Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Virus help

Started by Yathu , Nov 06 2009 09:21 PM

Please log in to reply

#1
Yathu

Posted 06 November 2009 - 09:21 PM

Member

Member
46 posts

hi, i have a virus that close my anti virus program in less than 10 sec

#2
kahdah

Posted 07 November 2009 - 04:35 PM

GeekU Teacher

Retired Staff
15,822 posts

Hello Yathu

Welcome to G2Go.

=====================

Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

===========
Download This file. Note its name and save it to your root folder, such as C:\.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
Click on this link to see a list of programs that should be disabled.
Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
Allow the driver to load if asked.
You may be prompted to scan immediately if it detects rootkit activity.
If you are prompted to scan your system click "Yes" to begin the scan.
If not prompted, click the "Rootkit/Malware" tab.
On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
Select all drives that are connected to your system to be scanned.
Click the Scan button to begin. (Please be patient as it can take some time to complete)
When the scan is finished, click Save to save the scan results to your Desktop.
Save the file as Results.log and copy/paste the contents in your next reply.
Exit the program and re-enable all active protection when done.

#3
Yathu

Posted 08 November 2009 - 11:45 AM

Member

Topic Starter
Member
46 posts

Hi, when i scan with otl the program closes in less than 20 seconds. I followed everything you said about otl but it still closed.

Edited by Yathu, 08 November 2009 - 11:47 AM.

#4
kahdah

Posted 08 November 2009 - 12:37 PM

GeekU Teacher

Retired Staff
15,822 posts

Did you try the second program?
If so don't run it yet but just tell me the name of it please.

#5
Yathu

Posted 09 November 2009 - 07:52 PM

Member

Topic Starter
Member
46 posts

Sorry to ask but the name of?

#6
kahdah

Posted 10 November 2009 - 06:13 AM

GeekU Teacher

Retired Staff
15,822 posts

The second program I asked you to download?

#7
Yathu

Posted 10 November 2009 - 02:40 PM

Member

Topic Starter
Member
46 posts

its called mxhijf3r.exe

#8
kahdah

Posted 10 November 2009 - 07:22 PM

GeekU Teacher

Retired Staff
15,822 posts

Make sure that that file is on the C:\ drive then do the following.
Go to Start then run then copy and paste in the following text in bold below then hit ok.
C:\mxhijf3r.exe -protect

This will make this program start follow my previous instructions for saving the log.

#9
Yathu

Posted 10 November 2009 - 08:41 PM

Member

Topic Starter
Member
46 posts

k cool i'll try it tommorow

#10
Yathu

Posted 11 November 2009 - 04:28 PM

Member

Topic Starter
Member
46 posts

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-11 17:22:38
Windows 5.1.2600 Service Pack 3
Running: mxhijf3r.exe; Driver: C:\DOCUME~1\Yathu8\LOCALS~1\Temp\kwaiqfow.sys

---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7625D72] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF76069A6] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF7606B98] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7626568] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF7626820] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7624A80] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF7626C8A] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF7626036] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7606656] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

? C:\Documents and Settings\Yathu8\Application Data\Microsoft\svchost.exe[2228] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: oleaut32.dllunknown module: wsock32.dllunknown module: oleaut32.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\2C29F5DA.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [236] 0x35670000
Library \\?\globalroot\Device\__max++>\2C29F5DA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [312] 0x35670000
Library \\?\globalroot\Device\__max++>\2C29F5DA.x86.dll (*** hidden *** ) @ C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [604] 0x35670000
Library \\?\globalroot\Device\__max++>\2C29F5DA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1412] 0x35670000
Library \\?\globalroot\Device\__max++>\2C29F5DA.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1556] 0x35670000
Library \\?\globalroot\Device\__max++>\2C29F5DA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1652] 0x35670000
Library \\?\globalroot\Device\__max++>\2C29F5DA.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [1732] 0x35670000
Library \\?\globalroot\Device\__max++>\2C29F5DA.x86.dll (*** hidden *** ) @ C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [1832] 0x35670000
Library \\?\globalroot\Device\__max++>\2C29F5DA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1840] 0x35670000
Library \\?\globalroot\Device\__max++>\2C29F5DA.x86.dll (*** hidden *** ) @ C:\Documents and Settings\Yathu8\Application Data\Microsoft\svchost.exe [2228] 0x35670000

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [SYSTEM] kbiwkmaqoiocnj <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj\main@aid 10002
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj\main@sid 1
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\drivers\kbiwkmcyjrwrrs.sys
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmwappkruc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmmwfgfeps.dat
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmxsuatfko.dll
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmwuyardym.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj\main@sid 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj\main\injector@* kbiwkmwsp8.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\drivers\kbiwkmcyjrwrrs.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmwappkruc.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmmwfgfeps.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmxsuatfko.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmwuyardym.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmwuxvkbiw.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj\main@aid 10002
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj\main@sid 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\drivers\kbiwkmcyjrwrrs.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmwappkruc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmmwfgfeps.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmxsuatfko.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmwuyardym.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj\main@sid 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj\main\injector@* kbiwkmwsp8.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\drivers\kbiwkmcyjrwrrs.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmwappkruc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmmwfgfeps.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmxsuatfko.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmwuyardym.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmwuxvkbiw.dll
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj\main@aid 10002
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj\main@sid 1
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj\main\injector@* kbiwkmwsp8.dll
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\drivers\kbiwkmcyjrwrrs.sys
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmwappkruc.dll
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmmwfgfeps.dat
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmxsuatfko.dll
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmwuyardym.dat
Reg HKLM\SYSTEM\ControlSet005\Services\kbiwkmaqoiocnj\[email protected] \systemroot\system32\kbiwkmwuxvkbiw.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP455\A0248699.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP457\A0249699.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP458\A0250700.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP458\A0251699.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP459\A0252714.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP459\A0252699.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP460\A0253714.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP461\A0253930.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP462\A0254930.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP462\A0255930.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0256935.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0256948.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0257948.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0258948.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0259021.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0259034.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0260034.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0261035.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0261045.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0261053.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0261061.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0261069.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0262069.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0262077.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0263077.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0263085.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0263093.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0263101.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0264101.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP463\A0265101.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP464\A0265110.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP464\A0266110.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP464\A0266118.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP464\A0267118.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP464\A0268118.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP464\A0268126.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP464\A0268134.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP464\A0269134.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP464\A0269142.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP464\A0270142.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP464\A0270151.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP465\A0270222.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP465\A0271222.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP465\A0271230.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP465\A0272230.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP465\A0272237.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP465\A0272246.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP465\A0272254.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP465\A0272300.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP465\A0272263.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP465\A0272268.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP465\A0272276.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP465\A0272292.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP466\A0273300.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP466\A0274300.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP466\A0274308.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP466\A0274316.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP466\A0274325.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP466\A0275325.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP466\A0275333.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP466\A0275341.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP466\A0275349.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP467\A0276349.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP467\A0277349.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP467\A0277357.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP467\A0277365.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP467\A0277373.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP467\A0277381.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP468\A0278381.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP468\A0278389.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP468\A0278396.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP468\A0279396.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP468\A0279403.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0279412.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0279420.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0279490.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0279498.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0279505.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0279513.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280601.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0282694.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0279521.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280521.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280531.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280538.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280546.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280554.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280563.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280570.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280578.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280586.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280594.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280610.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280618.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280626.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280633.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0280642.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0281642.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0281651.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0281659.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0281670.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0282670.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0282678.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0282686.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0282708.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0283708.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0284708.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP469\A0284717.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP470\A0284725.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP470\A0284733.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP470\A0284741.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP470\A0284748.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP470\A0284756.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP470\A0284763.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP470\A0284830.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP470\A0285828.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP470\A0285842.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP470\A0285847.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP471\A0287862.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP471\A0285852.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP471\A0286852.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP471\A0287852.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP471\A0287857.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP471\A0287867.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP471\A0287873.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP471\A0287878.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP472\A0287883.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP472\A0288883.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP472\A0288888.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP472\A0288893.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP472\A0288899.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP472\A0288904.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP472\A0288909.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP472\A0288915.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP472\A0288920.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP472\A0288925.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP472\A0288930.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP472\A0288936.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP472\A0288983.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP473\A0289243.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP473\A0289151.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP473\A0289174.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP473\A0289179.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP473\A0289238.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP474\A0289248.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP474\A0289253.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP474\A0289258.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP475\A0289268.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP475\A0289278.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP475\A0289284.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP476\A0289428.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP476\A0289434.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP476\A0289442.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP476\A0289455.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP476\A0291648.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP476\A0289577.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP476\A0289601.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP476\A0289608.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP476\A0290635.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP476\A0290641.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP476\A0290648.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP476\A0289635.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP476\A0291658.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP478\A0291668.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP478\A0292668.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP478\A0292676.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP454\A0247699.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP451\A0245673.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP451\A0245689.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP452\A0245699.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{B9BBCF2E-7F29-4906-92F0-7E24607B611B}\RP453\A0246699.sys:1 8704 bytes executable

