View Full Version : ctv*****.exe criptograhed malware. Need Help Pls!
Damn_VCT-exe
2009-10-20, 06:36
Hello tech people :)
Since a week ago my PC with OS Win XP Pro SP3 is slowing and web service using Firefox 3.5 / Opera 9 is revealing performance decrease. Just discovered two days ago on Task Manager (image follows) the constant presence of various ctv*****.exe always replicating with five digits, randomly. Even after deleted them on the C:\Documents and Settings\[user]\Local Settings\temp\ directory folder the cvt files remains. Antivirus Avast 4.x and SpyBot even running on Safe Mode didn't detected these files in order to fix the problem.
Hjthis log file follows as ... :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:16, on 20-10-2009
Platform: Windows XP SP3, v.5857 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\UnsignedThemesSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ALCXMNTR.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\ctv16991.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com (http://www.google.com)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1255038252750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255716346265
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Unsigned Themes (UnsignedThemes) - The Within Network, LLC - C:\WINDOWS\UnsignedThemesSvc.exe
O24 - Desktop Component 0: (no name) - (no file)
GMER log file as follows:
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-19 19:25:55
Windows 5.1.2600 Service Pack 3, v.5857
Running: 33y9tx84.exe; Driver: C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\kxldapob.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAssignProcessToJobObject [0xB031CA60]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB022C6B8]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwConnectPort [0xB031E920]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateFile [0xB02FDF60]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB022C574]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcess [0xB03152B0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcessEx [0xB0315BB0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSection [0xB02FCD10]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSymbolicLinkObject [0xB0308E40]
SSDT B9F5878C ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDebugActiveProcess [0xB0321F30]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteFile [0xB0307B20]
SSDT B9F5879B ZwDeleteKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB022CA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB022C14C]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwLoadDriver [0xB0312BB0]
SSDT B9F587AA ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwMakeTemporaryObject [0xB03086B0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenFile [0xB0300C10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB022C64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB022C08C]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenSection [0xB02FD580]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB022C0F0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwProtectVirtualMemory [0xB031DDA0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xB03028A0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryKey [0xB030C750]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB022C76E]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueueApcThread [0xB031BED0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRenameKey [0xB0310590]
SSDT B9F587B4 ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestPort [0xB0320A50]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestWaitReplyPort [0xB0320D70]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB022C72E]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKey [0xB030EC80]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKeyEx [0xB030F4D0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSecureConnectPort [0xB031F480]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetContextThread [0xB031B440]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationDebugObject [0xB0322520]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationFile [0xB0303BF0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetSystemInformation [0xB03121C0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB022C8AE]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendProcess [0xB031A190]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendThread [0xB031AAC0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSystemDebugControl [0xB0321770]
SSDT B9F58787 ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateThread [0xB0319620]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwUnloadDriver [0xB0313530]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteVirtualMemory [0xB031D2B0]
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + C8 804E2724 4 Bytes JMP A040D75A
.text ntoskrnl.exe!_abnormal_termination + 394 804E29F0 1 Byte [80]
.text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 12 Bytes [90, A1, 31, B0, C0, AA, 31, ...] {NOP ; MOV EAX, [0xaac0b031]; XOR [EAX-0x4fcde890], ESI}
---- User code sections - GMER 1.0.15 ----
.text C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe[184] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 00522570 C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe (Agnitum Outpost Service/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0059EB4C C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] kernel32.dll!LoadResource 7C80A055 5 Bytes JMP 0059E828 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0059EA88 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!EnableWindow 7E41BE69 5 Bytes JMP 0116944C C:\PROGRA~1\Agnitum\OUTPOS~1\op_cmn.dll (Outpost Common Controls Library/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!SetWindowsHookExW 7E42DFFE 5 Bytes JMP 0059EB20 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!SetWindowsHookExA 7E431221 5 Bytes JMP 0059EAF4 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B0312190] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B02FF130] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@start 4
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@imagepath \systemroot\system32\drivers\gasfkywafaqhou.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@aid 20188
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@svchost.exe gasfkyconu.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywafaqhou.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkycmd.dll \systemroot\system32\gasfkyltouorpl.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkylog.dat \systemroot\system32\gasfkytylswgqd.dat
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkywsp.dll \systemroot\system32\gasfkykejfuuwk.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfky.dat \systemroot\system32\gasfkyofyaacup.dat
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkywsp8.dll \systemroot\system32\gasfkysjmutwvp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkycony.dll \systemroot\system32\gasfkyofdwqnqe.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkyconu.dll \systemroot\system32\gasfkythoptnkp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@start 4
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@imagepath \systemroot\system32\drivers\gasfkywafaqhou.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@aid 20188
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector@svchost.exe gasfkyconu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywafaqhou.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkycmd.dll \systemroot\system32\gasfkyltouorpl.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkylog.dat \systemroot\system32\gasfkytylswgqd.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkywsp.dll \systemroot\system32\gasfkykejfuuwk.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfky.dat \systemroot\system32\gasfkyofyaacup.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkywsp8.dll \systemroot\system32\gasfkysjmutwvp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkycony.dll \systemroot\system32\gasfkyofdwqnqe.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkyconu.dll \systemroot\system32\gasfkythoptnkp.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION 88AC12D0D1B72D6A66F421C03202A9A37A23F63DCB493BC00933435
B8ADCBFCB05A47301ABAD8120B88C8CDDE6BFD306F2EC952632F6CA1D5
AE395A68DA3780FBA289B23E3ECC51B6D53578674FED0F15382C76559975
CD858BCF2CCFEBC9E127BECC74CFEBC9E127BECC74
CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74
CFEBC9E127BECC74CA6A0AC4980AC7933C038D530D6EB34528
EDD5E5BE2F6E667FEBC9E127BECC74C2CAD362A5080C0BCD0FB007
AEE282B063BC7F03F82D08BE29CDEFC19C17DCF85675FEF9F51
FEDCCE4BBA6B0C48D8C622C58E622CC6809B82BC462C2DA06
CBD07338D29B58E69CD98839A744E7651A982ACBC2496C27
DF05436461FD0C8982013993AFD3BBEBC3F3542587E3442
DA9A781E6D84B56EFA0A0138F6AB2104C64FC4691A6ECF1D
68805699E6D303F7B300EA08EE349647A5884030258B8E9FAE
464D34965BEB68D085C05AED1ED6658BE7D0A0C64897CD
9932E15652DD5DEC78A46D4FCE0F57E2CDE7CA1CC6F01EE
009843ADE2A3C6C06E871C7A332A426C3C52B7DD69232B053
AA6061BA003D1C40C22845FD07EC9E781BD368D42E46567
A294369A667D6E804A7D00655DCDE67DEC74E2800FB1
A08B2290C4DE8618DAE712875AFE388ED4744F9BC4C4E530
FE91D18112EA85CE959C5026E16A81D28C3083F7264
F0E1D06466C8CC5B4E8DF064DE2A3433FE2FE59
--
End of file - 6871 bytes
[B]Would appreciate kind help ASAP :thanks:
Hi,
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Damn_VCT-exe
2009-10-22, 17:35
DDS.com log files attached.
