WinReanimator

[Rhythmdoc]

Bingo:

ComboFix 08-05-07.2 - Administrator 2008-05-09 16:09:25.6 - NTFSx86 MINIMAL
Running from: C:\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\univrs32.dat
.
---- Previous Run -------
.
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\univrs32.dat

.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-08 18:07 . 2003-08-01 15:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2008-05-08 18:07 . 2003-08-01 16:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-05-08 18:07 . 2008-05-08 18:07 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-08 18:07 . 2008-05-09 16:13 32,768 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-08 16:22 . 2008-05-09 16:05 1,850,852 --a------ C:\Combo-Fix.exe
2008-05-08 15:51 . 2008-05-09 16:04 206 --a------ C:\Documents and Settings\Robin\delself.bat
2008-05-08 11:29 . 2008-05-08 11:29 77,488 --a------ C:\WINDOWS\system32\mspoolg.dll
2008-05-08 11:12 . 2008-05-08 11:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 11:12 . 2008-05-08 11:12 <DIR> d-------- C:\Documents and Settings\Robin\Application Data\Malwarebytes
2008-05-08 11:12 . 2008-05-08 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-08 11:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-08 11:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-04-29 02:29 . 2008-04-29 02:29 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-29 01:48 . 2008-04-29 01:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-29 00:59 . 2008-05-09 00:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-29 00:26 . 2008-04-29 00:26 0 --a------ C:\winamp.ini
2008-04-29 00:22 . 2008-05-09 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-15 22:23 . 2008-04-15 22:23 94,208 --a------ C:\3.tmp
2008-04-15 22:23 . 2008-04-15 22:23 67,584 --a------ C:\4.tmp
2008-04-15 22:23 . 2008-04-15 22:23 30,720 --a------ C:\o9vl29.exe
2008-04-15 22:23 . 2008-04-15 22:23 4 --a------ C:\5.tmp
2008-04-13 21:24 . 2008-04-13 21:24 28,672 --a------ C:\WINDOWS\system32\ati2mdxx.exe
2008-04-13 21:24 . 2008-04-13 21:24 4,608 --a------ C:\WINDOWS\system32\carpserv.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 06:03 --------- d-----w C:\Documents and Settings\Robin\Application Data\Symantec
2008-04-29 05:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-29 05:49 --------- d-----w C:\Program Files\Symantec
2008-04-29 05:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-14 00:21 --------- d-----w C:\Program Files\QuickTime
2008-04-14 00:21 --------- d-----w C:\Program Files\Apoint
.
Files Infected - Win32.Agent.zb
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\QuickTime\qttask.exe
c:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2008-04-13 21:24 4608 C:\WINDOWS\system32\carpserv.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2008-04-12 18:39 114688]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2008-04-12 18:39 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-12 18:39 77824]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 12:29 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2008-04-12 18:39 1409024]
"ATIModeChange"="Ati2mdxx.exe" [2008-04-13 21:24 28672 C:\WINDOWS\system32\ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-04-12 18:39 323584]
"VAIO Recovery"="C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 00:08 28672]
"braviax"="braviax.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

.
Contents of the 'Scheduled Tasks' folder
"2007-04-16 06:39:46 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2007-04-16 06:39:47 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2007-04-16 06:39:47 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2007-12-04 19:16:04 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 16:13:13
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-09 16:15:56 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-05-09 21:15:52

Pre-Run: 9,419,776,000 bytes free
Post-Run: 9,412,009,984 bytes free

115

 

[Rhythmdoc]

I also noticed this one in a folder called Qoobox:

2008-05-09 00:49 36352 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir
2008-05-09 00:49 36352 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\beep.sys.vir
2008-05-09 16:04 6656 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\univrs32.dat.vir
2008-05-09 16:08 18432 --a------ C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir
2008-05-09 16:08 18432 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\braviax.exe.vir
2008-05-09 16:08 6144 --a------ C:\Qoobox\Quarantine\C\WINDOWS\cru629.dat.vir
2008-05-09 16:08 6144 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cru629.dat.vir
2008-05-09 16:11 324 --a------ C:\Qoobox\Quarantine\catchme.log

 

[Blade81]

Hi

Great to see that worked

Please turn your Windows firewall on (SP2 option). Then let's clean off other bad items.


