan-Downloader.Win32.Homles.bf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\215651\215651.dll.vir Infected: not-a-virus:AdWare.Win32.E404.x skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\3532924907m.exe.vir Infected: Backdoor.Win32.IRCBot.clv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\accesse.dll.vir Infected: Backdoor.Win32.Agent.frr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\admparses.exe.vir Infected: Backdoor.Win32.IRCBot.clv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\advpacku.exe.vir Infected: Backdoor.Win32.IRCBot.clv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\alt.exe.exe.vir Infected: Trojan.Win32.Agent.jdn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\byXPJCvt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.pki skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q1.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q2.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q5.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q6.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q7.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\asc3550p.sys.vir Infected: Trojan.Win32.Pakes.cly skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\spools.exe.vir Infected: Worm.Win32.Socks.bn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gavurjjf.exe.vir Infected: Trojan.Win32.Agent.kcj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gnernqairjp.sys.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ilsbelknidg.sys.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\japojatkrap.dll.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jfiehayd.dll.vir Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lrkjod.dll.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\luapvs.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.ank skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\maxpaynow1.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\maxpaynowti1.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mjrei.nls.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\msdefender.exe.vir Infected: Trojan.Win32.Pakes.cmd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ntos.exe.vir Infected: Trojan-Spy.Win32.Zbot.avh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pgbitgbilsfal.dll.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\psegkrlfrgt.dll.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rkvdr.dll.vir Infected: not-virus:Hoax.Win32.Agent.bv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rqRhIYpM.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.npx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\shift.exe.exe.vir Infected: Email-Worm.Win32.Zhelatin.xh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sqanaonnae.sys.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvVOEwx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.npx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vedxg4am1et2.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vedxg6ame4.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vedxga1me4t1.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vedxga3me2.exe.vir Infected: Trojan-Downloader.Win32.VB.dql skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wind32.exe.vir Infected: Email-Worm.Win32.Zhelatin.wu skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\WLCtrl32.dll.vir Infected: Trojan-Downloader.Win32.Mutant.nb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\WLCtrl32.dl_.vir Infected: Trojan-Downloader.Win32.Mutant.nb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wmsdkns.exe.vir Infected: not-virus:Hoax.Win32.Renos.bqi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\WNSXS~1\tаskmgr.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xkpisxen.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.okj skipped
C:\QooBox\Quarantine\C\WINDOWS\taskmon.exe.vir Infected: Trojan-Downloader.Win32.Tibs.ym skipped
C:\QooBox\Quarantine\C\WINDOWS\Temp\1396886080.exe.vir Infected: Backdoor.Win32.Agent.gjd skipped
C:\QooBox\Quarantine\C\WINDOWS\zeqbqwp.sys.vir Infected: Trojan-Clicker.Win32.Costrat.fn skipped
C:\QooBox\Quarantine\catchme2008-04-15_213618.20.zip/Documents and Settings/Administrator/Desktop/catchme.zip/Wfn08.sys Infected: Trojan-Downloader.Win32.Agent.lxa skipped
C:\QooBox\Quarantine\catchme2008-04-15_213618.20.zip/Documents and Settings/Administrator/Desktop/catchme.zip/ddcYsRHB.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\QooBox\Quarantine\catchme2008-04-15_213618.20.zip/Documents and Settings/Administrator/Desktop/catchme.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\QooBox\Quarantine\catchme2008-04-15_213618.20.zip ZIP: infected - 3 skipped
C:\QooBox\Quarantine\catchme2008-04-22_210921.81.zip/explorer.exe Infected: Trojan.Win32.Patched.aa skipped
C:\QooBox\Quarantine\catchme2008-04-22_210921.81.zip/lsass.exe Infected: Trojan.Win32.Patched.aa skipped
C:\QooBox\Quarantine\catchme2008-04-22_210921.81.zip/services.exe Infected: Trojan.Win32.Patched.aa skipped
C:\QooBox\Quarantine\catchme2008-04-22_210921.81.zip/svchost.exe Infected: Trojan.Win32.Patched.aa skipped
C:\QooBox\Quarantine\catchme2008-04-22_210921.81.zip/winlogon.exe Infected: Trojan.Win32.Patched.aa skipped
C:\QooBox\Quarantine\catchme2008-04-22_210921.81.zip/explorer.exe.1 Infected: Trojan.Win32.Patched.aa skipped
C:\QooBox\Quarantine\catchme2008-04-22_210921.81.zip/lsass.exe.1 Infected: Trojan.Win32.Patched.aa skipped
C:\QooBox\Quarantine\catchme2008-04-22_210921.81.zip/services.exe.1 Infected: Trojan.Win32.Patched.aa skipped
C:\QooBox\Quarantine\catchme2008-04-22_210921.81.zip/svchost.exe.1 Infected: Trojan.Win32.Patched.aa skipped
C:\QooBox\Quarantine\catchme2008-04-22_210921.81.zip/winlogon.exe.1 Infected: Trojan.Win32.Patched.aa skipped
C:\QooBox\Quarantine\catchme2008-04-22_210921.81.zip ZIP: infected - 10 skipped
C:\QooBox\Quarantine\F\[4][email protected]/lrkjod.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\F\[4][email protected]/tesrssn.nls Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\F\[4][email protected] ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP63\A0005855.exe:exe.exe:$DATA Infected: Trojan.Win32.Obfuscated.xf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP64\A0005865.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP64\A0005868.exe Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP64\A0005870.exe Infected: Trojan-Downloader.Win32.Agent.nqw skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0009848.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0009849.sys Infected: Trojan.Win32.Pakes.cly skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0009853.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0009854.dll Infected: Trojan-Downloader.Win32.Zlob.leb skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0009855.exe Infected: Trojan-Downloader.Win32.Zlob.lda skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0009857.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0010848.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0010860.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0010861.sys Infected: Trojan.Win32.Pakes.cly skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0010865.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0010866.dll Infected: Trojan-Downloader.Win32.Zlob.leb skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0010867.exe Infected: Trojan-Downloader.Win32.Zlob.lda skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0011860.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0012860.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0013860.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0014860.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0014869.exe Infected: not-a-virus:FraudTool.Win32.AntiVirPro.k skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0014870.dll Infected: not-a-virus:FraudTool.Win32.AntiVirPro.k skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0014883.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0014886.dll Infected: not-a-virus:AdWare.Win32.BHO.ajw skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0015882.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0015895.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0015896.sys Infected: Trojan.Win32.Pakes.cly skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0015900.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0015901.dll Infected: Trojan-Downloader.Win32.Zlob.leb skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0015902.exe Infected: Trojan-Downloader.Win32.Zlob.lda skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0016895.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0016902.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0016903.dll Infected: Trojan-Downloader.Win32.Zlob.leb skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0016904.exe Infected: Trojan-Downloader.Win32.Zlob.lda skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0017895.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0017902.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0017903.dll Infected: Trojan-Downloader.Win32.Zlob.leb skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0017904.exe Infected: Trojan-Downloader.Win32.Zlob.lda skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0018895.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0018902.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0018903.sys Infected: Trojan.Win32.Pakes.cly skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0018912.sys Infected: Trojan-Downloader.Win32.Agent.lxa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019902.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019906.sys Infected: Trojan-Downloader.Win32.Agent.lxa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019912.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019923.exe Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019923.exe:exe.exe:$DATA Infected: Trojan.Win32.Obfuscated.xf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019925.dll Infected: Trojan-Downloader.Win32.Zlob.leb skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019926.exe Infected: Trojan-Downloader.Win32.Zlob.ldk skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019927.exe Infected: Trojan-Downloader.Win32.Zlob.lda skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019928.exe Infected: Trojan-Downloader.Win32.Zlob.ldc skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019929.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019931.exe Infected: Trojan-Downloader.Win32.Zlob.lde skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019932.exe Infected: not-a-virus:FraudTool.Win32.BraveSentry.m skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019935.dll Infected: not-a-virus:AdWare.Win32.E404.f skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019939.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019942.exe Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019943.exe Infected: not-a-virus:AdWare.Win32.AdBand.x skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019944.exe Infected: Trojan-Downloader.Win32.Agent.kwg skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019947.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019950.exe Infected: Worm.Win32.Socks.bn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019951.exe Infected: Email-Worm.Win32.Zhelatin.wu skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019952.exe Infected: Trojan-Downloader.Win32.Tibs.ym skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019953.exe Infected: Trojan.Win32.Pakes.cmd skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019956.exe Infected: Email-Worm.Win32.Zhelatin.xh skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019959.exe Infected: not-virus:Hoax.Win32.Renos.bqi skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019960.exe Infected: not-virus:Hoax.Win32.Renos.bqi skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019961.dll Infected: not-virus:Hoax.Win32.Agent.bv skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019962.dll Infected: Trojan-Dropper.Win32.Agent.qfy skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019965.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019965.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019965.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019967.dll Infected: not-a-virus:AdWare.Win32.E404.x skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019968.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.npx skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019969.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.npx skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019970.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.okj skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019985.exe Infected: Trojan-Downloader.Win32.Agent.lfo skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0021045.exe Infected: Trojan-Spy.Win32.Zbot.avh skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0021046.exe Infected: Worm.Win32.Socks.bn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022127.exe Infected: Worm.Win32.Socks.bn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022181.exe Infected: Worm.Win32.Socks.bn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022322.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022325.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022329.exe Infected: Worm.Win32.Socks.bn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022330.exe Infected: Trojan.Win32.Agent.kcj skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022331.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022332.exe Infected: Trojan-Clicker.Win32.Costrat.fl skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022333.exe Infected: Worm.Win32.Socks.bn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022335.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022335.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022339.exe Infected: Trojan-Downloader.Win32.Homles.bf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022342.exe Infected: Backdoor.Win32.IRCBot.clv skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022343.dll Infected: Backdoor.Win32.Agent.frr skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022344.exe Infected: Backdoor.Win32.IRCBot.clv skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022345.exe Infected: Backdoor.Win32.IRCBot.clv skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022346.exe Infected: Trojan.Win32.Agent.jdn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022347.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022348.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022349.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022350.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022351.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022353.exe Infected: Trojan.Win32.Agent.kcj skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022355.sys Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022356.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022357.dll Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022358.dll Infected: not-a-virus:AdWare.Win32.BHO.ank skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022359.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022360.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022361.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022362.exe Infected: Email-Worm.Win32.Zhelatin.xh skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022363.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022364.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022365.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022366.exe Infected: Trojan-Downloader.Win32.VB.dql skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022368.sys Infected: Trojan-Clicker.Win32.Costrat.fn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022481.sys Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022593.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022601.exe Infected: Trojan.Win32.Agent.jol skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022605.sys Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0026648.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0026649.sys Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0027818.old Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0027819.old Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0027820.old Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0027821.old Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0027822.old Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0027823.old Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0027824.old Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0027825.old Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0027826.old Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0027827.old Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\explorer.exe.old Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\lsass.exe.old Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\system32\services.exe.old Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\system32\svchost.exe.old Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winlogon.exe.old Infected: Trojan.Win32.Patched.aa skipped
F:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\SmitfraudFix.exe RarSFX: infected - 2 skipped

Scan process completed.
  • 0

#57 JSntgRvr (Global Moderator, 10,965 posts)
Hi, desireejassel :)

That log detected what was expected, and that is good news.

Set Explorer to view Hidden Files and Folders:
  • Right-click your Start button and go to "Explore".
  • Select Tools from the menu
  • Select Folder Options
  • Select the View tab
  • Click on Show all Files and Folders
  • Remove the checkmark from Hide extensions for known file types
  • Remove the checkmark from Hide protected operating System files
  • Select Apply to All Folders | Yes | Apply | OK.
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\explorer.exe.old
C:\WINDOWS\system32\lsass.exe.old
C:\WINDOWS\system32\services.exe.old
C:\WINDOWS\system32\svchost.exe.old
C:\WINDOWS\system32\winlogon.exe.old


Set Explorer to Defaults:
  • Right-click your Start button and go to "Explore".
  • Select Tools from the menu
  • Select Folder Options
  • Select the View tab
  • Click on Restore Defaults
  • Select Apply to All Folders | Yes | Apply | OK.
Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Download OTCleanIT to your desktop. Run the program and follow the prompts. A restart will be necessary to complete this process.

Create a Restore point (If the above process fails):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks on the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  • Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet...prevention.html .
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Let me know how the computer is doing.
  • 0
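The scan report posted above is long, but nearly all of it is copies: ComboFix's C:\QooBox quarantine and the System Restore snapshots under System Volume Information, which Kaspersky lists but leaves alone ("skipped"). The actionable lines are the few hits that are still live on disk, in this thread the renamed *.exe.old system binaries flagged Trojan.Win32.Patched.aa, plus the alternate-data-stream hit (the ":exe.exe:$DATA" suffix) that an ordinary directory listing would not show. The following parser does that triage. It is an added example, not code from the thread, from ComboFix or from Kaspersky; the sample lines are constructed to mirror the format of the log above (not the full log), and the classification rules (the QooBox prefix, the _restore marker, and the "not-a-virus:"/"not-virus:" riskware prefixes) are assumptions about the report format rather than anything documented on this page.

```python
"""Triage a Kaspersky-style scan report: separate live hits from quarantined
and System-Restore copies, flag alternate data streams, and group by name.

Added example for the thread above; not ComboFix's or Kaspersky's own code.
"""
import re
from collections import Counter

# One detection per line: "<path> Infected: <name> skipped"
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
# Files the scanner could not open (registry hives, event logs, ...)
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
# Archive summary lines: "<path> ZIP: infected - 3 skipped"
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?) (?P<kind>ZIP|RarSFX|NSIS): infected - (?P<n>\d+) skipped$")

# Assumed location markers (ComboFix quarantine folder, XP restore points).
QUARANTINE_PREFIX = r"C:\QooBox\Quarantine" + "\\"
RESTORE_MARKER = r"\System Volume Information\_restore"


def location(path):
    """Classify where a hit lives: quarantined copy, restore point, or live system."""
    low = path.lower()
    if low.startswith(QUARANTINE_PREFIX.lower()):
        return "quarantine"
    if RESTORE_MARKER.lower() in low:
        return "system_restore"
    return "live"


def severity(name):
    """Kaspersky prefixes adware/riskware/hoax names with 'not-a-virus:'
    (older builds also emit 'not-virus:'); everything else is treated as malware."""
    return "riskware" if name.startswith(("not-a-virus:", "not-virus:")) else "malware"


def has_ads(path):
    """An NTFS alternate data stream shows as a second ':' after the drive
    letter, e.g. 'A0019923.exe:exe.exe:$DATA'."""
    return ":" in path[2:]


def triage(report_text):
    """Parse the report into detections, locked objects and archive summaries."""
    hits, locked, containers = [], [], []
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETECTION_RE.match(line)
        if m:
            path, name = m.group("path"), m.group("name")
            hits.append({
                "path": path, "name": name,
                "location": location(path), "severity": severity(name),
                "ads": has_ads(path), "in_archive": "/" in path,
            })
            continue
        m = CONTAINER_RE.match(line)
        if m:
            containers.append((m.group("path"), m.group("kind"), int(m.group("n"))))
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
    return {"hits": hits, "locked": locked, "containers": containers}


def live_malware(report_text):
    """The list worth acting on: malware hits that are neither quarantined
    nor sitting in a restore point."""
    return sorted(h["path"] for h in triage(report_text)["hits"]
                  if h["location"] == "live" and h["severity"] == "malware")


def summary(report_text):
    """Counts by location and detection name, plus the ADS and locked-object tallies."""
    t = triage(report_text)
    return {
        "by_location": dict(Counter(h["location"] for h in t["hits"])),
        "by_name": dict(Counter(h["name"] for h in t["hits"])),
        "ads_hits": [h["path"] for h in t["hits"] if h["ads"]],
        "locked": len(t["locked"]),
        "containers": len(t["containers"]),
    }


# Constructed sample in the format of the report above (abbreviated, not the real log).
SAMPLE_LOG = r"""
C:\QooBox\Quarantine\C\WINDOWS\system32\ntos.exe.vir Infected: Trojan-Spy.Win32.Zbot.avh skipped
C:\QooBox\Quarantine\catchme2008-04-22_210921.81.zip/winlogon.exe Infected: Trojan.Win32.Patched.aa skipped
C:\QooBox\Quarantine\catchme2008-04-22_210921.81.zip ZIP: infected - 10 skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019923.exe Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019923.exe:exe.exe:$DATA Infected: Trojan.Win32.Obfuscated.xf skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\explorer.exe.old Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\system32\lsass.exe.old Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\system32\winlogon.exe.old Infected: Trojan.Win32.Patched.aa skipped
F:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\SmitfraudFix.exe RarSFX: infected - 2 skipped

Scan process completed.
"""

if __name__ == "__main__":
    s = summary(SAMPLE_LOG)
    print("hits by location:", s["by_location"])
    print("alternate-data-stream hits:", s["ads_hits"])
    print("live malware still on disk:")
    for p in live_malware(SAMPLE_LOG):
        print("  ", p)
```

Paste the full report into SAMPLE_LOG (or read it from a file) and live_malware() returns just the paths left to deal with; on the log above that is the five *.exe.old files the instructions say to delete. The riskware bucket deliberately keeps SmitfraudFix's own Reboot.exe out of that list, and the ADS tally is the kind of line that is easy to skim past in a 200-line report.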

#58 desireejassel (Topic Starter, Member, 43 posts)
I turned System Restore off in safe mode, rebooted the machine in regular mode and I immediately get these popups

Error loading C: Docume~1\Ruben\LOCALS~1\Temp\dehflds.sys
The specified module could not be found.

Error loading C: \WINDOWS\system32\squanaonnae.sys
The specified module could not be found.


I tried to switch to Administrator but I get the following message any time I try to access System Restore, Control Panel, task bar...

This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.

Task manager has been disabled by your administrator.
  • 0

#59 JSntgRvr (Global Moderator, 10,965 posts)
Hi, desireejassel :)

Download Deckard's System Scanner (DSS) from here or here to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both, the main.txt and the extra.txt in your next reply.
If the files are too long, attach them to a reply:
  • Scroll down and click the [Manage Attachments] button
  • Browse to the following folder:
    • C:\Deckard\System Scanner
  • Click Upload to upload these files one by one
  • Submit your reply

  • 0

#60 desireejassel (Topic Starter, Member, 43 posts)
Can I do this in safe mode? As this is the only way I have administrator privileges.
  • 0
