View Full Version : Srosa.sys &
ToroLoco
2008-01-22, 11:13
Hello,
I have been infected with Win32.Bagle trogan and with a rootkit SROSA.SYS. Below is the Hijackthis report and the report from Kaspersky.
Hijack
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:26 μμ, on 21/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files\Sharp\Sharpdesk\FtpServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sharp\Sharpdesk\nsapp.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\michalis\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\michalis\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.*;127.0.0.*
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe" /n
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.quest.gr
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} (RtspVaPgCtrl Class) - http://192.168.0.107/RtspVaPgDec.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://mpapado.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163748485393
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A6250FD-F2CB-4384-A7C9-ED6CEC289E35}: NameServer = 194.30.220.114,194.30.220.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{697D0050-D592-4AF0-9232-7ACEE69887B5}: NameServer = 194.30.220.114,194.30.220.117
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A6250FD-F2CB-4384-A7C9-ED6CEC289E35}: NameServer = 194.30.220.114,194.30.220.117
O17 - HKLM\System\CS2\Services\Tcpip\..\{4A6250FD-F2CB-4384-A7C9-ED6CEC289E35}: NameServer = 194.30.220.114,194.30.220.117
O17 - HKLM\System\CS3\Services\Tcpip\..\{4A6250FD-F2CB-4384-A7C9-ED6CEC289E35}: NameServer = 194.30.220.114,194.30.220.117
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Unknown owner - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe (file missing)
--
End of file - 11495 bytes
continue in a second post.
ToroLoco
2008-01-22, 11:17
Kaspersky
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 22, 2008 9:19:44 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/01/2008
Kaspersky Anti-Virus database records: 525617
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
L:\
P:\
Z:\
Scan Statistics:
Total number of scanned objects: 208607
Number of viruses found: 11
Number of infected objects: 192
Number of suspicious objects: 0
Duration of the scan process: 14:13:36
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.24.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.24.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010021.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010023.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010027.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010029.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001002F.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010032.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010033.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010035.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy277.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_65c.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sharp\NST\3.2\FTPLogger.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Adobe\Acrobat\7.0\Michalis_XP.err Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Adobe\Acrobat\7.0\Updater\udlog.txt Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Microsoft\Outlook\Michael.NK2 Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Microsoft\Outlook\Michael.srs Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Microsoft\Templates\NormalEmail.dotm Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Mozilla\Firefox\Profiles\aswcihg2.default\cert8.db Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Mozilla\Firefox\Profiles\aswcihg2.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Mozilla\Firefox\Profiles\aswcihg2.default\history.dat Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Mozilla\Firefox\Profiles\aswcihg2.default\key3.db Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Mozilla\Firefox\Profiles\aswcihg2.default\parent.lock Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Mozilla\Firefox\Profiles\aswcihg2.default\search.sqlite Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Mozilla\Firefox\Profiles\aswcihg2.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\call256.dbb Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\callmember256.dbb Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\chat256.dbb Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\chat512.dbb Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\chatsync\35\355e8f531882ee6a.dat Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\index2.dat Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\profile16384.dbb Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\transfer512.dbb Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\user1024.dbb Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\user16384.dbb Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\user256.dbb Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\user4096.dbb Object is locked skipped
C:\Documents and Settings\michalis\Application Data\Skype\michael_papado\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\michalis\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Microsoft\Feeds\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Microsoft\Messenger\michael_papado@yahoo.gr\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Microsoft\Messenger\michael_papado@yahoo.gr\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Microsoft\Messenger\michael_papado@yahoo.gr\SharingMetadata\Working\database_B6D0_CFB0_D0CF_7561\dfsr.db Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Microsoft\Messenger\michael_papado@yahoo.gr\SharingMetadata\Working\database_B6D0_CFB0_D0CF_7561\fsr.log Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Microsoft\Messenger\michael_papado@yahoo.gr\SharingMetadata\Working\database_B6D0_CFB0_D0CF_7561\fsrtmp.log Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Microsoft\Messenger\michael_papado@yahoo.gr\SharingMetadata\Working\database_B6D0_CFB0_D0CF_7561\tmp.edb Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Microsoft\Outlook\~Outlook1.pst.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Microsoft\Windows Live Contacts\michael_papado@yahoo.gr\real\members.stg Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Microsoft\Windows Live Contacts\michael_papado@yahoo.gr\shadow\members.stg Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Mozilla\Firefox\Profiles\aswcihg2.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Mozilla\Firefox\Profiles\aswcihg2.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Mozilla\Firefox\Profiles\aswcihg2.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Application Data\Mozilla\Firefox\Profiles\aswcihg2.