Thanks for your help :bigthumb:
Hello tech people :)
Since a week ago my PC with OS Win XP Pro SP3 is slowing and web service using Firefox 3.5 / Opera 9 is revealing performance decrease. Just discovered two days ago on Task Manager (image follows) the constant presence of various ctv*****.exe always replicating with five digits, randomly. Even after deleted them on the C:\Documents and Settings\[user]\Local Settings\temp\ directory folder the cvt files remains. Antivirus Avast 4.x and SpyBot even running on Safe Mode didn't detected these files in order to fix the problem.
Hjthis log file follows as ... :
DDS.com log files attached
Thanks for your help
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:16, on 20-10-2009
Platform: Windows XP SP3, v.5857 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\UnsignedThemesSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ALCXMNTR.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\ctv16991.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com (http://www.google.com)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1255038252750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255716346265
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Unsigned Themes (UnsignedThemes) - The Within Network, LLC - C:\WINDOWS\UnsignedThemesSvc.exe
O24 - Desktop Component 0: (no name) - (no file)
GMER log file as follows:
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-19 19:25:55
Windows 5.1.2600 Service Pack 3, v.5857
Running: 33y9tx84.exe; Driver: C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\kxldapob.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAssignProcessToJobObject [0xB031CA60]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB022C6B8]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwConnectPort [0xB031E920]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateFile [0xB02FDF60]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB022C574]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcess [0xB03152B0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcessEx [0xB0315BB0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSection [0xB02FCD10]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSymbolicLinkObject [0xB0308E40]
SSDT B9F5878C ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDebugActiveProcess [0xB0321F30]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteFile [0xB0307B20]
SSDT B9F5879B ZwDeleteKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB022CA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB022C14C]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwLoadDriver [0xB0312BB0]
SSDT B9F587AA ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwMakeTemporaryObject [0xB03086B0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenFile [0xB0300C10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB022C64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB022C08C]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenSection [0xB02FD580]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB022C0F0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwProtectVirtualMemory [0xB031DDA0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xB03028A0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryKey [0xB030C750]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB022C76E]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueueApcThread [0xB031BED0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRenameKey [0xB0310590]
SSDT B9F587B4 ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestPort [0xB0320A50]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestWaitReplyPort [0xB0320D70]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB022C72E]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKey [0xB030EC80]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKeyEx [0xB030F4D0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSecureConnectPort [0xB031F480]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetContextThread [0xB031B440]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationDebugObject [0xB0322520]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationFile [0xB0303BF0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetSystemInformation [0xB03121C0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB022C8AE]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendProcess [0xB031A190]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendThread [0xB031AAC0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSystemDebugControl [0xB0321770]
SSDT B9F58787 ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateThread [0xB0319620]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwUnloadDriver [0xB0313530]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteVirtualMemory [0xB031D2B0]
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + C8 804E2724 4 Bytes JMP A040D75A
.text ntoskrnl.exe!_abnormal_termination + 394 804E29F0 1 Byte [80]
.text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 12 Bytes [90, A1, 31, B0, C0, AA, 31, ...] {NOP ; MOV EAX, [0xaac0b031]; XOR [EAX-0x4fcde890], ESI}
---- User code sections - GMER 1.0.15 ----
.text C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe[184] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 00522570 C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe (Agnitum Outpost Service/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0059EB4C C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] kernel32.dll!LoadResource 7C80A055 5 Bytes JMP 0059E828 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0059EA88 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!EnableWindow 7E41BE69 5 Bytes JMP 0116944C C:\PROGRA~1\Agnitum\OUTPOS~1\op_cmn.dll (Outpost Common Controls Library/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!SetWindowsHookExW 7E42DFFE 5 Bytes JMP 0059EB20 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!SetWindowsHookExA 7E431221 5 Bytes JMP 0059EAF4 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B0312190] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B02FF130] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@start 4
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@imagepath \systemroot\system32\drivers\gasfkywafaqhou.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@aid 20188
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@svchost.exe gasfkyconu.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywafaqhou.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkycmd.dll \systemroot\system32\gasfkyltouorpl.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkylog.dat \systemroot\system32\gasfkytylswgqd.dat
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkywsp.dll \systemroot\system32\gasfkykejfuuwk.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfky.dat \systemroot\system32\gasfkyofyaacup.dat
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkywsp8.dll \systemroot\system32\gasfkysjmutwvp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkycony.dll \systemroot\system32\gasfkyofdwqnqe.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkyconu.dll \systemroot\system32\gasfkythoptnkp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@start 4
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@imagepath \systemroot\system32\drivers\gasfkywafaqhou.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@aid 20188
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector@svchost.exe gasfkyconu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywafaqhou.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkycmd.dll \systemroot\system32\gasfkyltouorpl.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkylog.dat \systemroot\system32\gasfkytylswgqd.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkywsp.dll \systemroot\system32\gasfkykejfuuwk.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfky.dat \systemroot\system32\gasfkyofyaacup.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkywsp8.dll \systemroot\system32\gasfkysjmutwvp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkycony.dll \systemroot\system32\gasfkyofdwqnqe.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkyconu.dll \systemroot\system32\gasfkythoptnkp.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION 88AC12D0D1B72D6A66F421C03202A9A37A23F63DCB493BC00933435
B8ADCBFCB05A47301ABAD8120B88C8CDDE6BFD306F2EC952632F6CA1D5
AE395A68DA3780FBA289B23E3ECC51B6D53578674FED0F15382C76559975
CD858BCF2CCFEBC9E127BECC74CFEBC9E127BECC74
CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74
CFEBC9E127BECC74CA6A0AC4980AC7933C038D530D6EB34528
EDD5E5BE2F6E667FEBC9E127BECC74C2CAD362A5080C0BCD0FB007
AEE282B063BC7F03F82D08BE29CDEFC19C17DCF85675FEF9F51
FEDCCE4BBA6B0C48D8C622C58E622CC6809B82BC462C2DA06
CBD07338D29B58E69CD98839A744E7651A982ACBC2496C27
DF05436461FD0C8982013993AFD3BBEBC3F3542587E3442
DA9A781E6D84B56EFA0A0138F6AB2104C64FC4691A6ECF1D
68805699E6D303F7B300EA08EE349647A5884030258B8E9FAE
464D34965BEB68D085C05AED1ED6658BE7D0A0C64897CD
9932E15652DD5DEC78A46D4FCE0F57E2CDE7CA1CC6F01EE
009843ADE2A3C6C06E871C7A332A426C3C52B7DD69232B053
AA6061BA003D1C40C22845FD07EC9E781BD368D42E46567
A294369A667D6E804A7D00655DCDE67DEC74E2800FB1
A08B2290C4DE8618DAE712875AFE388ED4744F9BC4C4E530
FE91D18112EA85CE959C5026E16A81D28C3083F7264
F0E1D06466C8CC5B4E8DF064DE2A3433FE2FE59
--
End of file - 6871 bytes
[B]Would appreciate kind help ASAP :thanks:
Hi again :)
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
µTorrent
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
You seem to have run ComboFix there (not recommended without trained helper's supervision!). Post contents of c:\combofix.txt log, please.