---- EOF - GMER 1.0.15 ----

Edited by Yathu, 11 November 2009 - 04:32 PM.

#11
kahdah

Posted 12 November 2009 - 06:18 AM

GeekU Teacher

Retired Staff
15,822 posts

One or more of the identified infections is a backdoor trojan or rootkit.

This can allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information,
please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions
to apprise them of your situation.

Please read this for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
===============
Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with Combofix.

Then run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /killall

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#12
Yathu

Posted 12 November 2009 - 04:19 PM

Member

Topic Starter
Member
46 posts

So this what i got for C:\ComboFix.txt.

ComboFix 09-11-13.04 - Yathu8 11/12/2009 16:49.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.398 [GMT -5:00]
Running from: c:\documents and settings\Yathu8\desktop\combofix.exe
Command switches used :: /killall
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Windows\delself.bat
c:\documents and settings\Yathu8\Application Data\Microsoft\svchost.exe
c:\program files\Common Files\pyqymury.bat
c:\program files\Common Files\tibavakor.reg
c:\program files\PC-Antispy
c:\program files\Perfect Optimizer
c:\program files\Perfect Optimizer\License.ini
c:\program files\Perfect Optimizer\PerfectOptimizer.ini
c:\windows\gawumaty.exe
c:\windows\hosts
c:\windows\iexplorer.exe
c:\windows\mslagent
c:\windows\osor.reg
c:\windows\ovugu.reg
c:\windows\system32\_000110_.tmp.dll
c:\windows\system32\smp
c:\windows\Sysvxd.exe
c:\windows\ucirizapo.reg
D:\install.exe

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

c:\windows\system32\accwiz.exe . . . is infected!!

c:\windows\system32\actmovie.exe . . . is infected!!

c:\windows\system32\ahui.exe . . . is infected!!

c:\windows\system32\alg.exe . . . is infected!!

c:\windows\system32\asr_fmt.exe . . . is infected!!

c:\windows\system32\asr_pfu.exe . . . is infected!!

c:\windows\system32\at.exe . . . is infected!!

c:\windows\system32\atmadm.exe . . . is infected!!

c:\windows\system32\attrib.exe . . . is infected!!

c:\windows\system32\auditusr.exe . . . is infected!!

c:\windows\system32\blastcln.exe . . . is infected!!

c:\windows\system32\bootcfg.exe . . . is infected!!

c:\windows\system32\cacls.exe . . . is infected!!

c:\windows\system32\cipher.exe . . . is infected!!

c:\windows\system32\cisvc.exe . . . is infected!!

c:\windows\system32\cleanmgr.exe . . . is infected!!

c:\windows\system32\clipbrd.exe . . . is infected!!

c:\windows\system32\clipsrv.exe . . . is infected!!

c:\windows\system32\cmd.exe . . . is infected!!

c:\windows\system32\cmdl32.exe . . . is infected!!

c:\windows\system32\cmmon32.exe . . . is infected!!

c:\windows\system32\cmstp.exe . . . is infected!!

c:\windows\system32\conime.exe . . . is infected!!

c:\windows\system32\ctfmon.exe . . . is infected!!

c:\windows\system32\dcomcnfg.exe . . . is infected!!

c:\windows\system32\ddeshare.exe . . . is infected!!

c:\windows\system32\defrag.exe . . . is infected!!

c:\windows\system32\dfrgfat.exe . . . is infected!!

c:\windows\system32\dfrgntfs.exe . . . is infected!!

c:\windows\system32\diantz.exe . . . is infected!!

c:\windows\system32\diskpart.exe . . . is infected!!

c:\windows\system32\dllhost.exe . . . is infected!!

c:\windows\system32\dmadmin.exe . . . is infected!!

c:\windows\system32\dmremote.exe . . . is infected!!

c:\windows\system32\dplaysvr.exe . . . is infected!!

c:\windows\system32\dpnsvr.exe . . . is infected!!

c:\windows\system32\dpvsetup.exe . . . is infected!!

c:\windows\system32\driverquery.exe . . . is infected!!

c:\windows\system32\dvdupgrd.exe . . . is infected!!

c:\windows\system32\dwwin.exe . . . is infected!!

c:\windows\system32\dxdiag.exe . . . is infected!!

c:\windows\system32\eudcedit.exe . . . is infected!!

c:\windows\system32\eventcreate.exe . . . is infected!!

c:\windows\system32\eventtriggers.exe . . . is infected!!

c:\windows\system32\extrac32.exe . . . is infected!!

c:\windows\system32\findstr.exe . . . is infected!!

c:\windows\system32\fltmc.exe . . . is infected!!

c:\windows\system32\fontview.exe . . . is infected!!

c:\windows\system32\forcedos.exe . . . is infected!!

c:\windows\system32\ftp.exe . . . is infected!!

c:\windows\system32\getmac.exe . . . is infected!!

c:\windows\system32\gpresult.exe . . . is infected!!

c:\windows\system32\grpconv.exe . . . is infected!!

c:\windows\system32\help.exe . . . is infected!!

c:\windows\system32\ie4uinit.exe . . . is infected!!

c:\windows\system32\iexpress.exe . . . is infected!!

c:\windows\system32\imapi.exe . . . is infected!!

c:\windows\system32\ipconfig.exe . . . is infected!!

c:\windows\system32\ipv6.exe . . . is infected!!

c:\windows\system32\ipxroute.exe . . . is infected!!

c:\windows\system32\locator.exe . . . is infected!!

c:\windows\system32\logman.exe . . . is infected!!

c:\windows\system32\logonui.exe . . . is infected!!

c:\windows\system32\magnify.exe . . . is infected!!

c:\windows\system32\makecab.exe . . . is infected!!

c:\windows\system32\mmc.exe . . . is infected!!

c:\windows\system32\mmcperf.exe . . . is infected!!

c:\windows\system32\mnmsrvc.exe . . . is infected!!

c:\windows\system32\mobsync.exe . . . is infected!!

c:\windows\system32\mqbkup.exe . . . is infected!!

c:\windows\system32\mqtgsvc.exe . . . is infected!!

c:\windows\system32\msdtc.exe . . . is infected!!

c:\windows\system32\mshta.exe . . . is infected!!