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\History\History.IE5\MSHist012008012120080122\index.dat Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp11.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp12.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp13.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp14.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp15.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp16.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp17.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp18.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp19.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp1C.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp1E.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp1F.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp2A.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp2B.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp2C.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp38.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp39.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp3A.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp48.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp49.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp4A.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp4B.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp51.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp63.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp64.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp65.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp66.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp67.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp68.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp69.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp6A.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp6B.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp6C.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp6D.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp6E.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp6F.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp70.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp71.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp72.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp73.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp74.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp75.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp77.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp78.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp79.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp7A.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp7B.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp7C.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmp7D.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\tmpD.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\~DF2A0B.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\~DF2A16.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\~DF2BF2.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\~DF2C15.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\~DF54EE.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\~DF8627.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\~DFE50A.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temp\~DFFEF8.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\67CTU25Q\b64_1[1].jpg Infected: Trojan-PSW.Win32.LdPinch.ewq skipped
Continue in third post.
ToroLoco
2008-01-22, 11:23
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\67CTU25Q\b64_1[2].jpg Infected: Trojan-PSW.Win32.LdPinch.ewq skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\67CTU25Q\b64_1[3].jpg Infected: Trojan-PSW.Win32.LdPinch.ewq skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\67CTU25Q\b64_2[1].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\67CTU25Q\b64_2[2].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\67CTU25Q\b64_2[3].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\67CTU25Q\b64_2[4].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\67CTU25Q\b64_2[5].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\67CTU25Q\b64_2[6].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\67CTU25Q\mxd[1].jpg Infected: Trojan-Downloader.Win32.Bagle.ia skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\DTU7YYEI\b64[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\DTU7YYEI\b64_1[1].jpg Infected: Trojan-PSW.Win32.LdPinch.ewq skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\DTU7YYEI\b64_1[2].jpg Infected: Trojan-PSW.Win32.LdPinch.ewq skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\DTU7YYEI\b64_2[1].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\DTU7YYEI\b64_2[2].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\DTU7YYEI\b64_2[3].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\DTU7YYEI\b64_2[4].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\DTU7YYEI\b64_2[5].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\DTU7YYEI\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\DTU7YYEI\b64_3[8].jpg Infected: Trojan-Downloader.Win32.Bagle.ho skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\PSG8XJL4\b64_1[1].jpg Infected: Trojan-PSW.Win32.LdPinch.ewq skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\PSG8XJL4\b64_1[2].jpg Infected: Trojan-PSW.Win32.LdPinch.ewq skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\PSG8XJL4\b64_1[3].jpg Infected: Trojan-PSW.Win32.LdPinch.ewq skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\PSG8XJL4\b64_2[1].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\PSG8XJL4\b64_2[2].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\PSG8XJL4\b64_2[3].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\PSG8XJL4\b64_2[4].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\PSG8XJL4\b64_2[5].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\PSG8XJL4\b64_2[6].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\PSG8XJL4\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\PSG8XJL4\b64_3[3].jpg Infected: Trojan-Downloader.Win32.Bagle.ho skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\YXV7ZF6B\b64_1[10].jpg Infected: Trojan-PSW.Win32.LdPinch.ewq skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\YXV7ZF6B\b64_1[2].jpg Infected: Trojan-PSW.Win32.LdPinch.ewq skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\YXV7ZF6B\b64_2[1].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\YXV7ZF6B\b64_2[2].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\YXV7ZF6B\b64_2[3].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\YXV7ZF6B\b64_2[4].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\YXV7ZF6B\b64_2[5].