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\Robin\delself.bat
C:\WINDOWS\system32\mspoolg.dll
C:\3.tmp
C:\4.tmp
C:\o9vl29.exe
C:\5.tmp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-

Save this as
CFScript

Refering to the picture above, drag CFScript into Combo-Fix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, click Yes.

• The program will launch and start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings and select the following:

Scan using the following Anti-Virus database:​

• Extended (If available, otherwise Standard)

Scan Options:​

• Scan Archives
• Scan Mail Bases

• Click OK.
• Under
  select a target to scan
  , select My Computer.
• The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.

Once the scan is complete:

• Click on the Save as Text button.
• Save the file to your desktop.
• Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log too (without forgetting above meantioned ComboFix resultant log).

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problme doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.

 

[Rhythmdoc]

I believe that this machine is only updated to sp1 (as I see that noted when starting in Safe Mode). Should I update windows at this point, before taking the next steps you described last.

 

[Blade81]

Hi

No, please don't update until we've finished cleaning process. That might cause problems.

 

[Rhythmdoc]

Hi ,
I ran ComboFix and it acted as it did before. I noticed this time as it was rebooting the last time, right before the windows shutting down music that I heard the sound for when you try and do something and it doesn't work. That kinda low horn sound.

Anyway here is the log and the pend file. I am going to wait for a reply before I run ATF because I suspect I should be running ComboFix is safe mode. Please advise - run ATF now or rerun ComboFix in safe mode first.

Thanks again for sticking with me on this. I would have given up a long time ago, and just done a clean install. Maybe that wouldn't even work though.

ComboFix 08-05-07.2 - Robin 2008-05-11 20:57:22.7 - NTFSx86
Running from: C:\Combo-Fix.exe
Command switches used :: E:\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\3.tmp
C:\4.tmp
C:\5.tmp
C:\Documents and Settings\Robin\delself.bat
C:\o9vl29.exe
C:\WINDOWS\system32\mspoolg.dll
.

And then the pend file:

.:\\(0!|0\\0)
C:\\WINDOWS\\system32\\(\\|0!|0\\0)
C:\\WINDOWS\\system32\\config\\(\\|0!|0\\0)
C:\\WINDOWS\\system32\\csrss.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\drivers\\(\\|0!|0\\0)
C:\\WINDOWS\\system32\\hal.dll\\(0!|0\\0)
C:\\WINDOWS\\system32\\lsass.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\ntdll.dll\\(0!|0\\0)
C:\\WINDOWS\\system32\\services.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\smss.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\svchost.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\userinit.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\wbem\\(\\|0!|0\\0)
C:\\WINDOWS\\system32\\winlogon.exe\\(0!|0\\0)
C:\\boot.ini\\(0!|0\\0)
C:\\ntdetect.com\\(0!|0\\0)
C:\\ntldr\\(0!|0\\0)
C:\\WINDOWS\\(\\|0!|0\\0)
C:\\WINDOWS\\explorer.exe\\(0!|0\\0)

 

[Blade81]

Hi

Somehow it looks again that ComboFix didn't finish correctly. Please try running ComboFix with that CFScript file in safe mode.

 

[Rhythmdoc]

Hi,
Here is the log from Combo Fix run in safe mode and rebooted in safe mode. I will run the ATF as soon as I get a chance. I have to run now though.

ComboFix 08-05-07.2 - Administrator 2008-05-12 12:42:50.8 - NTFSx86 MINIMAL
Running from: C:\Combo-Fix.exe
Command switches used :: F:\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\3.tmp
C:\4.tmp
C:\5.tmp
C:\Documents and Settings\Robin\delself.bat
C:\o9vl29.exe
C:\WINDOWS\system32\mspoolg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\Documents and Settings\Robin\delself.bat
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\univrs32.dat
.
---- Previous Run -------
.
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\3.tmp
C:\4.tmp
C:\5.tmp
C:\Documents and Settings\Robin\delself.bat
C:\o9vl29.exe
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\mspoolg.dll
C:\WINDOWS\system32\univrs32.dat