c:\windows\system32\mspaint.exe . . . is infected!!

c:\windows\system32\mstinit.exe . . . is infected!!

c:\windows\system32\napstat.exe . . . is infected!!

c:\windows\system32\nddeapir.exe . . . is infected!!

c:\windows\system32\net.exe . . . is infected!!

c:\windows\system32\net1.exe . . . is infected!!

c:\windows\system32\netdde.exe . . . is infected!!

c:\windows\system32\netsetup.exe . . . is infected!!

c:\windows\system32\netsh.exe . . . is infected!!

c:\windows\system32\netstat.exe . . . is infected!!

c:\windows\system32\nslookup.exe . . . is infected!!

c:\windows\system32\ntbackup.exe . . . is infected!!

c:\windows\system32\ntvdm.exe . . . is infected!!

c:\windows\system32\odbcad32.exe . . . is infected!!

c:\windows\system32\odbcconf.exe . . . is infected!!

c:\windows\system32\openfiles.exe . . . is infected!!

c:\windows\system32\osk.exe . . . is infected!!

c:\windows\system32\packager.exe . . . is infected!!

c:\windows\system32\perfmon.exe . . . is infected!!

c:\windows\system32\ping.exe . . . is infected!!

c:\windows\system32\powercfg.exe . . . is infected!!

c:\windows\system32\proquota.exe . . . is infected!!

c:\windows\system32\proxycfg.exe . . . is infected!!

c:\windows\system32\qprocess.exe . . . is infected!!

c:\windows\system32\rasphone.exe . . . is infected!!

c:\windows\system32\rcimlby.exe . . . is infected!!

c:\windows\system32\rcp.exe . . . is infected!!

c:\windows\system32\rdpclip.exe . . . is infected!!

c:\windows\system32\rdsaddin.exe . . . is infected!!

c:\windows\system32\rdshost.exe . . . is infected!!

c:\windows\system32\reg.exe . . . is infected!!

c:\windows\system32\regsvr32.exe . . . is infected!!

c:\windows\system32\rexec.exe . . . is infected!!

c:\windows\system32\rsh.exe . . . is infected!!

c:\windows\system32\rsnotify.exe . . . is infected!!

c:\windows\system32\rtcshare.exe . . . is infected!!

c:\windows\system32\runonce.exe . . . is infected!!

c:\windows\system32\savedump.exe . . . is infected!!

c:\windows\system32\scardsvr.exe . . . is infected!!

c:\windows\system32\schtasks.exe . . . is infected!!

c:\windows\system32\sdbinst.exe . . . is infected!!

c:\windows\system32\secedit.exe . . . is infected!!

c:\windows\system32\sessmgr.exe . . . is infected!!

c:\windows\system32\sethc.exe . . . is infected!!

c:\windows\system32\setup.exe . . . is infected!!

c:\windows\system32\setupn.exe . . . is infected!!

c:\windows\system32\shmgrate.exe . . . is infected!!

c:\windows\system32\shrpubw.exe . . . is infected!!

c:\windows\system32\shutdown.exe . . . is infected!!

c:\windows\system32\sigverif.exe . . . is infected!!

c:\windows\system32\skeys.exe . . . is infected!!

c:\windows\system32\smbinst.exe . . . is infected!!

c:\windows\system32\smlogsvc.exe . . . is infected!!

c:\windows\system32\sndrec32.exe . . . is infected!!

c:\windows\system32\sort.exe . . . is infected!!

c:\windows\system32\spider.exe . . . is infected!!

c:\windows\system32\spiisupd.exe . . . is infected!!

c:\windows\system32\spnpinst.exe . . . is infected!!

c:\windows\system32\stimon.exe . . . is infected!!

c:\windows\system32\sysocmgr.exe . . . is infected!!

c:\windows\system32\systeminfo.exe . . . is infected!!

c:\windows\system32\taskkill.exe . . . is infected!!

c:\windows\system32\tasklist.exe . . . is infected!!

c:\windows\system32\taskmgr.exe . . . is infected!!

c:\windows\system32\tlntadmn.exe . . . is infected!!

c:\windows\system32\tlntsvr.exe . . . is infected!!

c:\windows\system32\tourstart.exe . . . is infected!!

c:\windows\system32\tracerpt.exe . . . is infected!!

c:\windows\system32\tracert.exe . . . is infected!!

c:\windows\system32\upnpcont.exe . . . is infected!!

c:\windows\system32\ups.exe . . . is infected!!

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\usrmlnka.exe . . . is infected!!

c:\windows\system32\usrprbda.exe . . . is infected!!

c:\windows\system32\utilman.exe . . . is infected!!

c:\windows\system32\vssvc.exe . . . is infected!!

c:\windows\system32\wextract.exe . . . is infected!!

c:\windows\system32\wiaacmgr.exe . . . is infected!!

c:\windows\system32\winver.exe . . . is infected!!

c:\windows\system32\wpabaln.exe . . . is infected!!

c:\windows\system32\wpnpinst.exe . . . is infected!!

c:\windows\system32\wscntfy.exe . . . is infected!!

c:\windows\system32\wuauclt1.exe . . . is infected!!

c:\windows\system32\xcopy.exe . . . is infected!!

c:\windows\system32\Com\comrepl.exe . . . is infected!!

c:\windows\system32\Com\comrereg.exe . . . is infected!!

c:\windows\system32\npp\nppagent.exe . . . is infected!!

c:\windows\system32\oobe\msoobe.exe . . . is infected!!

c:\windows\system32\oobe\oobebaln.exe . . . is infected!!

c:\windows\system32\Restore\rstrui.exe . . . is infected!!

c:\windows\system32\usmt\migload.exe . . . is infected!!

c:\windows\system32\usmt\migwiz.exe . . . is infected!!

c:\windows\system32\usmt\migwiza.exe . . . is infected!!

c:\windows\system32\wbem\mofcomp.exe . . . is infected!!

c:\windows\system32\wbem\scrcons.exe . . . is infected!!

c:\windows\system32\wbem\wbemtest.exe . . . is infected!!

c:\windows\system32\wbem\wmiadap.exe . . . is infected!!

c:\windows\system32\wbem\wmiapsrv.exe . . . is infected!!

c:\windows\system32\wbem\wmic.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmaqoiocnj
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_kbiwkmaqoiocnj