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\YXV7ZF6B\b64_2[6].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\YXV7ZF6B\b64_2[7].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\YXV7ZF6B\b64_2[8].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.IE5\YXV7ZF6B\b64_2[9].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.Word\~WRF{8498D481-24F8-429C-9008-8A0C29B25C5B}.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.Word\~WRS{0D454750-7DD1-4409-8639-59DDE4980504}.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.Word\~WRS{1BEF87A5-2143-40CC-8938-410CC85EBA81}.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.Word\~WRS{22F6353E-4EE0-427F-95CF-A4C049233FA8}.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.Word\~WRS{5F3AE57A-C469-47D5-817F-A9B47D8CB9EB}.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.Word\~WRS{74508F81-05AA-42AE-A3F2-8D8108528037}.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.Word\~WRS{836DDD19-5BBC-4BDB-A449-46482397FD46}.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.Word\~WRS{AEA34D94-77CA-4AAC-8C27-195F0D618992}.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.Word\~WRS{E0E59DD2-0CC8-4FAA-8B26-7F80D58F446F}.tmp Object is locked skipped
C:\Documents and Settings\michalis\Local Settings\Temporary Internet Files\Content.Word\~WRS{F44A2FB5-DF6F-4611-9445-DA8112116FD2}.tmp Object is locked skipped
C:\Documents and Settings\michalis\My Documents\Forms\Epistoli_en.dot Object is locked skipped
C:\Documents and Settings\michalis\My Documents\H&M\H&M SWIMWEAR LIST Season7.xls Object is locked skipped
C:\Documents and Settings\michalis\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\michalis\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP101\A0073363.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP101\A0073365.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP103\A0073393.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP103\A0073394.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP103\A0073395.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073504.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073505.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073508.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073509.exe Infected: Trojan-Downloader.Win32.Bagle.ho skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073511.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073515.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073566.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073586.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073589.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073625.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073662.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073664.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073700.exe Infected: Trojan-Downloader.Win32.Bagle.ho skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073702.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073706.exe Infected: Trojan-Downloader.Win32.Bagle.ho skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073738.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073739.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073742.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073744.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073778.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073779.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073782.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073819.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073822.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073861.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073864.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073865.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073899.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073901.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073940.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073977.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073979.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0073997.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0074020.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0074024.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0074056.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0074059.exe Infected: Trojan-Downloader.Win32.Bagle.ho skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0074060.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0074062.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0074093.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0074097.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0074135.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP104\A0074136.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP107\A0074237.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP107\A0074238.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP107\A0074239.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP107\A0074244.exe Infected: Trojan-Downloader.Win32.Bagle.ho skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP109\A0074534.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP109\A0074539.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP110\A0074543.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP110\A0074547.exe Infected: Trojan-Downloader.Win32.Bagle.ho skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP110\A0074548.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP110\A0074553.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP110\A0074555.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP110\A0074556.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP114\A0074621.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP114\A0074623.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP116\A0074648.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP116\A0074650.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP116\A0074651.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP116\A0074703.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP116\A0074705.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP116\A0074706.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP116\A0074707.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP116\A0074708.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP117\A0074782.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP117\A0074783.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0074831.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0074833.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0074834.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0074835.exe Infected: Email-Worm.Win32.Bagle.of skipped
Continue in forth post.