Damn_VCT-exe
2009-10-23, 11:53
Hi again :)
Combofix log file zipped and attached
Thanks :thanks:
Hi again :)
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
µTorrent
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
You seem to have run ComboFix there (not recommended without trained helper's supervision!). Post contents of c:\combofix.txt log, please.
Hi,
Open MBAM and update its definitions. Then run a full scan with it. Post back the report.
Damn_VCT-exe
2009-10-25, 02:45
MBAM log attached. Trojans deleted and quarentined although has already done this and files are always replicating randomly
Thanks
Hi,
Open MBAM and update its definitions. Then run a full scan with it. Post back the report.
Hi,
Upload these files to http://www.virustotal.com and post back the results:
c:\windows\system32\oodtray.exe
c:\windows\system32\taskswitch.exe
Open notepad and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?p=343681#post343681
Suspect::
c:\documents and settings\bferry_pt\alcxmntr.exe
c:\documents and settings\bferry_pt\alcxmntr .exe
c:\windows\system32\l3fmoeusvvbr.dll
c:\windows\system32\l3fmoetsvvsr.exe70
c:\windows\system32\l3fmoetsvvsr.exe112
c:\windows\system32\l3fmoetsvvsr.exe
Driver::
NPHJLURBWVFY
UQRYGVQ
File::
c:\docume~1\BFERRY~1\LOCALS~1\Temp\NPHJLURBWVFY.exe
c:\docume~1\BFERRY~1\LOCALS~1\Temp\UQRYGVQ.exe
Folder::
c:\documents and settings\BFERRY_PT\Application Data\uTorrent
c:\program files\uTorrent
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe. Keep network connection enabled and follow given instructions to submit some file samples.
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
Damn_VCT-exe
2009-10-25, 22:05
Virus Total scan results for oodtray.exe (2 files with same name and extension ... ) and taskswitch.exe (2 files either):
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.25 Trojan-Downloader.Win32.Small!IK
AhnLab-V3 5.0.0.2 2009.10.23 -
AntiVir 7.9.1.44 2009.10.23 TR/Dldr.Small.anvz
Antiy-AVL 2.0.3.7 2009.10.23 Trojan/Win32.Small.gen
Authentium 5.1.2.4 2009.10.25 -
Avast 4.8.1351.0 2009.10.25 -
AVG 8.5.0.423 2009.10.25 Worm/Koobface.K
BitDefender 7.2 2009.10.25 -
CAT-QuickHeal 10.00 2009.10.24 TrojanDownloader.Small.anvz
ClamAV 0.94.1 2009.10.25 Trojan.Downloader-80685
Comodo 2729 2009.10.25 UnclassifiedMalware
DrWeb 5.0.0.12182 2009.10.25 -
eSafe 7.0.17.0 2009.10.25 Win32.Adclicker
eTrust-Vet 35.1.7082 2009.10.23 Win32/Donloz.ADF
F-Prot 4.5.1.85 2009.10.25 -
F-Secure 9.0.15370.0 2009.10.22 -
Fortinet 3.120.0.0 2009.10.25 W32/Small.ANVZ!tr.dldr
GData 19 2009.10.25 -
Ikarus T3.1.1.72.0 2009.10.25 Trojan-Downloader.Win32.Small
Jiangmin 11.0.800 2009.10.24 TrojanDownloader.Small.aokk
K7AntiVirus 7.10.879 2009.10.24 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.10.25 Trojan-Downloader.Win32.Small.anvz
McAfee 5782 2009.10.25 -
McAfee+Artemis 5782 2009.10.25 Artemis!EC3170C08663
McAfee-GW-Edition 6.8.5 2009.10.25 Heuristic.BehavesLike.Win32.PasswordStealer.H
Microsoft 1.5202 2009.10.25 Trojan:Win32/Meredrop
NOD32 4541 2009.10.25 Win32/TrojanDownloader.Unruy.AA
Norman 6.03.02 2009.10.23 -
nProtect 2009.1.8.0 2009.10.25 Trojan-Downloader/W32.Small.30720.O
Panda 10.0.2.2 2009.10.25 Trj/Downloader.MDW
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.25 -
Rising 21.52.62.00 2009.10.25 -
Sophos 4.46.0 2009.10.25 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.10.25 -
Symantec 1.4.4.12 2009.10.25 Trojan.Adclicker
TheHacker 6.5.0.2.053 2009.10.24 -
TrendMicro 8.950.0.1094 2009.10.25 -
VBA32 3.12.10.11 2009.10.23 -
ViRobot 2009.10.23.2003 2009.10.23 -
VirusBuster 4.6.5.0 2009.10.25 -
Additional information
File size: 30720 bytes
MD5...: ec3170c08663951a14a20d4981790521
SHA1..: 23c7ec2432f55d59537b84dc011f6bbcfa6638f9
SHA256: 2ef4cbc616d5574120ef15d118e11c1e213b7a69adf6baaf6b074f136a473352
ssdeep: 768:KtJNldbYDMdwnIkmJFustctrUhQFyP+LDkfboboW9Y:KtJJA2cDkfbQoW+
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x3a9f
timedatestamp.....: 0x4acbfd72 (Wed Oct 07 02:31:14 2009)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2b7e 0x2c00 5.86 327a07d66b104d0284f499a4dc2756ca
.rdata 0x4000 0x2c6 0x400 3.68 273c9b096c2382ba84e7db5be3659569
.data 0x5000 0x10af0 0x4400 6.81 6c70b9c9059b2bbb018f92303ade017e
( 1 imports )
> KERNEL32.dll: GetFileAttributesExA, HeapDestroy, Sleep, HeapFree, QueryPerformanceCounter, HeapCreate, HeapAlloc, GetProcessHeap, CloseHandle, GetTickCount, ReadFile, SetFilePointer, CreateFileA, ExitProcess, GetModuleFileNameA, VirtualAlloc, VirtualProtect, VirtualFree, GetProcAddress, LoadLibraryA, IsBadReadPtr, lstrcmpiA, FreeLibrary, HeapReAlloc, GetModuleHandleA, GetStartupInfoA, GetCommandLineA
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
....