((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-10 01:47 . 2009-11-10 01:47 291328 ----a-w- C:\mxhijf3r.exe
2009-11-07 01:55 . 2009-11-07 01:56 34816 ----a-w- c:\windows\system32\drivers\tatertot.scr.sys
2009-11-03 01:28 . 2009-11-03 01:28 -------- d-----w- c:\documents and settings\Yathu8\Tracing
2009-11-03 01:26 . 2009-11-03 01:26 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-01 15:36 . 2009-11-01 15:36 -------- d-----w- c:\documents and settings\Yathu8\Local Settings\Application Data\Yahoo!
2009-11-01 15:26 . 2006-12-08 06:06 221184 ----a-w- c:\windows\system32\TSSIWSSDK.dll
2009-11-01 15:26 . 2006-12-08 06:02 196608 ----a-w- c:\windows\system32\TSSISSLSDK.dll
2009-11-01 15:26 . 2006-12-08 06:00 155648 ----a-w- c:\windows\system32\TSSICSDK.dll
2009-11-01 15:26 . 2006-09-18 17:30 57344 ----a-w- c:\windows\system32\Base64File.dll
2009-11-01 15:26 . 2009-11-06 23:43 -------- d-----w- c:\program files\GodSW Auto Emailer
2009-11-01 15:12 . 2009-11-01 15:12 -------- d-----w- c:\documents and settings\Yathu8\Application Data\ArcSoft
2009-11-01 15:12 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-01 15:12 . 2008-04-14 01:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-10-29 02:43 . 2009-10-29 02:43 -------- d-----w- c:\program files\Google
2009-10-28 23:27 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 23:27 . 2009-10-28 23:27 -------- d-----w- c:\program files\WOW
2009-10-28 23:27 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 23:23 . 2009-10-28 23:23 -------- d-----w- c:\program files\Trend Micro
2009-10-28 20:19 . 2009-10-28 20:19 -------- d-----w- c:\documents and settings\Yathu8\Application Data\IObit
2009-10-28 20:19 . 2009-10-28 20:19 -------- d-----w- c:\program files\IObit
2009-10-28 02:21 . 2009-10-28 02:20 208896 ---h--w- c:\documents and settings\Yathu8\Application Data\Microsoft\rundll32.exe
2009-10-28 01:47 . 2009-10-11 21:17 229376 ----a-w- c:\windows\system32\zLHan.exe
2009-10-23 00:35 . 2009-10-23 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Yathu8\Application Data\Yahoo!
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\program files\Yahoo!
2009-10-23 00:32 . 2009-11-12 21:49 -------- d--h--w- c:\windows\msdownld.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 22:04 . 2009-07-12 00:07 196 ----a-w- c:\windows\system32\drivers\ALCICH.DAT
2009-11-12 21:13 . 2008-07-25 16:18 1632 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-11 02:29 . 2008-08-15 20:48 1744 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-05 04:12 . 2009-10-04 22:19 -------- d-----w- c:\documents and settings\Yathu8\Application Data\FrostWire
2009-11-05 03:55 . 2009-01-21 21:07 -------- d-----w- c:\program files\FrostWire
2009-11-04 17:06 . 2009-09-30 23:11 -------- d-----w- c:\program files\Registry Easy
2009-11-03 01:42 . 2008-07-24 21:27 -------- d-----w- c:\program files\Windows Live
2009-10-30 22:27 . 2006-09-28 22:56 146432 -c----w- c:\windows\system32\WudfHost.exe
2009-10-30 22:27 . 2006-10-19 00:00 17408 -c----w- c:\windows\system32\wpdshextautoplay.exe
2009-10-30 22:27 . 2004-08-04 01:07 70144 ----a-w- c:\windows\system32\sigverif.exe
2009-10-30 22:27 . 2004-08-04 01:07 19456 ----a-w- c:\windows\system32\shutdown.exe
2009-10-30 22:27 . 2004-08-04 01:07 77824 ----a-w- c:\windows\system32\shrpubw.exe
2009-10-30 22:27 . 2004-08-04 01:07 31232 ----a-w- c:\windows\system32\sethc.exe
2009-10-30 22:27 . 2004-08-04 01:07 18944 ----a-w- c:\windows\system32\secedit.exe
2009-10-30 22:27 . 2004-08-04 01:07 77312 ----a-w- c:\windows\system32\sdbinst.exe
2009-10-30 22:27 . 2004-08-04 01:07 121856 ----a-w- c:\windows\system32\schtasks.exe
2009-10-30 22:27 . 2004-08-04 01:07 50176 ----a-w- c:\windows\system32\reg.exe
2009-10-30 22:27 . 2008-07-24 20:55 62976 ----a-w- c:\windows\system32\rdpclip.exe
2009-10-30 22:25 . 2004-08-04 01:07 163840 ----a-w- c:\windows\system32\diskpart.exe
2009-10-30 22:25 . 2004-08-04 01:07 82944 ----a-w- c:\windows\system32\dfrgfat.exe
2009-10-30 22:25 . 2008-07-24 20:55 6144 ----a-w- c:\windows\system32\dcomcnfg.exe
2009-10-30 22:25 . 2004-08-04 01:07 15360 ----a-w- c:\windows\system32\ctfmon.exe
2009-10-30 22:25 . 2004-08-04 01:07 63488 ----a-w- c:\windows\system32\cmstp.exe
2009-10-30 22:25 . 2004-08-04 01:07 39936 ----a-w- c:\windows\system32\cmmon32.exe
2009-10-30 22:25 . 2004-08-04 01:07 25600 ----a-w- c:\windows\system32\cmdl32.exe
2009-10-30 22:25 . 2004-08-04 01:07 56832 ----a-w- c:\windows\system32\cipher.exe
2009-10-30 22:25 . 2004-08-04 01:07 19968 ----a-w- c:\windows\system32\cacls.exe
2009-10-30 22:25 . 2004-08-04 01:07 142848 ----a-w- c:\windows\system32\bootcfg.exe
2009-10-30 22:25 . 2004-08-04 01:07 25088 ----a-w- c:\windows\system32\at.exe
2009-10-28 21:00 . 2008-07-28 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-10-28 21:00 . 2008-10-27 21:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-28 20:41 . 2009-06-06 17:26 -------- d-----w- c:\program files\AvRack
2009-10-20 22:17 . 2004-08-04 01:07 29184 ----a-w- c:\windows\system32\mshta.exe
2009-10-04 22:26 . 2009-10-04 22:26 0 ----a-w- c:\documents and settings\Yathu8\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-10-02 22:56 . 2009-06-06 17:26 124416 ----a-w- c:\windows\soundman.exe
2009-10-02 22:56 . 2004-08-04 01:07 1200640 ----a-w- c:\windows\system32\ntbackup.exe
2009-10-02 22:56 . 2008-07-24 20:55 131584 ----a-w- c:\windows\system32\sndrec32.exe
2009-10-02 22:56 . 2008-07-24 20:55 184320 ----a-w- c:\windows\system32\accwiz.exe
2009-10-02 22:55 . 2004-08-04 01:07 143360 ----a-w- c:\windows\system32\mobsync.exe
2009-10-02 22:55 . 2004-08-04 01:07 150528 ----a-w- c:\windows\system32\imapi.exe
2009-10-02 22:55 . 2004-08-04 01:07 35840 ----a-w- c:\windows\system32\rcimlby.exe
2009-10-02 22:19 . 2008-11-24 23:48 -------- d-----w- c:\program files\Microsoft
2009-10-02 21:41 . 2008-11-08 17:04 -------- d-----w- c:\program files\Viewpoint
2009-10-02 11:39 . 2004-08-04 01:07 215552 ----a-w- c:\windows\system32\osk.exe
2009-10-02 11:39 . 2004-08-04 01:07 72704 ----a-w- c:\windows\system32\magnify.exe
2009-10-02 11:38 . 2004-08-04 01:07 32768 ----a-w- c:\windows\system32\odbcad32.exe
2009-10-02 11:38 . 2004-08-04 01:07 64000 ----a-w- c:\windows\system32\cleanmgr.exe
2009-10-02 02:23 . 2004-08-04 01:07 17920 ----a-w- c:\windows\system32\ping.exe
2009-10-02 02:23 . 2004-08-04 01:07 12288 ----a-w- c:\windows\system32\attrib.exe
2009-10-02 02:23 . 2004-08-04 01:07 27136 ----a-w- c:\windows\system32\findstr.exe
2009-10-02 02:21 . 2004-08-04 01:07 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-10-02 02:21 . 2004-08-04 01:07 14336 ----a-w- c:\windows\system32\runonce.exe
2009-10-01 21:49 . 2009-10-01 21:41 -------- d-----w- c:\program files\Spyware Doctor
2009-10-01 21:28 . 2009-09-04 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-01 21:19 . 2009-10-01 21:19 -------- d-----w- c:\documents and settings\Yathu8\Application Data\AVG8
2009-10-01 20:41 . 2004-08-04 01:07 180224 ----a-w- c:\windows\system32\dwwin.exe
2009-09-30 22:54 . 2009-09-30 22:52 -------- d-----w- c:\program files\jv16 PowerTools 2009
2009-09-30 20:05 . 2008-07-24 20:55 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-09-30 02:57 . 2004-08-04 01:07 347136 ----a-w- c:\windows\system32\tourstart.exe
2009-09-30 02:54 . 2006-03-17 00:38 28672 ----a-w- c:\windows\system32\verclsid.exe
2009-09-30 02:52 . 2006-12-22 11:25 255456 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Photoshop Elements\5.0\Flash Galleries\GeoWeb Gallery\gallery\resources\AuthSWF.exe
2009-09-30 02:52 . 2006-12-22 11:24 1758682 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Photoshop Elements\5.0\Flash Galleries\Dynamic\flashplayer\windows\SAFlashPlayer.exe
2009-09-30 01:53 . 2008-10-24 01:16 -------- d-----w- c:\program files\Common Files\Apple
2009-09-30 01:40 . 2009-09-30 01:40 23 --sha-w- c:\windows\system32\edacded0.dat
2009-09-30 01:33 . 2009-09-30 01:33 -------- d-----w- c:\documents and settings\Yathu8\Application Data\Malwarebytes
2009-09-30 01:33 . 2004-08-04 01:07 11776 ----a-w- c:\windows\system32\regsvr32.exe
2009-09-30 01:20 . 2004-08-04 01:07 1414656 ----a-w- c:\windows\system32\mmc.exe
2009-09-29 23:02 . 2004-08-04 01:07 389120 ----a-w- c:\windows\system32\cmd.exe
2009-09-29 22:43 . 2004-08-04 01:07 24576 ----a-w- c:\windows\system32\sort.exe
2009-09-29 22:42 . 2004-08-04 01:07 71680 ----a-w- c:\windows\system32\systeminfo.exe
2009-09-29 22:42 . 2004-08-04 01:07 76288 ----a-w- c:\windows\system32\taskkill.exe
2009-09-29 22:42 . 2004-08-04 01:07 77824 ----a-w- c:\windows\system32\tasklist.exe
2009-09-29 22:42 . 2004-08-04 01:07 259584 ----a-w- c:\windows\system32\tracerpt.exe
2009-09-29 22:42 . 2004-08-04 01:07 12288 ----a-w- c:\windows\system32\tracert.exe
2009-09-29 22:42 . 2004-08-04 01:07 50176 ----a-w- c:\windows\system32\utilman.exe
2009-09-29 22:41 . 2004-08-04 01:07 289792 ----a-w- c:\windows\system32\vssvc.exe
2009-09-29 22:41 . 2004-08-04 01:07 65024 ----a-w- c:\windows\system32\wextract.exe
2009-09-29 22:41 . 2004-08-04 01:07 433664 ----a-w- c:\windows\system32\wiaacmgr.exe
2009-09-29 22:41 . 2004-08-04 01:07 5632 ----a-w- c:\windows\system32\winver.exe
2009-09-29 22:16 . 2008-07-30 00:35 326656 ----a-w- c:\windows\system32\PresentationHost.exe
2009-09-29 20:24 . 2004-08-04 01:07 25088 ----a-w- c:\windows\system32\defrag.exe
2009-09-29 11:55 . 2004-08-04 01:07 26112 ----a-w- c:\windows\system32\userinit.exe
2009-09-29 02:42 . 2004-08-04 01:07 514560 ----a-w- c:\windows\system32\logonui.exe
2009-09-29 02:25 . 2004-08-04 01:07 679936 ----a-w- c:\windows\system32\sstext3d.scr
2009-09-29 02:25 . 2004-08-04 01:07 9216 ----a-w- c:\windows\system32\scrnsave.scr
2009-09-29 02:17 . 2004-08-04 01:07 135680 ----a-w- c:\windows\system32\taskmgr.exe
2009-09-29 02:16 . 2004-08-04 01:07 44544 ----a-w- c:\windows\system32\alg.exe
2009-09-28 23:40 . 2009-09-28 23:40 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-28 23:40 . 2009-09-28 23:40 -------- d-----w- c:\documents and settings\Yathu8\Application Data\PC Tools
2009-09-28 23:40 . 2009-09-28 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-19 19:20 . 2009-09-19 17:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-19 19:20 . 2009-09-19 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-19 00:59 . 2009-09-19 00:17 -------- d-----w- c:\program files\dsd
2009-09-19 00:35 . 2009-09-13 02:01 -------- d-----w- c:\program files\Joboshare
2009-09-18 23:55 . 2009-09-18 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-15 02:36 . 2009-09-15 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-09-14 01:59 . 2009-09-14 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-14 01:37 . 2009-09-17 19:36 1390040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgfrw.exe
2009-09-13 23:59 . 2009-09-13 23:59 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-09-13 23:59 . 2009-09-13 23:59 3675096 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
.