ToroLoco
2008-01-22, 11:24
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0074836.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0075230.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0075231.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0075232.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0075257.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0075259.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0075260.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0075261.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0075263.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0075292.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0075294.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0075295.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0075296.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0077305.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0077306.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0077307.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0077308.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP118\A0077401.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP119\A0077481.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP119\A0078331.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP119\A0078332.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP119\A0078333.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP119\A0078334.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP119\A0078644.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP119\A0078645.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP120\A0078900.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078915.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078916.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078933.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078934.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078935.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078936.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078937.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078941.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078944.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078945.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078964.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078975.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078986.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078988.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078989.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078990.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078997.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078998.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0078999.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP122\A0079000.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP123\A0079055.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP124\A0080083.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP124\change.log Object is locked skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP72\A0063425.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP72\A0063427.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP72\A0063429.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP94\A0073068.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP94\A0073076.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP98\A0073196.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP98\A0073198.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{64197F99-0410-40E8-901A-04BB1607DF83}\RP98\A0073199.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\RTacDbg.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\down\100843.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\WINDOWS\system32\drivers\down\116406.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\drivers\down\14819859.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\WINDOWS\system32\drivers\down\14836312.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\drivers\down\29366390.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\drivers\down\29389328.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\drivers\down\43918859.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\drivers\down\43939562.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\drivers\down\97140.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\drivers\SROSA.SYS.del Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\WINDOWS\system32\drivers\srosa.sy_ Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_540.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
I can't execute Spybot SD since I can't install it through safe mode and when installing from normal windows mode the files are instantly deleted.
Please I really need your help to remove the trojan - rootkit virus, because this is my work pc and I can't format it.
Thank you
Michael
Hi
Download GMER (http://www.gmer.net/gmer.zip) and save it your desktop:
Extract it to your desktop and double-click GMER.exe
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply (you can upload it to http://rapidshare.com if it doesn't fit in your post).
ToroLoco
2008-01-22, 13:36
Hello,
the log was big so I have uploaded to rapidshare. The link is this (http://rapidshare.com/files/85665327/gmer.log.html)
ToroLoco
2008-01-22, 13:41
Don't use the previous log. I will post a new one in a while since the scan was not complete.
ToroLoco
2008-01-22, 15:27
Hi,
I have upload the correct and full report from gmer to rapidshare. this is the link (http://rapidshare.com/files/85685459/gmer.log.html)
Hi again
Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer
1. Download this file -
combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log & a fresh hjt log in your
next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall
ToroLoco
2008-01-23, 10:46
Combofix
ComboFix 08-01-23.2 - michalis 2008-01-23 10:12:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1033.18.404 [GMT 2:00]
Running from: C:\Documents and Settings\michalis\My Documents\Post\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
----- BITS: Possible infected sites -----
hxxp://javadl.sun.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_SROSA
-------\srosa
((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.
2008-01-23 10:11 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 09:35 . 2006-06-13 02:02 629,046 --------- C:\WINDOWS\system32\drivers\hldrrr.exe
2008-01-23 09:35 . 2008-01-23 09:36 70,660 --a------ C:\WINDOWS\system32\mdelk.exe