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-08 18:07 . 2003-08-01 15:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2008-05-08 18:07 . 2003-08-01 16:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-05-08 18:07 . 2008-05-08 18:07 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-08 18:07 . 2008-05-12 12:46 24,576 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-08 16:22 . 2008-05-09 16:05 1,850,852 --a------ C:\Combo-Fix.exe
2008-05-08 11:12 . 2008-05-08 11:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 11:12 . 2008-05-08 11:12 <DIR> d-------- C:\Documents and Settings\Robin\Application Data\Malwarebytes
2008-05-08 11:12 . 2008-05-08 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-08 11:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-08 11:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-04-29 02:29 . 2008-04-29 02:29 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-29 01:48 . 2008-04-29 01:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-29 00:59 . 2008-05-09 00:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-29 00:26 . 2008-04-29 00:26 0 --a------ C:\winamp.ini
2008-04-29 00:22 . 2008-05-09 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 21:24 . 2008-04-13 21:24 28,672 --a------ C:\WINDOWS\system32\ati2mdxx.exe
2008-04-13 21:24 . 2008-04-13 21:24 4,608 --a------ C:\WINDOWS\system32\carpserv.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 06:03 --------- d-----w C:\Documents and Settings\Robin\Application Data\Symantec
2008-04-29 05:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-29 05:49 --------- d-----w C:\Program Files\Symantec
2008-04-29 05:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-14 00:21 --------- d-----w C:\Program Files\QuickTime
2008-04-14 00:21 --------- d-----w C:\Program Files\Apoint
.
Files Infected - Win32.Agent.zb
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\QuickTime\qttask.exe
c:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-09_16.15.32.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-09 21:12:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 17:45:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-09 05:49:36 36,352 ----a-w C:\WINDOWS\Drivers\beep.sys
+ 2008-05-12 02:00:53 36,352 ----a-w C:\WINDOWS\Drivers\beep.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2008-04-13 21:24 4608 C:\WINDOWS\system32\carpserv.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2008-04-12 18:39 114688]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2008-04-12 18:39 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-12 18:39 77824]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 12:29 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2008-04-12 18:39 1409024]
"ATIModeChange"="Ati2mdxx.exe" [2008-04-13 21:24 28672 C:\WINDOWS\system32\ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-04-12 18:39 323584]
"VAIO Recovery"="C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 00:08 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

.
Contents of the 'Scheduled Tasks' folder
"2007-04-16 06:39:46 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2007-04-16 06:39:47 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2007-04-16 06:39:47 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2007-12-04 19:16:04 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 12:46:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-12 12:49:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 17:49:08
ComboFix2.txt 2008-05-09 21:15:57

Pre-Run: 9,410,260,992 bytes free
Post-Run: 9,403,150,336 bytes free

131

 

[Blade81]

Please run Malwarebytes' anti-malware & Kaspersky online scanner too and post reports of those. Are you able to create hjt log? Post it too if possible.

 

[Rhythmdoc]

Hey is the Kaspersky log:

KASPERSKY ONLINE SCANNER REPORT
2008-05-12 22:40
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/05/2008
Kaspersky Anti-Virus database records: 763380
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 31498
Number of viruses found 13
Number of infected objects 147
Number of suspicious objects 0
Duration of the scan process 00:53:51