------- Sigcheck -------

[-] 2009-09-29 . 789E140E949FFD240A21E11E3849CAD4 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 203742 . . [------] . . c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2004-08-04 01:07 . !HASH: COULD NOT OPEN FILE !!!!! . 202200 . . [------] . . c:\windows\$NtServicePackUninstall$\userinit.exe

[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 191446 . . [------] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 191450 . . [------] . . c:\windows\system32\wscntfy.exe
[-] 2004-08-04 01:07 . !HASH: COULD NOT OPEN FILE !!!!! . 191448 . . [------] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe

[-] 2009-10-30 . BE8E2DDA229907FCC5BA07EA338B2970 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 192978 . . [------] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2004-08-04 01:07 . !HASH: COULD NOT OPEN FILE !!!!! . 192982 . . [------] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BWJChtVx"="c:\windows\system32\zLHan.exe" [2009-10-11 229376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 292308]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 316894]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-26 316890]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 198108]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-24 3309568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-03-24 46080]
"QuickTime Task"="c:\program files\Ringz Studio\Storm Codec\qttask.exe" [2009-09-14 591320]
"hSFeJ3cTRsi9"="c:\windows\system32\zLHan.exe" [2009-10-11 229376]
"SoundMan"="soundman.exe" - c:\windows\soundman.exe [2009-10-02 124416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"link"= 00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-13 23:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GodSW Auto Emailer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GodSW Auto Emailer.lnk
backup=c:\windows\pss\GodSW Auto Emailer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSSQL$SQLEXPRESS"=2 (0x2)
"AbyssWebServer"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57186:TCP"= 57186:TCP:Pando Media Booster
"57186:UDP"= 57186:UDP:Pando Media Booster
"57218:TCP"= 57218:TCP:Pando Media Booster
"57218:UDP"= 57218:UDP:Pando Media Booster

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/28/2009 6:41 PM 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/13/2009 6:56 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/13/2009 6:56 PM 108552]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/8/2008 12:04 PM 24652]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/13/2009 6:56 PM 297984]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/28/2009 9:43 PM 30192]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 tatertot.scr;tatertot.scr;c:\windows\system32\drivers\tatertot.scr.sys [11/6/2009 8:55 PM 34816]
S4 AbyssWebServer;Abyss Web Server;c:\program files\Abyss Web Server\abyssws.exe --service --> c:\program files\Abyss Web Server\abyssws.exe --service [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;"c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" --> c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [?]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);"c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS --> c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FUtmahws-rPXB-UobT-SJCa-jvKWQESF8cx1}]
c:\windows\system32\zLHan.exe

[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{FUtmahws-rPXB-UobT-SJCa-jvKWQESF8cx1}]
c:\windows\system32\zLHan.exe
.
Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:37]