2008-01-23 09:27 . 2008-01-23 09:43 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-01-22 13:14 . 2008-01-22 13:14 250 --a------ C:\WINDOWS\gmer.ini
2008-01-21 12:21 . 2008-01-21 12:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-18 10:13 . 2007-01-18 14:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-14 13:09 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-01-14 12:56 . 2008-01-14 12:55 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-11 13:26 . 2008-01-11 13:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-03 14:33 . 2008-01-03 14:33 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-03 14:33 . 2008-01-03 14:33 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2008-01-03 14:33 . 2008-01-03 14:33 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-01-03 14:32 . 2008-01-03 14:32 <DIR> d-------- C:\Program Files\Logitech
2008-01-03 14:32 . 2008-01-14 14:07 <DIR> d-------- C:\Program Files\Common Files\Logishrd
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 12:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-20 11:01 --------- d-----w C:\Program Files\Orban
2007-12-13 07:48 --------- d-----w C:\Program Files\Windows Desktop Search
2007-12-05 12:55 --------- d-----w C:\Program Files\Skype
2007-12-05 12:55 --------- d-----w C:\Program Files\Common Files\Skype
2007-11-23 13:11 --------- d-----w C:\Program Files\MSBuild
2007-11-23 13:11 --------- d-----w C:\Program Files\Microsoft Works
2007-11-23 13:10 --------- d-----w C:\Program Files\Microsoft.NET
2007-11-23 13:04 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2006-05-09 12:38 4,263 --sh--w C:\WINDOWS\system32\Win33b.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2006-06-13 02:02 629046]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [ ]
"mule_st_key"="C:\Documents and Settings\michalis\Application Data\m\flec006.exe" [2008-01-23 09:36 96260]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 04:15 106496]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-05-13 01:22 249856]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2006-06-13 02:02 629046]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 16:38 221184]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52 483328]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 12:48 77824 C:\WINDOWS\soundman.exe]
"IndexTray"="C:\Program Files\Sharp\Sharpdesk\IndexTray.exe" [2006-04-17 00:08 106496]
"SharpTray"="C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [2006-04-17 00:16 32768]
"TypeRegChecker"="C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe" [2006-04-17 00:09 57344]
"FtpServer.exe"="C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" [2006-04-18 10:10 692224]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-06-13 13:22:36 25214]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26 29696]
NETGEAR WG111v2 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 16:05:52 2297856]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-09-03 01:36:30 335872]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
--a------ 2003-10-14 11:52 2301952 C:\WINDOWS\CMICNFG.CPL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"AVGEMS"=3 (0x3)
"AvgClean"=3 (0x3)
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\cinemsup.sys [2002-07-19 08:10]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 10:55]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 17:53]
S0 ProtectON;ProtectON;C:\WINDOWS\system32\drivers\dksdrv2k.sys []
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 13:58]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 13:58]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 13:58]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 13:58]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 13:58]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 13:58]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 13:58]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2005-10-10 10:50]
S3 USRSp50;USRSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\USRSp50.sys [2005-09-28 14:53]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 10:25:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\RtlGina2.dll
.
ToroLoco
2008-01-23, 10:47
Hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files\Sharp\Sharpdesk\FtpServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sharp\Sharpdesk\nsapp.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\michalis\Application Data\m\flec006.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.*;127.0.0.*
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe" /n
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.quest.gr
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} (RtspVaPgCtrl Class) - http://192.168.0.107/RtspVaPgDec.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://mpapado.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163748485393
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A6250FD-F2CB-4384-A7C9-ED6CEC289E35}: NameServer = 194.30.220.114,194.30.220.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{697D0050-D592-4AF0-9232-7ACEE69887B5}: NameServer = 194.30.220.114,194.30.220.117
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A6250FD-F2CB-4384-A7C9-ED6CEC289E35}: NameServer = 194.30.220.114,194.30.220.117
O17 - HKLM\System\CS2\Services\Tcpip\..\{4A6250FD-F2CB-4384-A7C9-ED6CEC289E35}: NameServer = 194.30.220.114,194.30.220.117
O17 - HKLM\System\CS3\Services\Tcpip\..\{4A6250FD-F2CB-4384-A7C9-ED6CEC289E35}: NameServer = 194.30.220.114,194.30.220.117
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Unknown owner - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe (file missing)
--
End of file - 11128 bytes
Hi
You have to keep system disconnected until it's clean again. That requires posting logs thru other non-infected system.
Before disconnect let's download something that will be used later.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop. Don't run yet!
Please download SafeBootKeyRepair.exe by sUBs to repair Safe Mode.
Download HERE (http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair.exe). Don't run yet!
You need also antivirus program and firewall. See here (http://www.freebyte.com/antivirus/#scanners) to choose one av program. Then see here (http://www.freebyte.com/antivirus/#firewalls) to choose one firewall. Don't install those yet since Bagle would most likely delete av program exe file.
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Upload following file to http://www.virustotal.com or http://virusscan.jotti.org and post back the results:
C:\WINDOWS\system32\Win33b.sys
At this point it's advisable to disconnect from the web. Ensure also that TeaTimer is still disabled.