File oodtray.exe received on 2009.10.25 19:48:44 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 22/41 (53.66%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.25 Trojan-Downloader.Win32.Small!IK
AhnLab-V3 5.0.0.2 2009.10.23 -
AntiVir 7.9.1.44 2009.10.23 TR/Dldr.Small.anvz
Antiy-AVL 2.0.3.7 2009.10.23 Trojan/Win32.Small.gen
Authentium 5.1.2.4 2009.10.25 -
Avast 4.8.1351.0 2009.10.25 -
AVG 8.5.0.423 2009.10.25 Worm/Koobface.K
BitDefender 7.2 2009.10.25 -
CAT-QuickHeal 10.00 2009.10.24 TrojanDownloader.Small.anvz
ClamAV 0.94.1 2009.10.25 Trojan.Downloader-80685
Comodo 2729 2009.10.25 UnclassifiedMalware
DrWeb 5.0.0.12182 2009.10.25 -
eSafe 7.0.17.0 2009.10.25 Win32.Adclicker
eTrust-Vet 35.1.7082 2009.10.23 Win32/Donloz.ADF
F-Prot 4.5.1.85 2009.10.25 -
F-Secure 9.0.15370.0 2009.10.22 -
Fortinet 3.120.0.0 2009.10.25 W32/Small.ANVZ!tr.dldr
GData 19 2009.10.25 -
Ikarus T3.1.1.72.0 2009.10.25 Trojan-Downloader.Win32.Small
Jiangmin 11.0.800 2009.10.24 TrojanDownloader.Small.aokk
K7AntiVirus 7.10.879 2009.10.24 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.10.25 Trojan-Downloader.Win32.Small.anvz
McAfee 5782 2009.10.25 -
McAfee+Artemis 5782 2009.10.25 Artemis!EC3170C08663
McAfee-GW-Edition 6.8.5 2009.10.25 Heuristic.BehavesLike.Win32.PasswordStealer.H
Microsoft 1.5202 2009.10.25 Trojan:Win32/Meredrop
NOD32 4541 2009.10.25 Win32/TrojanDownloader.Unruy.AA
Norman 6.03.02 2009.10.23 -
nProtect 2009.1.8.0 2009.10.25 Trojan-Downloader/W32.Small.30720.O
Panda 10.0.2.2 2009.10.25 Trj/Downloader.MDW
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.25 -
Rising 21.52.62.00 2009.10.25 -
Sophos 4.46.0 2009.10.25 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.10.25 -
Symantec 1.4.4.12 2009.10.25 Trojan.Adclicker
TheHacker 6.5.0.2.053 2009.10.24 -
TrendMicro 8.950.0.1094 2009.10.25 -
VBA32 3.12.10.11 2009.10.23 -
ViRobot 2009.10.23.2003 2009.10.23 -
VirusBuster 4.6.5.0 2009.10.25 -
Additional information
File size: 30720 bytes
MD5...: ec3170c08663951a14a20d4981790521
SHA1..: 23c7ec2432f55d59537b84dc011f6bbcfa6638f9
SHA256: 2ef4cbc616d5574120ef15d118e11c1e213b7a69adf6baaf6b074f136a473352
ssdeep: 768:KtJNldbYDMdwnIkmJFustctrUhQFyP+LDkfboboW9Y:KtJJA2cDkfbQoW+
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x3a9f
timedatestamp.....: 0x4acbfd72 (Wed Oct 07 02:31:14 2009)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2b7e 0x2c00 5.86 327a07d66b104d0284f499a4dc2756ca
.rdata 0x4000 0x2c6 0x400 3.68 273c9b096c2382ba84e7db5be3659569
.data 0x5000 0x10af0 0x4400 6.81 6c70b9c9059b2bbb018f92303ade017e
( 1 imports )
> KERNEL32.dll: GetFileAttributesExA, HeapDestroy, Sleep, HeapFree, QueryPerformanceCounter, HeapCreate, HeapAlloc, GetProcessHeap, CloseHandle, GetTickCount, ReadFile, SetFilePointer, CreateFileA, ExitProcess, GetModuleFileNameA, VirtualAlloc, VirtualProtect, VirtualFree, GetProcAddress, LoadLibraryA, IsBadReadPtr, lstrcmpiA, FreeLibrary, HeapReAlloc, GetModuleHandleA, GetStartupInfoA, GetCommandLineA
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
----------------------
File taskswitch_.exe received on 2009.10.25 19:59:29 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 22/41 (53.66%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.25 Trojan-Downloader.Win32.Small!IK
AhnLab-V3 5.0.0.2 2009.10.23 -
AntiVir 7.9.1.44 2009.10.23 TR/Dldr.Small.anvz
Antiy-AVL 2.0.3.7 2009.10.23 Trojan/Win32.Small.gen
Authentium 5.1.2.4 2009.10.25 -
Avast 4.8.1351.0 2009.10.25 -
AVG 8.5.0.423 2009.10.25 Worm/Koobface.K
BitDefender 7.2 2009.10.25 -
CAT-QuickHeal 10.00 2009.10.24 TrojanDownloader.Small.anvz
ClamAV 0.94.1 2009.10.25 Trojan.Downloader-80685
Comodo 2729 2009.10.25 UnclassifiedMalware
DrWeb 5.0.0.12182 2009.10.25 -
eSafe 7.0.17.0 2009.10.25 Win32.Adclicker
eTrust-Vet 35.1.7082 2009.10.23 Win32/Donloz.ADF
F-Prot 4.5.1.85 2009.10.25 -
F-Secure 9.0.15370.0 2009.10.22 -
Fortinet 3.120.0.0 2009.10.25 W32/Small.ANVZ!tr.dldr
GData 19 2009.10.25 -
Ikarus T3.1.1.72.0 2009.10.25 Trojan-Downloader.Win32.Small
Jiangmin 11.0.800 2009.10.24 TrojanDownloader.Small.aokk
K7AntiVirus 7.10.879 2009.10.24 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.10.25 Trojan-Downloader.Win32.Small.anvz
McAfee 5782 2009.10.25 -
McAfee+Artemis 5782 2009.10.25 Artemis!EC3170C08663
McAfee-GW-Edition 6.8.5 2009.10.25 Heuristic.BehavesLike.Win32.PasswordStealer.H
Microsoft 1.5202 2009.10.25 Trojan:Win32/Meredrop
NOD32 4541 2009.10.25 Win32/TrojanDownloader.Unruy.AA
Norman 6.03.02 2009.10.23 -
nProtect 2009.1.8.0 2009.10.25 Trojan-Downloader/W32.Small.30720.O
Panda 10.0.2.2 2009.10.25 Trj/Downloader.MDW
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.25 -
Rising 21.52.62.00 2009.10.25 -
Sophos 4.46.0 2009.10.25 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.10.25 -
Symantec 1.4.4.12 2009.10.25 Trojan.Adclicker
TheHacker 6.5.0.2.053 2009.10.24 -
TrendMicro 8.950.0.1094 2009.10.25 -
VBA32 3.12.10.11 2009.10.23 -
ViRobot 2009.10.23.2003 2009.10.23 -
VirusBuster 4.6.5.0 2009.10.25 -
Additional information
File size: 30720 bytes
MD5...: ec3170c08663951a14a20d4981790521
SHA1..: 23c7ec2432f55d59537b84dc011f6bbcfa6638f9
SHA256: 2ef4cbc616d5574120ef15d118e11c1e213b7a69adf6baaf6b074f136a473352
ssdeep: 768:KtJNldbYDMdwnIkmJFustctrUhQFyP+LDkfboboW9Y:KtJJA2cDkfbQoW+
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x3a9f
timedatestamp.....: 0x4acbfd72 (Wed Oct 07 02:31:14 2009)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2b7e 0x2c00 5.86 327a07d66b104d0284f499a4dc2756ca
.rdata 0x4000 0x2c6 0x400 3.68 273c9b096c2382ba84e7db5be3659569
.data 0x5000 0x10af0 0x4400 6.81 6c70b9c9059b2bbb018f92303ade017e
( 1 imports )
> KERNEL32.dll: GetFileAttributesExA, HeapDestroy, Sleep, HeapFree, QueryPerformanceCounter, HeapCreate, HeapAlloc, GetProcessHeap, CloseHandle, GetTickCount, ReadFile, SetFilePointer, CreateFileA, ExitProcess, GetModuleFileNameA, VirtualAlloc, VirtualProtect, VirtualFree, GetProcAddress, LoadLibraryA, IsBadReadPtr, lstrcmpiA, FreeLibrary, HeapReAlloc, GetModuleHandleA, GetStartupInfoA, GetCommandLineA
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
-----------------------
File taskswitch.exe received on 2009.10.25 20:01:43 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 22/41 (53.66%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.25 Trojan-Downloader.Win32.Small!IK
AhnLab-V3 5.0.0.2 2009.10.23 -
AntiVir 7.9.1.44 2009.10.23 TR/Dldr.Small.anvz
Antiy-AVL 2.0.3.7 2009.10.23 Trojan/Win32.Small.gen
Authentium 5.1.2.4 2009.10.25 -
Avast 4.8.1351.0 2009.10.25 -
AVG 8.5.0.423 2009.10.25 Worm/Koobface.K
BitDefender 7.2 2009.10.25 -
CAT-QuickHeal 10.00 2009.10.24 TrojanDownloader.Small.anvz
ClamAV 0.94.1 2009.10.25 Trojan.Downloader-80685
Comodo 2729 2009.10.25 UnclassifiedMalware
DrWeb 5.0.0.12182 2009.10.25 -
eSafe 7.0.17.0 2009.10.25 Win32.Adclicker
eTrust-Vet 35.1.7082 2009.10.23 Win32/Donloz.ADF
F-Prot 4.5.1.85 2009.10.25 -
F-Secure 9.0.15370.0 2009.10.22 -
Fortinet 3.120.0.0 2009.10.25 W32/Small.ANVZ!tr.dldr
GData 19 2009.10.25 -
Ikarus T3.1.1.72.0 2009.10.25 Trojan-Downloader.Win32.Small
Jiangmin 11.0.800 2009.10.24 TrojanDownloader.Small.aokk
K7AntiVirus 7.10.879 2009.10.24 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.10.25 Trojan-Downloader.Win32.Small.anvz
McAfee 5782 2009.10.25 -
McAfee+Artemis 5782 2009.10.25 Artemis!EC3170C08663
McAfee-GW-Edition 6.8.5 2009.10.25 Heuristic.BehavesLike.Win32.PasswordStealer.H
Microsoft 1.5202 2009.10.25 Trojan:Win32/Meredrop
NOD32 4541 2009.10.25 Win32/TrojanDownloader.Unruy.AA
Norman 6.03.02 2009.10.23 -
nProtect 2009.1.8.0 2009.10.25 Trojan-Downloader/W32.Small.30720.O
Panda 10.0.2.2 2009.10.25 Trj/Downloader.MDW
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.25 -
Rising 21.52.62.00 2009.10.25 -
Sophos 4.46.0 2009.10.25 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.10.25 -
Symantec 1.4.4.12 2009.10.25 Trojan.Adclicker
TheHacker 6.5.0.2.053 2009.10.24 -
TrendMicro 8.950.0.1094 2009.10.25 -
VBA32 3.12.10.11 2009.10.23 -
ViRobot 2009.10.23.2003 2009.10.23 -
VirusBuster 4.6.5.0 2009.10.25 -
Additional information
File size: 30720 bytes
MD5...: ec3170c08663951a14a20d4981790521
SHA1..: 23c7ec2432f55d59537b84dc011f6bbcfa6638f9
SHA256: 2ef4cbc616d5574120ef15d118e11c1e213b7a69adf6baaf6b074f136a473352
ssdeep: 768:KtJNldbYDMdwnIkmJFustctrUhQFyP+LDkfboboW9Y:KtJJA2cDkfbQoW+
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x3a9f
timedatestamp.....: 0x4acbfd72 (Wed Oct 07 02:31:14 2009)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2b7e 0x2c00 5.86 327a07d66b104d0284f499a4dc2756ca
.rdata 0x4000 0x2c6 0x400 3.68 273c9b096c2382ba84e7db5be3659569
.data 0x5000 0x10af0 0x4400 6.81 6c70b9c9059b2bbb018f92303ade017e
( 1 imports )