2009-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1604221776-725345543-1041Core.job
- c:\documents and settings\Yathu8\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-19 03:10]

2009-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1604221776-725345543-1041UA.job
- c:\documents and settings\Yathu8\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-19 03:10]

2009-11-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1604221776-725345543-500Core.job
- c:\documents and settings\Administrator.WINDOWS-7DD1DFD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-19 02:51]

2009-11-04 c:\windows\Tasks\Schedule Task Weekly.job
- c:\program files\Registry Easy\RE.exe [2009-09-30 20:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://youtube.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxp://secure.gopetslive.com/dev/GoPetsWeb.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-svchost.exe - c:\documents and settings\Yathu8\Application Data\Microsoft\svchost.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 17:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Explorer\BlockedPopup\.current]
@DACL=(02 0000)
@="c:\\WINDOWS\\media\\Windows XP Pop-up Blocked.wav"

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Explorer\BlockedPopup\.default]
@DACL=(02 0000)
@="c:\\WINDOWS\\media\\Windows XP Pop-up Blocked.wav"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-20\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Viewpoint\Viewpoint Manager]
@DACL=(02 0000)
"UninstallDate"="0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4044)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2009-11-12 17:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-12 22:11

Pre-Run: 81,481,363,456 bytes free
Post-Run: 87,011,532,800 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 2D92680D4091D8877EDFB753379905D4

Edited by Yathu, 12 November 2009 - 04:24 PM.

#13
kahdah

Posted 13 November 2009 - 07:31 AM

GeekU Teacher

Retired Staff
15,822 posts

I would like for you to submit a file for me to analyze.

I will need to you show hidden files\folders so we can find the files.
To Set:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK

Now: using Windows Explorer (to get there right-click your Start button and go to "Explore")
Then navigate to this location and upload the following file.

c:\windows\system32\zLHan.exe

Click Here to upload the files please.
============================
Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste the file path into the box when you click on Browse then once you have done that click on the open button then submit)

c:\windows\system32\actmovie.exe
c:\windows\system32\attrib.exe
c:\windows\system32\cmd.exe
c:\windows\system32\ftp.exe

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.

#14
Yathu

Posted 13 November 2009 - 06:13 PM

Member

Topic Starter
Member
46 posts

Hi, it wouldn't let me scan the actmovie.exe file but i got everything else

File attrib.exe received on 2009.11.14 00:00:05 (UTC)
Current status: finished
Result: 0/41 (0.00%)

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.13 -
AhnLab-V3 5.0.0.2 2009.11.13 -
AntiVir 7.9.1.65 2009.11.13 -
Antiy-AVL 2.0.3.7 2009.11.13 -
Authentium 5.2.0.5 2009.11.13 -
Avast 4.8.1351.0 2009.11.13 -
AVG 8.5.0.425 2009.11.13 -
BitDefender 7.2 2009.11.14 -
CAT-QuickHeal 10.00 2009.11.13 -
ClamAV 0.94.1 2009.11.13 -
Comodo 2945 2009.11.14 -
DrWeb 5.0.0.12182 2009.11.13 -
eSafe 7.0.17.0 2009.11.12 -
eTrust-Vet 35.1.7120 2009.11.13 -
F-Prot 4.5.1.85 2009.11.13 -
F-Secure 9.0.15370.0 2009.11.11 -
Fortinet 3.120.0.0 2009.11.13 -
GData 19 2009.11.14 -
Ikarus T3.1.1.74.0 2009.11.13 -
Jiangmin 11.0.800 2009.11.12 -
K7AntiVirus 7.10.896 2009.11.13 -
Kaspersky 7.0.0.125 2009.11.13 -
McAfee 5801 2009.11.13 -
McAfee+Artemis 5801 2009.11.13 -
McAfee-GW-Edition 6.8.5 2009.11.13 -
Microsoft 1.5202 2009.11.13 -
NOD32 4605 2009.11.13 -
Norman 6.03.02 2009.11.13 -
nProtect 2009.1.8.0 2009.11.13 -
Panda 10.0.2.2 2009.11.13 -
PCTools 7.0.3.5 2009.11.13 -
Prevx 3.0 2009.11.14 -
Rising 22.21.04.09 2009.11.13 -
Sophos 4.47.0 2009.11.13 -
Sunbelt 3.2.1858.2 2009.11.12 -
Symantec 1.4.4.12 2009.11.14 -
TheHacker 6.5.0.2.069 2009.11.13 -
TrendMicro 9.0.0.1003 2009.11.13 -
VBA32 3.12.10.11 2009.11.13 -
ViRobot 2009.11.13.2035 2009.11.13 -
VirusBuster 4.6.5.0 2009.11.13 -
Additional information
File size: 12288 bytes
MD5 : ad0637dce598813b358484b641e7cfea
SHA1 : 840174f51e194ac5b2c01351d81e8dcfa966baf5
SHA256: 00c9a6b16c2f28f4a77387b03e29c2b916660f2988314a435edc410b57ae18f7
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2653
timedatestamp.....: 0x48025203 (Sun Apr 13 20:33:39 2008)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2584 0x2600 6.27 1a529b5fa9681115211ef3437c926c62
.data 0x4000 0x40 0x200 0.20 abcea224b48dbda377dc35315cac920b
.rsrc 0x5000 0x3D8 0x400 3.31 0460dfcc9a102a549a68c6cf57fd8b86

( 4 imports )