Start hjt, do a system scan, check:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Close browsers & click 'fix checked'.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\mdelk.exe
Folder::
C:\WINDOWS\system32\drivers\down
C:\Documents and Settings\michalis\Application Data\m
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"german.exe"=-
"mule_st_key"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
Save this as
CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
ToroLoco
2008-01-23, 12:50
the results from the virustotal are the below:
Antivirus Version Last Update Result
AhnLab-V3 2008.1.23.11 2008.01.23 -
AntiVir 7.6.0.48 2008.01.23 -
Authentium 4.93.8 2008.01.22 -
Avast 4.7.1098.0 2008.01.23 -
AVG 7.5.0.516 2008.01.22 -
BitDefender 7.2 2008.01.23 -
CAT-QuickHeal 9.00 2008.01.22 -
ClamAV 0.91.2 2008.01.23 -
DrWeb 4.44.0.09170 2008.01.23 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5479 2008.01.23 -
Ewido 4.0 2008.01.22 -
FileAdvisor 1 2008.01.23 -
Fortinet 3.14.0.0 2008.01.23 -
F-Prot 4.4.2.54 2008.01.23 -
F-Secure 6.70.13260.0 2008.01.23 -
Ikarus T3.1.1.20 2008.01.23 -
Kaspersky 7.0.0.125 2008.01.23 -
McAfee 5213 2008.01.22 -
Microsoft 1.3109 2008.01.23 -
NOD32v2 2816 2008.01.23 -
Norman 5.80.02 2008.01.22 -
Panda 9.0.0.4 2008.01.22 -
Prevx1 V2 2008.01.23 -
Rising 20.28.22.00 2008.01.23 -
Sophos 4.24.0 2008.01.23 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.23 -
TheHacker 6.2.9.195 2008.01.23 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.22 -
Webwasher-Gateway 6.6.2 2008.01.23 -
Additional information
File size: 4263 bytes
MD5: c463c6b291ea09596b26cf917fe3be05
SHA1: cec160116912b15bf2e1b55ba46275f7fe604ea0
PEiD: -
ToroLoco
2008-01-23, 14:00
Hi,
when ever combofix runs with the CFScript at the next start of Windows a windows open and writes open file to crack. And again all the deleted files are back to their initial position...:sad:
Below is the combofix log.
ComboFix 08-01-23.2 - michalis 2008-01-23 13:43:36.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1033.18.526 [GMT 2:00]
Running from: C:\Documents and Settings\michalis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\michalis\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\mdelk.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\michalis\Application Data\m\data.oct
C:\Documents and Settings\michalis\Application Data\m\list.oct
C:\Documents and Settings\michalis\Application Data\m\srvlist.oct
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\100359.exe
C:\WINDOWS\system32\drivers\down\100875.exe
C:\WINDOWS\system32\drivers\down\101937.exe
C:\WINDOWS\system32\drivers\down\118390.exe
C:\WINDOWS\system32\drivers\down\122859.exe
C:\WINDOWS\system32\drivers\down\125390.exe
C:\WINDOWS\system32\drivers\down\126093.exe
C:\WINDOWS\system32\drivers\down\129984.exe
C:\WINDOWS\system32\drivers\down\135000.exe
C:\WINDOWS\system32\drivers\down\141578.exe
C:\WINDOWS\system32\drivers\down\148859.exe
C:\WINDOWS\system32\drivers\down\157296.exe
C:\WINDOWS\system32\drivers\down\163750.exe
C:\WINDOWS\system32\drivers\down\164406.exe
C:\WINDOWS\system32\drivers\down\170984.exe
C:\WINDOWS\system32\drivers\down\173500.exe
C:\WINDOWS\system32\drivers\down\189921.exe
C:\WINDOWS\system32\drivers\down\191593.exe
C:\WINDOWS\system32\drivers\down\193468.exe