> KERNEL32.dll: GetFileAttributesExA, HeapDestroy, Sleep, HeapFree, QueryPerformanceCounter, HeapCreate, HeapAlloc, GetProcessHeap, CloseHandle, GetTickCount, ReadFile, SetFilePointer, CreateFileA, ExitProcess, GetModuleFileNameA, VirtualAlloc, VirtualProtect, VirtualFree, GetProcAddress, LoadLibraryA, IsBadReadPtr, lstrcmpiA, FreeLibrary, HeapReAlloc, GetModuleHandleA, GetStartupInfoA, GetCommandLineA
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Hi,
Upload these files to http://www.virustotal.com and post back the results:
c:\windows\system32\oodtray.exe
c:\windows\system32\taskswitch.exe
Open notepad and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?p=343681#post343681
Suspect::
c:\documents and settings\bferry_pt\alcxmntr.exe
c:\documents and settings\bferry_pt\alcxmntr .exe
c:\windows\system32\l3fmoeusvvbr.dll
c:\windows\system32\l3fmoetsvvsr.exe70
c:\windows\system32\l3fmoetsvvsr.exe112
c:\windows\system32\l3fmoetsvvsr.exe
Driver::
NPHJLURBWVFY
UQRYGVQ
File::
c:\docume~1\BFERRY~1\LOCALS~1\Temp\NPHJLURBWVFY.exe
c:\docume~1\BFERRY~1\LOCALS~1\Temp\UQRYGVQ.exe
Folder::
c:\documents and settings\BFERRY_PT\Application Data\uTorrent
c:\program files\uTorrent
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe. Keep network connection enabled and follow given instructions to submit some file samples.
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
Thanks for the results. Shall see for further steps after those other things are done :)
Damn_VCT-exe
2009-10-26, 20:43
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, October 26, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3, v.5857 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, October 25, 2009 21:14:38
Records in database: 3073285
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
A:\
C:\
D:\
G:\
H:\
Scan statistics
Objects scanned 81203
Threats found 5
Infected objects found 251
Suspicious objects found 0
Scan duration 19:49:51
File name Threat Threats count
C:\WINDOWS\system32\ALCXMNTR.EXE/C:\WINDOWS\system32\ALCXMNTR.EXE Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\ctv5835.exe/C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\ctv5835.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\alcxmntr .exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Documents and Settings\BFERRY_PT\alcxmntr.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv1205.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv2127.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv279.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv3054.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv3975.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv4900.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv5835.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv6762.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Program Files\Adobe\acrotray .exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Program Files\PowerISO\pwrisovm.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Qoobox\Quarantine\C\Documents and Settings\BFERRY_PT\alcxmntr .exe.vir Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\alcxmntr .exe.vir Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\l3fmoetsvvsr .exe.vir Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\oodtray .exe.vir Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\taskswitch .exe.vir Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-25_20.16.20.zip Infected: Trojan-Downloader.Win32.Small.anvz 3
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP43\A0002374.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP43\A0002375.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP43\A0002376.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP44\A0003400.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP44\A0003402.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP44\A0003403.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP44\A0003488.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP44\A0004449.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP44\A0004451.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP44\A0004452.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP45\A0005449.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP45\A0005451.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP45\A0005452.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0005762.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0005764.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0005765.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0007779.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0007781.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0007782.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0007783.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0007793.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0007795.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0007796.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0009810.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0009811.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0009812.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0012387.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0012390.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0012392.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP47\A0012876.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP47\A0012877.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP47\A0012878.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0014944.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0014946.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0014948.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0015472.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0015473.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0015474.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0015843.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0015844.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0015846.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP50\A0015973.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP50\A0015975.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP50\A0015976.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP50\A0015998.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP50\A0016000.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP50\A0016001.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP51\A0017009.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP51\A0017011.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP51\A0017012.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP53\A0017244.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP53\A0017245.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP53\A0017246.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP56\A0018389.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP56\A0018391.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP56\A0018392.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP57\A0018423.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP57\A0018424.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP57\A0018425.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP57\A0018466.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP57\A0018467.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP57\A0018469.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP61\A0019461.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP61\A0019463.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP61\A0019464.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP62\A0019926.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP62\A0019928.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP62\A0019929.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP65\A0020346.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP65\A0020347.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP65\A0020348.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP66\A0020475.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP66\A0020477.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP66\A0020478.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP66\A0020555.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP66\A0020586.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP66\A0020587.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP66\A0020589.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP69\A0020677.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP69\A0020679.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP69\A0020680.