> kernel32.dll: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, SetFileAttributesW, GetLastError, GetModuleHandleA
> msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __initenv, exit, _cexit, _XcptFilter, _exit, _c_exit
> ntdll.dll: wcschr, RtlFreeHeap, RtlAllocateHeap, swprintf
> ulib.dll: _Get_Standard_Output_Stream@@YGPAVSTREAM@@XZ, __0DSTRING@@QAE@XZ, __0PATH@@QAE@XZ, __0STRING_ARGUMENT@@QAE@XZ, __0ARRAY@@QAE@XZ, __0ARGUMENT_LEXEMIZER@@QAE@XZ, _QueryFsnodeArray@FSN_DIRECTORY@@QBEPAVARRAY@@PAVFSN_FILTER@@@Z, __1PROGRAM@@UAE@XZ, __1PATH_ARGUMENT@@UAE@XZ, __1FSN_FILTER@@UAE@XZ, __1STREAM_MESSAGE@@UAE@XZ, _ValidateVersion@PROGRAM@@UBEXKK@Z, _Usage@PROGRAM@@UBEXXZ, _GetStandardError@PROGRAM@@UAEPAVSTREAM@@XZ, _Get_Standard_Input_Stream@@YGPAVSTREAM@@XZ, _GetStandardInput@PROGRAM@@UAEPAVSTREAM@@XZ, _Fatal@PROGRAM@@UBEXXZ, _Fatal@PROGRAM@@UBAXKKPADZZ, _DisplayMessage@PROGRAM@@UBEEKW4MESSAGE_TYPE@@@Z, _DisplayMessage@PROGRAM@@UBAEKW4MESSAGE_TYPE@@PADZZ, _Compare@OBJECT@@UBEJPBV1@@Z, __0STREAM_MESSAGE@@QAE@XZ, __0FSN_FILTER@@QAE@XZ, __0PATH_ARGUMENT@@QAE@XZ, __0FLAG_ARGUMENT@@QAE@XZ, __0PROGRAM@@IAE@XZ, _Initialize@CLASS_DESCRIPTOR@@QAEEXZ, __0CLASS_DESCRIPTOR@@QAE@XZ, _Initialize@STREAM_MESSAGE@@QAEEPAVSTREAM@@00@Z, _Initialize@WSTRING@@QAEEPBGK@Z, _Initialize@ARRAY@@QAEEKK@Z, _PutSwitches@ARGUMENT_LEXEMIZER@@QAEXPBD@Z, _Initialize@ARGUMENT_LEXEMIZER@@QAEEPAVARRAY@@@Z, _SetCaseSensitive@ARGUMENT_LEXEMIZER@@QAEXE@Z, _PutSeparators@ARGUMENT_LEXEMIZER@@QAEXPBD@Z, _PrepareToParse@ARGUMENT_LEXEMIZER@@QAEEPAVWSTRING@@@Z, _Initialize@STRING_ARGUMENT@@QAEEPAD@Z, _Initialize@FLAG_ARGUMENT@@QAEEPAD@Z, _Initialize@PATH_ARGUMENT@@QAEEPADE@Z, _Put@ARRAY@@UAEEPAVOBJECT@@@Z, _DoParsing@ARGUMENT_LEXEMIZER@@QAEEPAVARRAY@@@Z, _IsValueSet@ARGUMENT@@QAEEXZ, _Initialize@PATH@@QAEEPBGE@Z, _Initialize@PATH@@QAEEPBVWSTRING@@E@Z, _IsDrive@PATH@@QBEEXZ, _Initialize@WSTRING@@QAEEPBV1@KK@Z, _Strcat@WSTRING@@QAEEPBV1@@Z, _Initialize@PATH@@QAEEPBV1@E@Z, _QueryDirectory@SYSTEM@@SGPAVFSN_DIRECTORY@@PBVPATH@@E@Z, _SetFileName@FSN_FILTER@@QAEEPBD@Z, _Initialize@FSN_FILTER@@QAEEXZ, _SetAttributes@FSN_FILTER@@QAEEKKK@Z, _SetFileName@FSN_FILTER@@QAEEPBVWSTRING@@@Z, _DeleteAllMembers@ARRAY@@UAEEXZ, __1STRING_ARGUMENT@@UAE@XZ, __1PATH@@UAE@XZ, __1ARRAY@@UAE@XZ, __1ARGUMENT_LEXEMIZER@@UAE@XZ, __1DSTRING@@UAE@XZ, __1OBJECT@@UAE@XZ, _Display@MESSAGE@@QAAEPBDZZ, _Initialize@WSTRING@@QAEEPBDK@Z, _GetStandardOutput@PROGRAM@@UAEPAVSTREAM@@XZ, _QueryString@WSTRING@@QBEPAV1@KK@Z

( 0 exports )
TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 192:kQZgZNuzcPXWlI6wvCQQaLS4Twv6ujZ1rAgwc4A35gMnvmAIwW0FtW:kQswzcQI6IS4TwtWA35gqmyW0FtW
PEiD : -
RDS : NSRL Reference Data Set
-

File cmd.exe received on 2009.11.14 00:01:34 (UTC)
Current status: finished
Result: 0/41 (0.00%)

ntivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.13 -
AhnLab-V3 5.0.0.2 2009.11.13 -
AntiVir 7.9.1.65 2009.11.13 -
Antiy-AVL 2.0.3.7 2009.11.13 -
Authentium 5.2.0.5 2009.11.13 -
Avast 4.8.1351.0 2009.11.13 -
AVG 8.5.0.425 2009.11.13 -
BitDefender 7.2 2009.11.14 -
CAT-QuickHeal 10.00 2009.11.13 -
ClamAV 0.94.1 2009.11.13 -
Comodo 2945 2009.11.14 -
DrWeb 5.0.0.12182 2009.11.13 -
eSafe 7.0.17.0 2009.11.12 -
eTrust-Vet 35.1.7120 2009.11.13 -
F-Prot 4.5.1.85 2009.11.13 -
F-Secure 9.0.15370.0 2009.11.11 -
Fortinet 3.120.0.0 2009.11.13 -
GData 19 2009.11.14 -
Ikarus T3.1.1.74.0 2009.11.13 -
Jiangmin 11.0.800 2009.11.12 -
K7AntiVirus 7.10.896 2009.11.13 -
Kaspersky 7.0.0.125 2009.11.13 -
McAfee 5801 2009.11.13 -
McAfee+Artemis 5801 2009.11.13 -
McAfee-GW-Edition 6.8.5 2009.11.13 -
Microsoft 1.5202 2009.11.13 -
NOD32 4605 2009.11.13 -
Norman 6.03.02 2009.11.13 -
nProtect 2009.1.8.0 2009.11.13 -
Panda 10.0.2.2 2009.11.13 -
PCTools 7.0.3.5 2009.11.13 -
Prevx 3.0 2009.11.14 -
Rising 22.21.04.09 2009.11.13 -
Sophos 4.47.0 2009.11.13 -
Sunbelt 3.2.1858.2 2009.11.12 -
Symantec 1.4.4.12 2009.11.14 -
TheHacker 6.5.0.2.069 2009.11.13 -
TrendMicro 9.0.0.1003 2009.11.13 -
VBA32 3.12.10.11 2009.11.13 -
ViRobot 2009.11.13.2035 2009.11.13 -
VirusBuster 4.6.5.0 2009.11.13 -
Additional information
File size: 389120 bytes
MD5 : be03917e883af09a0d1e04ce79c7f8ae
SHA1 : 7da3182cf8c2eb4dbe2a0ded686f24f902a15b4d
SHA256: 9446bc8f31256f80e9a5429387d663925cc55ad5b626cc4866b111d400d65fb3
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5046
timedatestamp.....: 0x48025BAF (Sun Apr 13 21:14:55 2008)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1F620 0x1F800 6.58 0dba298d132e7df23b222f453be6c8d4
.data 0x21000 0x1CA24 0x1CA00 0.17 ac08e12c2ca9c0b872b354378edde336
.rsrc 0x3E000 0x228A0 0x22A00 3.83 1586a8d471cd77b625c608210b6f5e5f

( 3 imports )