C:\WINDOWS\system32\drivers\down\204390.exe
C:\WINDOWS\system32\drivers\down\208046.exe
C:\WINDOWS\system32\drivers\down\208515.exe
C:\WINDOWS\system32\drivers\down\211437.exe
C:\WINDOWS\system32\drivers\down\212593.exe
C:\WINDOWS\system32\drivers\down\213484.exe
C:\WINDOWS\system32\drivers\down\215546.exe
C:\WINDOWS\system32\drivers\down\222984.exe
C:\WINDOWS\system32\drivers\down\225984.exe
C:\WINDOWS\system32\drivers\down\228578.exe
C:\WINDOWS\system32\drivers\down\249953.exe
C:\WINDOWS\system32\drivers\down\253281.exe
C:\WINDOWS\system32\drivers\down\256093.exe
C:\WINDOWS\system32\drivers\down\261046.exe
C:\WINDOWS\system32\drivers\down\279687.exe
C:\WINDOWS\system32\drivers\down\306062.exe
C:\WINDOWS\system32\drivers\down\312593.exe
C:\WINDOWS\system32\drivers\down\324468.exe
C:\WINDOWS\system32\drivers\down\406343.exe
C:\WINDOWS\system32\drivers\down\421843.exe
C:\WINDOWS\system32\drivers\down\424187.exe
C:\WINDOWS\system32\drivers\down\426593.exe
C:\WINDOWS\system32\drivers\down\429156.exe
C:\WINDOWS\system32\drivers\down\442015.exe
C:\WINDOWS\system32\drivers\down\463906.exe
C:\WINDOWS\system32\drivers\down\514656.exe
C:\WINDOWS\system32\drivers\down\540265.exe
C:\WINDOWS\system32\drivers\down\567781.exe
C:\WINDOWS\system32\drivers\down\65093.exe
C:\WINDOWS\system32\drivers\down\71421.exe
C:\WINDOWS\system32\drivers\down\92078.exe
C:\WINDOWS\system32\drivers\down\98125.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_SROSA
-------\srosa
-------\LEGACY_SROSA
-------\srosa
-------\LEGACY_SROSA
-------\srosa
((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.
2008-01-23 13:50 . 2008-01-23 13:50 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-01-23 10:11 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 13:14 . 2008-01-22 13:14 250 --a------ C:\WINDOWS\gmer.ini
2008-01-21 12:21 . 2008-01-21 12:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-18 10:13 . 2007-01-18 14:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-14 13:09 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-01-14 12:56 . 2008-01-14 12:55 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-11 13:26 . 2008-01-11 13:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-03 14:33 . 2008-01-03 14:33 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-03 14:33 . 2008-01-03 14:33 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2008-01-03 14:33 . 2008-01-03 14:33 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-01-03 14:32 . 2008-01-03 14:32 <DIR> d-------- C:\Program Files\Logitech
2008-01-03 14:32 . 2008-01-14 14:07 <DIR> d-------- C:\Program Files\Common Files\Logishrd
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 12:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-20 11:01 --------- d-----w C:\Program Files\Orban
2007-12-13 07:48 --------- d-----w C:\Program Files\Windows Desktop Search
2007-12-05 12:55 --------- d-----w C:\Program Files\Skype
2007-12-05 12:55 --------- d-----w C:\Program Files\Common Files\Skype
2007-11-23 13:11 --------- d-----w C:\Program Files\MSBuild
2007-11-23 13:11 --------- d-----w C:\Program Files\Microsoft Works
2007-11-23 13:10 --------- d-----w C:\Program Files\Microsoft.NET
2007-11-23 13:04 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2006-05-09 12:38 4,263 --sh--w C:\WINDOWS\system32\Win33b.sys
.