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020751.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020752.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020754.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020776.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020777.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020831.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020832.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020859.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020860.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020861.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020886.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020888.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020889.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020983.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020984.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020985.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020986.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020987.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020988.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020989.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020990.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020991.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020992.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020993.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020994.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020995.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020996.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020997.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020998.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020999.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021000.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021001.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021002.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021003.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021004.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021005.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021006.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021007.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021008.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021009.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021010.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021011.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021012.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021013.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021014.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021015.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021016.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021017.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021018.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021019.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021020.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021021.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021022.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021023.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021024.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021025.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021026.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021027.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021028.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021029.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021030.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021033.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021035.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021036.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021037.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021056.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021059.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021060.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021349.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021350.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021351.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021361.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021363.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021364.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021392.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021393.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021404.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021406.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021407.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021423.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021425.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021426.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP74\A0021640.exe Infected: Trojan-Spy.Win32.FlyStudio.dvw 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP74\A0021656.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP74\A0021657.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP74\A0021658.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP74\A0021736.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP74\A0021737.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP74\A0021739.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP78\A0021980.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP78\A0021982.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP78\A0021983.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022135.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022136.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022137.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022403.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022406.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022407.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022558.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022560.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022561.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\7SP_Files\LS Patch\LS Patch.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.e 1
C:\WINDOWS\system32\alcxmntr.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\ctfmon.exe.tmp Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\l3fmoetsvvsr.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\l3fmoetsvvsr.exe112 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\l3fmoetsvvsr.exe70 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray .exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe113 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe119 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe133 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe161 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe163 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe187 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe189 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe204 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe2135 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe239 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe356 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe64 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe690 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe79 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch .exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe111 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe117 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe131 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe144 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe145 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe159 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe160 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe162 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe186 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe187 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe202 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe2133 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe238 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe243 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe354 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe63 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe78 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe780 Infected: Trojan-Downloader.Win32.Small.anvz 1
Selected area has been scanned.