> kernel32.dll: FlushConsoleInputBuffer, LoadLibraryA, InterlockedExchange, FreeLibrary, LocalAlloc, GetVDMCurrentDirectories, CmdBatNotification, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetThreadLocale, GetDiskFreeSpaceExW, CompareFileTime, RemoveDirectoryW, GetCurrentDirectoryW, SetCurrentDirectoryW, TerminateProcess, WaitForSingleObject, GetExitCodeProcess, CopyFileW, SetFileAttributesW, DeleteFileW, SetFileTime, CreateDirectoryW, FillConsoleOutputAttribute, SetConsoleTextAttribute, ScrollConsoleScreenBufferW, FormatMessageW, DuplicateHandle, FlushFileBuffers, HeapReAlloc, HeapSize, GetFileAttributesExW, LocalFree, GetDriveTypeW, InitializeCriticalSection, SetConsoleCtrlHandler, GetWindowsDirectoryW, GetConsoleTitleW, GetModuleFileNameW, GetVersion, EnterCriticalSection, LeaveCriticalSection, ExpandEnvironmentStringsW, SearchPathW, WriteFile, GetVolumeInformationW, SetLastError, MoveFileW, SetConsoleTitleW, MoveFileExW, GetBinaryTypeW, GetFileAttributesW, GetCurrentThreadId, CreateProcessW, LoadLibraryW, ReadProcessMemory, SetErrorMode, GetConsoleMode, SetConsoleMode, VirtualAlloc, VirtualFree, SetEnvironmentVariableW, GetEnvironmentVariableW, GetCommandLineW, GetEnvironmentStringsW, GetLocalTime, GetTimeFormatW, FileTimeToLocalFileTime, GetDateFormatW, GetLastError, CloseHandle, SetThreadLocale, GetProcAddress, GetModuleHandleW, SetFilePointer, lstrcmpW, lstrcmpiW, HeapAlloc, GetProcessHeap, HeapFree, MultiByteToWideChar, ReadFile, WriteConsoleW, FillConsoleOutputCharacterW, SetConsoleCursorPosition, ReadConsoleW, GetConsoleScreenBufferInfo, GetStdHandle, GetFileType, VirtualQuery, RaiseException, GetCPInfo, GetConsoleOutputCP, WideCharToMultiByte, GetFileSize, CreateFileW, FindClose, FindNextFileW, FindFirstFileW, GetFullPathNameW, GetUserDefaultLCID, GetLocaleInfoW, SetLocalTime, SystemTimeToFileTime, GetSystemTime, FileTimeToSystemTime
> msvcrt.dll: __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __initenv, _cexit, _XcptFilter, _exit, _c_exit, calloc, _wcslwr, qsort, _vsnwprintf, wcsstr, _dup2, _dup, _open_osfhandle, _close, swscanf, _ultoa, _pipe, _seh_longjmp_unwind, _setmode, wcsncmp, iswxdigit, fflush, exit, _wtol, time, srand, __set_app_type, wcsrchr, malloc, free, wcstoul, _errno, iswalpha, printf, rand, swprintf, _iob, fprintf, towlower, realloc, setlocale, _snwprintf, wcscat, _wcsupr, wcsncpy, _wpopen, fgets, _pclose, memmove, wcschr, iswspace, _tell, longjmp, wcscmp, _wcsnicmp, _wcsicmp, wcstol, iswdigit, _getch, _get_osfhandle, _controlfp, _setjmp3, _except_handler3, wcscpy, wcslen, wcsspn, towupper
> user32.dll: GetUserObjectInformationW, GetThreadDesktop, MessageBeep, GetProcessWindowStation

( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 3072:WhRx1q315oF8opcnD1hOOrWGzN2lcR2u8JnxIdU+e3sFFCcll3H3rH3XD7Inm+Fj:8UF5oXpcFb5DRsNxIdU
PEiD : -
RDS : NSRL Reference Data Set
-

File ftp.exe received on 2009.11.14 00:02:35 (UTC)
Current status: finished
Result: 0/41 (0.00%)

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.13 -
AhnLab-V3 5.0.0.2 2009.11.13 -
AntiVir 7.9.1.65 2009.11.13 -
Antiy-AVL 2.0.3.7 2009.11.13 -
Authentium 5.2.0.5 2009.11.13 -
Avast 4.8.1351.0 2009.11.13 -
AVG 8.5.0.425 2009.11.13 -
BitDefender 7.2 2009.11.14 -
CAT-QuickHeal 10.00 2009.11.13 -
ClamAV 0.94.1 2009.11.13 -
Comodo 2945 2009.11.14 -
DrWeb 5.0.0.12182 2009.11.13 -
eSafe 7.0.17.0 2009.11.12 -
eTrust-Vet 35.1.7120 2009.11.13 -
F-Prot 4.5.1.85 2009.11.13 -
F-Secure 9.0.15370.0 2009.11.11 -
Fortinet 3.120.0.0 2009.11.13 -
GData 19 2009.11.14 -
Ikarus T3.1.1.74.0 2009.11.13 -
Jiangmin 11.0.800 2009.11.12 -
K7AntiVirus 7.10.896 2009.11.13 -
Kaspersky 7.0.0.125 2009.11.13 -
McAfee 5801 2009.11.13 -
McAfee+Artemis 5801 2009.11.13 -
McAfee-GW-Edition 6.8.5 2009.11.13 -
Microsoft 1.5202 2009.11.13 -
NOD32 4605 2009.11.13 -
Norman 6.03.02 2009.11.13 -
nProtect 2009.1.8.0 2009.11.13 -
Panda 10.0.2.2 2009.11.13 -
PCTools 7.0.3.5 2009.11.13 -
Prevx 3.0 2009.11.14 -
Rising 22.21.04.09 2009.11.13 -
Sophos 4.47.0 2009.11.13 -
Sunbelt 3.2.1858.2 2009.11.12 -
Symantec 1.4.4.12 2009.11.14 -
TheHacker 6.5.0.2.069 2009.11.13 -
TrendMicro 9.0.0.1003 2009.11.13 -
VBA32 3.12.10.11 2009.11.13 -
ViRobot 2009.11.13.2035 2009.11.13 -
VirusBuster 4.6.5.0 2009.11.13 -
Additional information
File size: 42496 bytes
MD5 : f22f228dd4323a375b1b32bb32564662
SHA1 : eba2ee48565587b8e8b11d8946d8688fcc352c46
SHA256: 839005da19c943005c1181c8a16945f3d0c9930f817228d90d44aac72e486714
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x62AA
timedatestamp.....: 0x48025814 (Sun Apr 13 20:59:32 2008)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6196 0x6200 6.31 b2b1ac1abd370f49bcaceae5c562cf84
.data 0x8000 0x4DB0 0x400 3.71 170ae855435a86f8689f96fbee741276
.rsrc 0xD000 0x3B10 0x3C00 3.40 61d71dc0a1acaacd8f1a630a58d4ea38

( 6 imports )

> advapi32.dll: GetUserNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
> kernel32.dll: ReadFile, GetConsoleMode, CreateFileA, Sleep, WriteFile, SetConsoleMode, HeapFree, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, InterlockedCompareExchange, HeapAlloc, FindFirstFileA, FindNextFileA, InterlockedExchange, IsDBCSLeadByteEx, GetEnvironmentVariableA, CreateProcessA, WaitForSingleObject, CloseHandle, LoadLibraryExA, GetLastError, GetCurrentDirectoryA, SetConsoleCtrlHandler, GetFileAttributesA, LocalFree, LocalAlloc, FormatMessageA, GetProcessHeap
> msvcrt.dll: isdigit, sprintf, _write, strchr, _setjmp3, _isatty, clearerr, putchar, tolower, longjmp, exit, islower, toupper, _chdrive, fprintf, _errno, _getcwd, fflush, _mbslen, _mbsnbcnt, _mbsnbcat, printf, getenv, _tempnam, tmpnam, _mbsnbcpy, free, fopen, _unlink, vsprintf, vfprintf, _read, clock, _fstat, _fsopen, _c_exit, _exit, _XcptFilter, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __initenv, _chdir, _cexit, fclose, _mbscmp, _mbscpy, _mbscat, _mbstrlen, _iob, fgets, _mbschr, atoi
> mswsock.dll: s_perror
> user32.dll: CharToOemBuffA, OemToCharBuffA, CharNextExA
> ws2_32.dll: getnameinfo, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, getaddrinfo, freeaddrinfo, -

( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 768:kU6R3c3OePgOC9SVpb9Re1yJud4BkwhWghy7VvEHsKC:TEc3Og5CkDWY8NEHsKC
PEiD : -
RDS : NSRL Reference Data Set
-

Edited by Yathu, 13 November 2009 - 06:16 PM.

#15
kahdah

Posted 14 November 2009 - 05:37 AM

GeekU Teacher

Retired Staff
15,822 posts

Please uninstall Mcafee and also disable AVG resident shield be fore doing the below.

1. Please open Notepad

Click Start , then Run
type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

File::
c:\windows\system32\zLHan.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{FUtmahws-rPXB-UobT-SJCa-jvKWQESF8cx1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FUtmahws-rPXB-UobT-SJCa-jvKWQESF8cx1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hSFeJ3cTRsi9"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BWJChtVx"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image