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\isat.exe Infected: Trojan-Downloader.Win32.FraudLoad.lp skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Robin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.75512 Infected: Rootkit.Win32.Agent.jj skipped
C:\Documents and Settings\Robin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Robin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Robin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Robin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Robin\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Apoint\apoint.exe Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\QuickTime\qttask.exe Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\Sony\HotKey Utility\hkserv.exe Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\support.com\client\bin\tgcmd.exe Infected: Trojan.Win32.Patched.bz skipped
C:\QooBox\Quarantine\C\3.tmp.vir Infected: SpamTool.Win32.Agent.hu skipped
C:\QooBox\Quarantine\C\4.tmp.vir Infected: Email-Worm.Win32.Mydoom.cc skipped
C:\QooBox\Quarantine\C\o9vl29.exe.vir Infected: Backdoor.Win32.Agent.eks skipped
C:\QooBox\Quarantine\C\WINDOWS\braviax.exe.vir Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\QooBox\Quarantine\C\WINDOWS\cru629.dat.vir Infected: Backdoor.Win32.Small.cbo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\braviax.exe.vir Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cru629.dat.vir Infected: Backdoor.Win32.Small.cbo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dllcache\beep.sys.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mspoolg.dll.vir Infected: Trojan-Spy.Win32.BZub.cqz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\univrs32.dat.vir Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP49\A0006889.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP49\A0006890.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0006902.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0006903.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0006920.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0006921.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0006931.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0006932.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0006946.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0006947.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0006958.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0006959.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0006968.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007958.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007959.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007967.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007968.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007969.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007972.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007973.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007974.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007981.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007983.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007984.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007987.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007988.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007989.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007998.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0007999.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0008008.exe Infected: not-a-virus:FraudTool.Win32.RegCleanerXP.a skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0008043.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.b skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0008045.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0008046.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP51\A0008122.rbf Infected: Trojan.Win32.Patched.bz skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP51\A0008455.rbf Infected: Trojan.Win32.Patched.bz skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP51\A0008568.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP51\A0008569.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP51\A0008571.rbf Infected: Trojan.Win32.Patched.bz skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP51\A0008606.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP51\A0008607.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP52\A0008628.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP52\A0008629.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP52\A0008639.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP52\A0008640.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP52\A0008644.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP52\A0008645.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP52\A0008659.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP52\A0008660.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP53\A0008682.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP53\A0008683.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP53\A0008698.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP53\A0008702.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP53\A0008703.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP53\A0008711.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP53\A0008712.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008737.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008743.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008759.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008760.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008809.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008810.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008830.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008835.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008932.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008933.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008953.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008958.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008959.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008977.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008978.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008987.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0008988.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009025.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009026.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009044.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009047.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009048.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009140.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009141.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009150.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009151.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009152.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009153.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009192.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009193.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009212.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009215.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009216.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009229.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009230.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009244.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009245.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009256.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009257.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009295.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009296.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009359.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009362.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP54\A0009363.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP55\A0009378.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP55\A0009379.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0009395.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0009396.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0009398.exe Infected: Backdoor.Win32.Agent.eks skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0009399.dll Infected: Trojan-Spy.Win32.BZub.cqz skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0009400.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0009401.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0009418.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0009423.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0009424.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0009437.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0009438.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0010437.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0010438.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0010478.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0010479.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0010531.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0010534.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\A0010535.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\change.log Object is locked skipped
C:\WINDOWS\braviax.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\WINDOWS\cru629.dat Infected: Backdoor.Win32.Small.cbo skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Drivers\beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\ati2mdxx.exe Infected: Trojan.Win32.Patched.bz skipped
C:\WINDOWS\system32\braviax.exe Infected: not-virus:Hoax.Win32.Renos.bpu skipped
C:\WINDOWS\system32\carpserv.exe Infected: Trojan.Win32.Patched.bz skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\cru629.dat Infected: Backdoor.Win32.Small.cbo skipped
C:\WINDOWS\system32\dllcache\beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\WINDOWS\system32\drivers\beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\univrs32.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP56\change.log Object is locked skipped
Scan process completed.

 

[Rhythmdoc]

HJT still will not run even in safe mode.

 

[Blade81]

Please download (using other system) Comodo Firewall Pro here and install it to this infected system. Otherwise it's possible that baddies download new malware to your system when we got some older items cleaned making this never ending process.

When firewall is installed it's time to run ComboFix in safe mode with following CFScript:


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\isat.exe
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\univrs32.dat

Folder::
C:\WINDOWS\Drivers

Save this as
CFScript

Refering to the picture above, drag CFScript into Combo-Fix.exe
Then post the resultant log. Run also Kaspersky scanner again and post its report.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

 

[Rhythmdoc]

Hi,

An interesting thing happened. I use a Memory Stick to transfer stuff from the good machine to the infected one. I downloaded Comodo Firewall and put it on the Stick. I put the Stick in the infected machine and thought I would try and install the firewall right from the Stick. The process froze. I could not "end process" with the task manager, so I unplugged the Stick. At that point the desktop went blank and then came back to life as if it had been partially rebooted. Interesting thing is, the WinReanimator icon disappeared from the notification area. I then copied the Comodo Firewall to the desktop of the infected machine and tried to install. I get an error message: "Error 0 running command.\CFP_Setup_3.0.22.349_XP_Vista_x64.exe" before it is even done unzipping.