Thanks for the results. Shall see for further steps after those other things are done :)
Damn_VCT-exe
2009-10-26, 20:50
NOTE : Although I have removed ( Revo's utility tool) previous AVira AntiVir Desktop from the system it seems Combofix detects it. I've already checked services.msc and it appears as disabled. So I don't know why Combofix stilll detects it ...
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, October 26, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3, v.5857 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, October 25, 2009 21:14:38
Records in database: 3073285
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
A:\
C:\
D:\
G:\
H:\
Scan statistics
Objects scanned 81203
Threats found 5
Infected objects found 251
Suspicious objects found 0
Scan duration 19:49:51
File name Threat Threats count
C:\WINDOWS\system32\ALCXMNTR.EXE/C:\WINDOWS\system32\ALCXMNTR.EXE Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\ctv5835.exe/C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\ctv5835.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\alcxmntr .exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Documents and Settings\BFERRY_PT\alcxmntr.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv1205.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv2127.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv279.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv3054.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv3975.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv4900.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv5835.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv6762.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\Program Files\Adobe\acrotray .exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Program Files\PowerISO\pwrisovm.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Qoobox\Quarantine\C\Documents and Settings\BFERRY_PT\alcxmntr .exe.vir Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\alcxmntr .exe.vir Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\l3fmoetsvvsr .exe.vir Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\oodtray .exe.vir Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\taskswitch .exe.vir Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-25_20.16.20.zip Infected: Trojan-Downloader.Win32.Small.anvz 3
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP43\A0002374.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP43\A0002375.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP43\A0002376.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP44\A0003400.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP44\A0003402.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP44\A0003403.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP44\A0003488.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP44\A0004449.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP44\A0004451.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP44\A0004452.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP45\A0005449.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP45\A0005451.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP45\A0005452.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0005762.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0005764.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0005765.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0007779.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0007781.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0007782.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0007783.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0007793.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0007795.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0007796.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0009810.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0009811.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0009812.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0012387.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0012390.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP46\A0012392.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP47\A0012876.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP47\A0012877.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP47\A0012878.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0014944.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0014946.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0014948.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0015472.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0015473.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0015474.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0015843.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0015844.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP48\A0015846.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP50\A0015973.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP50\A0015975.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP50\A0015976.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP50\A0015998.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP50\A0016000.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP50\A0016001.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP51\A0017009.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP51\A0017011.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP51\A0017012.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP53\A0017244.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP53\A0017245.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP53\A0017246.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP56\A0018389.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP56\A0018391.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP56\A0018392.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP57\A0018423.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP57\A0018424.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP57\A0018425.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP57\A0018466.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP57\A0018467.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP57\A0018469.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP61\A0019461.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP61\A0019463.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP61\A0019464.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP62\A0019926.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP62\A0019928.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP62\A0019929.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP65\A0020346.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP65\A0020347.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP65\A0020348.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP66\A0020475.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP66\A0020477.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP66\A0020478.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP66\A0020555.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP66\A0020586.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP66\A0020587.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP66\A0020589.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP69\A0020677.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP69\A0020679.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP69\A0020680.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020751.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020752.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020754.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020776.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020777.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020831.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020832.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020859.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020860.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020861.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020886.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020888.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020889.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020983.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020984.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020985.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020986.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020987.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020988.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020989.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020990.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020991.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020992.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020993.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020994.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020995.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020996.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020997.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020998.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0020999.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021000.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021001.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021002.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021003.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021004.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021005.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021006.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021007.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021008.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021009.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021010.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021011.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021012.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021013.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021014.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021015.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021016.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021017.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021018.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021019.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021020.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021021.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021022.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021023.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021024.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021025.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021026.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021027.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021028.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021029.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021030.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021033.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021035.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021036.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021037.exe Infected: Trojan.Win32.Vilsel.ijq 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021056.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021059.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP70\A0021060.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021349.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021350.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021351.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021361.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021363.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021364.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021392.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021393.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021404.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021406.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021407.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021423.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021425.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP72\A0021426.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP74\A0021640.exe Infected: Trojan-Spy.Win32.FlyStudio.dvw 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP74\A0021656.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP74\A0021657.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP74\A0021658.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP74\A0021736.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP74\A0021737.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP74\A0021739.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP78\A0021980.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP78\A0021982.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP78\A0021983.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022135.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022136.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022137.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022403.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022406.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022407.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022558.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022560.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\System Volume Information\_restore{BD46C379-AAED-4DCE-A590-305C4B354DE2}\RP79\A0022561.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\7SP_Files\LS Patch\LS Patch.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.e 1
C:\WINDOWS\system32\alcxmntr.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\ctfmon.exe.tmp Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\l3fmoetsvvsr.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\l3fmoetsvvsr.exe112 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\l3fmoetsvvsr.exe70 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray .exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe113 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe119 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe133 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe161 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe163 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe187 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe189 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe204 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe2135 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe239 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe356 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe64 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe690 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\oodtray.exe79 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch .exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe111 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe117 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe131 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe144 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe145 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe159 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe160 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe162 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe186 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe187 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe202 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe2133 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe238 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe243 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe354 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe63 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe78 Infected: Trojan-Downloader.Win32.Small.anvz 1
C:\WINDOWS\system32\taskswitch.exe780 Infected: Trojan-Downloader.Win32.Small.anvz 1
Selected area has been scanned.
Damn_VCT-exe
2009-10-26, 20:53
see DDS txt log attached, pls
NOTE : Although I have removed ( Revo's utility tool) previous AVira AntiVir Desktop from the system it seems Combofix detects it. I've already checked services.msc and it appears as disabled. So I don't know why Combofix stilll detects it ...
Hi,
Do you have ComboFix log there to post too? :)
Damn_VCT-exe
2009-10-27, 04:19
ComboFix log file attached for analisys
IE popups and related iexplorer.exe processes still remain, neverless don't open it and use Firefox browser or Opera one ...