((((((((((((((((((((((((((((( snapshot@2008-01-23_10.20.48.58 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-23 08:11:55 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-23 11:42:54 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-23 08:11:55 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-23 11:42:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-23 08:11:55 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-23 11:42:54 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-23 08:11:55 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-23 11:42:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-23 08:11:56 7,729,152 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-23 11:42:54 7,729,152 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-23 08:11:56 180,224 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-23 11:42:54 180,224 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-23 11:47:07 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_45c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2006-06-13 02:02 629046]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 04:15 106496]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-05-13 01:22 249856]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2006-06-13 02:02 629046]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 16:38 221184]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52 483328]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 12:48 77824 C:\WINDOWS\soundman.exe]
"IndexTray"="C:\Program Files\Sharp\Sharpdesk\IndexTray.exe" [2006-04-17 00:08 106496]
"SharpTray"="C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [2006-04-17 00:16 32768]
"TypeRegChecker"="C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe" [2006-04-17 00:09 57344]
"FtpServer.exe"="C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" [2006-04-18 10:10 692224]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-06-13 13:22:36 25214]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26 29696]
NETGEAR WG111v2 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 16:05:52 2297856]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-09-03 01:36:30 335872]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
--a------ 2003-10-14 11:52 2301952 C:\WINDOWS\CMICNFG.CPL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"AVGEMS"=3 (0x3)
"AvgClean"=3 (0x3)
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\cinemsup.sys [2002-07-19 08:10]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 10:55]
S0 ProtectON;ProtectON;C:\WINDOWS\system32\drivers\dksdrv2k.sys []
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 17:53]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 13:58]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 13:58]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 13:58]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 13:58]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 13:58]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 13:58]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 13:58]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2005-10-10 10:50]
S3 USRSp50;USRSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\USRSp50.sys [2005-09-28 14:53]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 13:50:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\RtlGina2.dll
.
ToroLoco
2008-01-23, 14:00
Hijackthis report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:39, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files\Sharp\Sharpdesk\FtpServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sharp\Sharpdesk\nsapp.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.*;127.0.0.*
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe" /n
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.quest.gr
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} (RtspVaPgCtrl Class) - http://192.168.0.107/RtspVaPgDec.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://mpapado.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163748485393
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A6250FD-F2CB-4384-A7C9-ED6CEC289E35}: NameServer = 194.30.220.114,194.30.220.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{697D0050-D592-4AF0-9232-7ACEE69887B5}: NameServer = 194.30.220.114,194.30.220.117
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A6250FD-F2CB-4384-A7C9-ED6CEC289E35}: NameServer = 194.30.220.114,194.30.220.117
O17 - HKLM\System\CS2\Services\Tcpip\..\{4A6250FD-F2CB-4384-A7C9-ED6CEC289E35}: NameServer = 194.30.220.114,194.30.220.117
O17 - HKLM\System\CS3\Services\Tcpip\..\{4A6250FD-F2CB-4384-A7C9-ED6CEC289E35}: NameServer = 194.30.220.114,194.30.220.117
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Unknown owner - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe (file missing)
--
End of file - 10830 bytes
ToroLoco
2008-01-23, 14:03
I can be online after 16:30 Finland local time and do all tests necessary. Since the pc is infected each time windows starts.
Hi
As I said you have to disconnect from the web until all cleaning is done. If you keep connected infection comes back and cleaning is useless.
ToroLoco
2008-01-23, 22:10
I am not getting connected. I have disabled my lan connection and I don't have access to internet (neither LAN), I am writting from another pc now. But each time that I disinfect the pc with combofix on the restart a window opens and then all the deleted files are back to their initial location.
It must have put the start program that installs the virus to a hidden location that none of the programs (hijackthis, combofix, AVG anti-rootkit, spybot etc) can't find and delete.
I have noticed on the registry that it has some entries with LEGACY_SROSA that whenever I try to delete it doesn't let me. And all the details ofthe keys are for srosa megadrv.
Hi
Let's see if Bootlog reveals something.
Make a Bootlog
A bootlog is a file where windows writes down which drivers are loaded and which not during startup.
Using Windows explorer, see if you find c:\windows\ntbtlog.txt - If it exists, delete the file.
Click Start then Run and type in msconfig in the edit box and hit Enter or click Ok.
Windows will prompt. Click Continue.
Select the Boot tab.
Check (tick) Boot log box.
Restart computer.
Click Start then Run and type in msconfig in the edit box and hit Enter or click Ok.
Windows will prompt. Click Continue.
Select the Boot tab.
Uncheck Boot log box.
This time you don't have to reboot.
Using Windows Explorer, locate c:\windows\ntbtlog.txt and post the content of the file.
Due to inactivity, this thread will now be closed.
Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.