Kagri
2008-04-13, 00:13
Hello!
I would greatly appreciate it if you could help me clean my bf parents' computer that's apparently full of malware. My main problem is that it won't let me install any of the anti-spyware software correctly, so I can't even start removing it.
This computer didn't have SP2 installed. I constantly see a message popping up saying "Your computer is infected!", and from what I understood this actually IS malware.
I tried to install Spybot but every time SpybotSD.exe is missing, so I cannot even run it.
Then I tried to install Windows Defender, but it also didn't install correctly... I also had to install SP2 before I could try installing Windows Defender. Q: should I just remove SP2 now? I read that first the computer has to be completely clean, which it obviously isn't...
There is Avira AntiVir installed which finds a Trojan horse every time but cannot do anything about it apparently (after I choose "delete" or "move to quarantine" it just appears again the next time the computer is started).
The Task Manager also doesn't work, it says that it's disabled by the administrator while it's 100% certain nobody disabled it... I guess it's the malware's doing, too.
This is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:10:58, on 12-4-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\khooker.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\hp deskjet 460 series\Toolbox\HPWRTBX.exe
C:\Program Files\Orange\GLOBAL\Mnu\igomnu.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Orange
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: MSTBR - {10CA15EA-C0A5-7CAF-B9E9-B8B2A87EFE11} - C:\PROGRA~1
\Wanadoo\GLOBAL\Mstbr\mstbr.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software
Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPWRTOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 460
series\Toolbox\HPWRTBX.exe "-i"
O4 - HKLM\..\Run: [mnu] C:\Program Files\Orange\GLOBAL\Mnu\igomnu.exe /S:T
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [mnu] C:\Program Files\Orange\GLOBAL\Mnu\igomnu.exe /S:T
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.nl/
O16 - DPF: AEP App Component 3.4 - https://www.vwblk.nl/tarantella/java/ttaC-du.cab
O16 - DPF: Netilla App Component 3.4 - https://www.vwblk.nl/tarantella/java/ttaC-du.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?
1207936918375
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://82.94.95.81/activex/AMC.cab
O16 - DPF: {91F52A42-C10D-49A7-B941-882C657C604F} (Installation Helper Object) -
http://kitcentral.wanadoo.nl/download/install/win32/nl/instwact/instwact.dll
O20 - AppInit_DLLs: cru629.dat
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program
Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program
Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia
Shared\Service\Macromedia Licensing.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec
Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH -
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
--
End of file - 6743 bytes
This is Kaspersky's log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 12, 2008 11:10:05 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/04/2008
Kaspersky Anti-Virus database records: 700383
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
Q:\
Scan Statistics:
Total number of scanned objects: 71694
Number of viruses found: 10
Number of infected objects: 70
Number of suspicious objects: 0
Duration of the scan process: 01:42:18
Infected Object Name / Virus Name / Last Action
C:\APPS\ActivBoard\mmkeybd.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\APPS\ActivSurf\4448364\Program\backweb-4448364.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\chandir.dat Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\chandir.idx Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\chn.dat Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\chn.idx Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\inuse.txt Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\L0000009.FCS Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\main.log Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\prs.dat Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\prs.idx Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\prs_die.dat Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\prs_die.idx Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\storydb.dat Object is locked skipped
C:\APPS\ActivSurf\4448364\Users\Default\Data\storydb.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Kees\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kees\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kees\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kees\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kees\Local Settings\Geschiedenis\History.IE5\MSHist012008041220080413\index.dat Object is locked skipped
C:\Documents and Settings\Kees\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kees\Local Settings\Temporary Internet Files\Content.IE5\U3O1CPQ1\Installer2[1].exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\Documents and Settings\Kees\ntuser.dat Object is locked skipped
C:\Documents and Settings\Kees\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Kees\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\OEMCUST\TOOLS\WIN32\PSKILL.EXE Infected: not-a-virus:NetTool.Win32.PsKill.a skipped
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\Hewlett-Packard\hp deskjet 460 series\Toolbox\hpwrtbx.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuschd.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmpmgr.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\MouseWare\system\em_exec.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\MSN Messenger\msnmsgr.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\Orange\GLOBAL\Mnu\igomnu.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\QuickTime\qttask.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\Virtual CD v4 SDK\System\vcsplay.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\sysbkvb.exe Infected: not-virus:Hoax.Win32.Renos.bmr skipped
C:\sysrvwg.exe Infected: Trojan.Win32.Inject.api skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP485\A0088171.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP485\A0088172.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP485\A0088186.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP485\A0088187.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP485\A0088201.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP485\A0088202.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP486\A0088229.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP486\A0088230.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP486\A0088254.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP486\A0088255.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP486\A0088269.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP486\A0088270.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP487\A0088284.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP487\A0088285.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP489\A0088304.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP489\A0088305.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP491\A0089304.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP491\A0089305.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP492\A0089319.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP492\A0089320.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP492\A0089364.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP492\A0089365.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP494\A0089386.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP494\A0089387.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP494\A0089403.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP495\A0089408.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP495\A0089409.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP495\A0089423.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP495\A0089424.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP495\A0089432.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP497\A0090935.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP497\A0090936.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP497\A0091317.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP498\A0091479.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP498\A0091480.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP498\A0091512.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP499\A0091516.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP499\A0091547.EXE Infected: not-a-virus:NetTool.Win32.PsKill.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP499\A0091565.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP499\A0091567.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP499\A0091579.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP500\A0091659.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP500\change.log Object is locked skipped
C:\WINDOWS\braviax.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\WINDOWS\cru629.dat Infected: Backdoor.Win32.Small.cyb skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\RESTORE.INS/C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE Infected: not-a-virus:NetTool.Win32.PsKill.a skipped
C:\WINDOWS\RESTORE.INS ARJ: infected - 1 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{12956B80-A5B9-4530-A65A-CCA8400B0120}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system\RESTORE.INS/C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE Infected: not-a-virus:NetTool.Win32.PsKill.a skipped
C:\WINDOWS\system\RESTORE.INS ARJ: infected - 1 skipped
C:\WINDOWS\system32\braviax.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\cru629.dat Infected: Backdoor.Win32.Small.cyb skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\khooker.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\WINDOWS\system32\univrs32.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\WINDOWS\system32\users32.dat Infected: Trojan.Win32.Agent.dyu skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winivstr.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Thank you very much for your time and I so hope this computer can be saved! :)
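Added example, not part of Kagri's post: the cross-check a helper does by hand on a log like this one, written as a small triage script. It parses the HijackThis O4 (Run keys), O20 (AppInit_DLLs) and O6 (policy restriction) lines, parses the "Infected:" lines of the Kaspersky report, and links each autostart entry to the scanner verdicts for the file it launches. The sample lines are copied from the two logs above (with the forum's line wrapping undone); the line formats assumed are exactly the ones visible in those logs. Note that the Trojan.Win32.Patched.bz hit on avgnt.ex_ is on a differently named file than the running avgnt.exe, so it is reported as a detection with no autostart entry rather than attached to the AntiVir tray program, and the AppInit_DLLs entry is a bare name, so it is matched by file name and picks up both cru629.dat copies.

```python
"""Triage helper: link HijackThis autostart entries to antivirus verdicts.

Constructed example for a forum thread; not part of the original post and
not a HijackThis or Kaspersky tool.  Assumes the line formats shown in the
logs posted above.
"""
import re
from dataclasses import dataclass, field

# Sample lines copied from the HijackThis and Kaspersky logs in the post,
# with the forum's line wrapping undone.
HJT_SAMPLE = r"""O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: cru629.dat
"""

KAV_SAMPLE = r"""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\sysrvwg.exe Infected: Trojan.Win32.Inject.api skipped
C:\WINDOWS\cru629.dat Infected: Backdoor.Win32.Small.cyb skipped
C:\WINDOWS\system32\braviax.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\cru629.dat Infected: Backdoor.Win32.Small.cyb skipped
"""


@dataclass
class Autostart:
    section: str   # HJT section: "O4" (Run key) or "O20" (AppInit_DLLs)
    name: str      # Run value name, or the DLL name for O20
    path: str      # full path from the command line, or a bare file name


@dataclass
class Detection:
    path: str
    verdict: str


@dataclass
class Triage:
    linked: list = field(default_factory=list)    # (Autostart, [Detection]) pairs
    unlinked: list = field(default_factory=list)  # detections no autostart references
    policies: list = field(default_factory=list)  # O6 policy-restriction keys


O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O6_RE = re.compile(r"^O6 - (?P<key>.+)$")
KAV_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")
# First token ending in an executable-style extension, followed by a space or end of line.
EXT_RE = re.compile(r"^(.+?\.(?:exe|dll|dat|scr|com))(?=\s|$)", re.IGNORECASE)


def command_path(cmd: str) -> str:
    """Pull the launched file out of a Run-key command line, quoted or not."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = EXT_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_hjt(text: str):
    """Return (autostart entries, policy keys) from HijackThis log lines."""
    autostarts, policies = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            autostarts.append(Autostart("O4", m["name"], command_path(m["cmd"])))
        elif m := O20_RE.match(line):
            for dll in re.split(r"[,\s]+", m["dlls"].strip()):
                if dll:
                    autostarts.append(Autostart("O20", dll, dll))
        elif m := O6_RE.match(line):
            policies.append(m["key"])
    return autostarts, policies


def parse_kav(text: str):
    """Keep only the 'Infected:' verdicts; 'Object is locked' lines are noise here."""
    return [Detection(m["path"], m["verdict"])
            for line in text.splitlines() if (m := KAV_RE.match(line.strip()))]


def run_triage(hjt_text: str, kav_text: str) -> Triage:
    autostarts, policies = parse_hjt(hjt_text)
    detections = parse_kav(kav_text)
    by_path = {d.path.lower(): d for d in detections}
    by_name = {}
    for d in detections:
        by_name.setdefault(basename(d.path), []).append(d)
    triage = Triage(policies=policies)
    referenced = set()
    for a in autostarts:
        if "\\" in a.path:                       # full path: exact, case-insensitive
            hits = [by_path[a.path.lower()]] if a.path.lower() in by_path else []
        else:                                    # bare name (AppInit_DLLs): by file name
            hits = by_name.get(a.path.lower(), [])
        if hits:
            triage.linked.append((a, hits))
            referenced.update(h.path.lower() for h in hits)
    triage.unlinked = [d for d in detections if d.path.lower() not in referenced]
    return triage


if __name__ == "__main__":
    t = run_triage(HJT_SAMPLE, KAV_SAMPLE)
    for a, hits in t.linked:
        print(f"{a.section} [{a.name}] {a.path} -> " + ", ".join(h.verdict for h in hits))
    for d in t.unlinked:
        print(f"detected, no autostart entry: {d.path} ({d.verdict})")
    for key in t.policies:
        print(f"policy restriction: {key}")
```

Read the linked list as "autostart entries whose target the scanner already calls malicious" and the unlinked list as "malicious files that something else must be starting or dropping"; both are leads for the helper, and the O6 entry is the same kind of policy lock the poster sees on Task Manager.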
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Kees\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kees\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kees\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kees\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kees\Local Settings\Geschiedenis\History.IE5\MSHist012008041220080413\index.dat Object is locked skipped
C:\Documents and Settings\Kees\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kees\Local Settings\Temporary Internet Files\Content.IE5\U3O1CPQ1\Installer2[1].exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\Documents and Settings\Kees\ntuser.dat Object is locked skipped
C:\Documents and Settings\Kees\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Kees\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\OEMCUST\TOOLS\WIN32\PSKILL.EXE Infected: not-a-virus:NetTool.Win32.PsKill.a skipped
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\Hewlett-Packard\hp deskjet 460 series\Toolbox\hpwrtbx.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuschd.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmpmgr.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\MouseWare\system\em_exec.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\MSN Messenger\msnmsgr.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\Orange\GLOBAL\Mnu\igomnu.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\QuickTime\qttask.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\Virtual CD v4 SDK\System\vcsplay.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\sysbkvb.exe Infected: not-virus:Hoax.Win32.Renos.bmr skipped
C:\sysrvwg.exe Infected: Trojan.Win32.Inject.api skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP485\A0088171.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP485\A0088172.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP485\A0088186.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP485\A0088187.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP485\A0088201.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP485\A0088202.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP486\A0088229.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP486\A0088230.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP486\A0088254.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP486\A0088255.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP486\A0088269.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP486\A0088270.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP487\A0088284.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP487\A0088285.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP489\A0088304.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP489\A0088305.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP491\A0089304.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP491\A0089305.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP492\A0089319.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP492\A0089320.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP492\A0089364.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP492\A0089365.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP494\A0089386.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP494\A0089387.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP494\A0089403.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP495\A0089408.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP495\A0089409.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP495\A0089423.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP495\A0089424.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP495\A0089432.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP497\A0090935.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP497\A0090936.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP497\A0091317.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP498\A0091479.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP498\A0091480.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP498\A0091512.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP499\A0091516.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP499\A0091547.EXE Infected: not-a-virus:NetTool.Win32.PsKill.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP499\A0091565.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP499\A0091567.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP499\A0091579.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP500\A0091659.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{43998A11-46B5-49E5-A241-3E03FA1E4E98}\RP500\change.log Object is locked skipped
C:\WINDOWS\braviax.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\WINDOWS\cru629.dat Infected: Backdoor.Win32.Small.cyb skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\RESTORE.INS/C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE Infected: not-a-virus:NetTool.Win32.PsKill.a skipped
C:\WINDOWS\RESTORE.INS ARJ: infected - 1 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{12956B80-A5B9-4530-A65A-CCA8400B0120}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system\RESTORE.INS/C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE Infected: not-a-virus:NetTool.Win32.PsKill.a skipped
C:\WINDOWS\system\RESTORE.INS ARJ: infected - 1 skipped
C:\WINDOWS\system32\braviax.exe Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\cru629.dat Infected: Backdoor.Win32.Small.cyb skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\khooker.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.ex_ Infected: Trojan.Win32.Patched.bz skipped
C:\WINDOWS\system32\univrs32.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\WINDOWS\system32\users32.dat Infected: Trojan.Win32.Agent.dyu skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winivstr.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Thank you very much for your time and I so hope this computer can be saved! :)