Thanks for your kind help :)
Hi,
Do you have ComboFix log there to post too? :)
Hi again,
Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer
Open notepad and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?t=52724
Collect::
C:\WINDOWS\system32\ALCXMNTR.EXE
C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\ctv5835.exe
c:\windows\system32\oodtray.exe
c:\windows\system32\taskswitch.exe
C:\Documents and Settings\BFERRY_PT\alcxmntr .exe
C:\Documents and Settings\BFERRY_PT\alcxmntr.exe
C:\Program Files\Adobe\acrotray .exe
C:\Program Files\PowerISO\pwrisovm.exe
C:\WINDOWS\system32\alcxmntr.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\oodtray .exe
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\system32\taskswitch .exe
C:\WINDOWS\system32\taskswitch.exe
File::
C:\WINDOWS\system32\l3fmoetsvvsr.exe
C:\WINDOWS\system32\l3fmoetsvvsr.exe112
C:\WINDOWS\system32\l3fmoetsvvsr.exe70
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv1205.exe
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv2127.exe
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv279.exe
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv3054.exe
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv3975.exe
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv4900.exe
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv5835.exe
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv6762.exe
C:\WINDOWS\system32\oodtray.exe113
C:\WINDOWS\system32\oodtray.exe119
C:\WINDOWS\system32\oodtray.exe133
C:\WINDOWS\system32\oodtray.exe161
C:\WINDOWS\system32\oodtray.exe163
C:\WINDOWS\system32\oodtray.exe187
C:\WINDOWS\system32\oodtray.exe189
C:\WINDOWS\system32\oodtray.exe204
C:\WINDOWS\system32\oodtray.exe2135
C:\WINDOWS\system32\oodtray.exe239
C:\WINDOWS\system32\oodtray.exe356
C:\WINDOWS\system32\oodtray.exe64
C:\WINDOWS\system32\oodtray.exe690
C:\WINDOWS\system32\oodtray.exe79
C:\WINDOWS\system32\taskswitch.exe111
C:\WINDOWS\system32\taskswitch.exe117
C:\WINDOWS\system32\taskswitch.exe131
C:\WINDOWS\system32\taskswitch.exe144
C:\WINDOWS\system32\taskswitch.exe145
C:\WINDOWS\system32\taskswitch.exe159
C:\WINDOWS\system32\taskswitch.exe160
C:\WINDOWS\system32\taskswitch.exe162
C:\WINDOWS\system32\taskswitch.exe186
C:\WINDOWS\system32\taskswitch.exe187
C:\WINDOWS\system32\taskswitch.exe202
C:\WINDOWS\system32\taskswitch.exe2133
C:\WINDOWS\system32\taskswitch.exe238
C:\WINDOWS\system32\taskswitch.exe243
C:\WINDOWS\system32\taskswitch.exe354
C:\WINDOWS\system32\taskswitch.exe63
C:\WINDOWS\system32\taskswitch.exe78
C:\WINDOWS\system32\taskswitch.exe780
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
Regnull::
[HKEY_USERS\S-1-5-21-1757981266-838170752-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C94E95CB-8326-FAAC-F478-2139F7C67C48}*]
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe. Have internet connection open so that samples can be submitted.
Then post the resultant log. Re-run Kaspersky online scanner and attach its report & fresh dds log to your post too.
Damn_VCT-exe
2009-10-28, 04:19
Hi again :)
Followed the steps you mentioned
Combofix log follows in attachment.
Hi again,
Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer
Open notepad and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?t=52724
Collect::
C:\WINDOWS\system32\ALCXMNTR.EXE
C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\ctv5835.exe
c:\windows\system32\oodtray.exe
c:\windows\system32\taskswitch.exe
C:\Documents and Settings\BFERRY_PT\alcxmntr .exe
C:\Documents and Settings\BFERRY_PT\alcxmntr.exe
C:\Program Files\Adobe\acrotray .exe
C:\Program Files\PowerISO\pwrisovm.exe
C:\WINDOWS\system32\alcxmntr.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\oodtray .exe
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\system32\taskswitch .exe
C:\WINDOWS\system32\taskswitch.exe
File::
C:\WINDOWS\system32\l3fmoetsvvsr.exe
C:\WINDOWS\system32\l3fmoetsvvsr.exe112
C:\WINDOWS\system32\l3fmoetsvvsr.exe70
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv1205.exe
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv2127.exe
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv279.exe
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv3054.exe
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv3975.exe
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv4900.exe
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv5835.exe
C:\Documents and Settings\BFERRY_PT\Local Settings\temp\ctv6762.exe
C:\WINDOWS\system32\oodtray.exe113
C:\WINDOWS\system32\oodtray.exe119
C:\WINDOWS\system32\oodtray.exe133
C:\WINDOWS\system32\oodtray.exe161
C:\WINDOWS\system32\oodtray.exe163
C:\WINDOWS\system32\oodtray.exe187
C:\WINDOWS\system32\oodtray.exe189
C:\WINDOWS\system32\oodtray.exe204
C:\WINDOWS\system32\oodtray.exe2135
C:\WINDOWS\system32\oodtray.exe239
C:\WINDOWS\system32\oodtray.exe356
C:\WINDOWS\system32\oodtray.exe64
C:\WINDOWS\system32\oodtray.exe690
C:\WINDOWS\system32\oodtray.exe79
C:\WINDOWS\system32\taskswitch.exe111
C:\WINDOWS\system32\taskswitch.exe117
C:\WINDOWS\system32\taskswitch.exe131
C:\WINDOWS\system32\taskswitch.exe144
C:\WINDOWS\system32\taskswitch.exe145
C:\WINDOWS\system32\taskswitch.exe159
C:\WINDOWS\system32\taskswitch.exe160
C:\WINDOWS\system32\taskswitch.exe162
C:\WINDOWS\system32\taskswitch.exe186
C:\WINDOWS\system32\taskswitch.exe187
C:\WINDOWS\system32\taskswitch.exe202
C:\WINDOWS\system32\taskswitch.exe2133
C:\WINDOWS\system32\taskswitch.exe238
C:\WINDOWS\system32\taskswitch.exe243
C:\WINDOWS\system32\taskswitch.exe354
C:\WINDOWS\system32\taskswitch.exe63
C:\WINDOWS\system32\taskswitch.exe78
C:\WINDOWS\system32\taskswitch.exe780
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
Regnull::
[HKEY_USERS\S-1-5-21-1757981266-838170752-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C94E95CB-8326-FAAC-F478-2139F7C67C48}*]
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe. Have internet connection open so that samples can be submitted.
Then post the resultant log. Re-run Kaspersky online scanner and attach its report & fresh dds log to your post too.
Hi,
Shall get back to this when those other requested reports are ready :)
What's the status with this?
Due to inactivity, this thread will now be closed.
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.