I tried this process again to verify that the WinReanimator icon disappears. I then redownloaded Comodo Firewall and tried to install again (without trying to install it from the Stick this time and got the same error message. I was curious so I tried installing the Comodo Firewall on my good machine and got the same error. I'm not sure why that is happening?

Should I try running ComboFix after I have made the WinReanimator icon disappear as described above?

 

[Blade81]

Please run ComboFix with that CFScript in safe mode. You should also keep that machine disconnected since without a firewall risks are really high to get reinfected. By keeping system disconnected we can be sure that no extra pests are downloaded. That said copy combofix resultant log to your memory stick and from that to your clean system and then back into this topic.

Important thing is to get a firewall installed. It's possible that Comodo download was corrupted. Please try redownloading it on your clean system. Then test it there to see if packet is working. If it is install it to that infected system (don't connect it to net). If still no success try free version of Zonealarm

 

[Blade81]

You should make sure you download 32 bit version of Comodo.

 

[Rhythmdoc]

Will do, I downloaded the 64bit version of Comodo because I believe the infected machine is only updated to SP1 and the 32bit version says for XP-SP2.

And yes, I will keep the machine off the net. When I ran Kaspersky is the first time it had been on the net since we started (just so you know).

You don't think I should try and run ComboFix while that WinReanimator icon is gone?

 

[Blade81]

Hi

I believe it makes no difference running ComboFix while winreanimator icon is appearing or not. Shall wait for your input

 

[Rhythmdoc]

I am a curious sort, so I ran ComboFix at the point where WinReanimators' icon was missing. I believe ComboFix was able to do more. Also, when I rebooted the machine in regular mode the WinReanimator icon did NOT reappear.

Here is the ComboFix log:

ComboFix 08-05-07.2 - Robin 2008-05-13 17:50:44.9 - NTFSx86
Running from: C:\Combo-Fix.exe
Command switches used :: E:\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\isat.exe
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\univrs32.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\isat.exe
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\Drivers
C:\WINDOWS\Drivers\Audio\adminchk.dll
C:\WINDOWS\Drivers\Audio\AEEnable.exe
C:\WINDOWS\Drivers\Audio\data.tag
C:\WINDOWS\Drivers\Audio\data1.cab
C:\WINDOWS\Drivers\Audio\data1.hdr
C:\WINDOWS\Drivers\Audio\data2.cab
C:\WINDOWS\Drivers\Audio\ikernel.ex_
C:\WINDOWS\Drivers\Audio\INFCACHE.1
C:\WINDOWS\Drivers\Audio\layout.bin
C:\WINDOWS\Drivers\Audio\Migrate\Migrate.dll
C:\WINDOWS\Drivers\Audio\RemADI.exe
C:\WINDOWS\Drivers\Audio\Setup.exe
C:\WINDOWS\Drivers\Audio\Setup.ini
C:\WINDOWS\Drivers\Audio\setup.inx
C:\WINDOWS\Drivers\Audio\setup.iss
C:\WINDOWS\Drivers\Audio\SMax3CP.ico
C:\WINDOWS\Drivers\Audio\SMAXWDM\SE\a3d.dll
C:\WINDOWS\Drivers\Audio\SMAXWDM\SE\ADI_RMV.EXE
C:\WINDOWS\Drivers\Audio\SMAXWDM\SE\AEAUDIO.sys
C:\WINDOWS\Drivers\Audio\SMAXWDM\SE\CBLDRM.dll
C:\WINDOWS\Drivers\Audio\SMAXWDM\SE\inst16.exe
C:\WINDOWS\Drivers\Audio\SMAXWDM\SE\migrate.dll
C:\WINDOWS\Drivers\Audio\SMAXWDM\SE\smsens.sys
C:\WINDOWS\Drivers\Audio\SMAXWDM\SE\smwdm.sys
C:\WINDOWS\Drivers\Audio\SMAXWDM\SE\smwdmALI.inf
C:\WINDOWS\Drivers\Audio\SMAXWDM\SE\smx.cat
C:\WINDOWS\Drivers\Audio\SMAXWDM\SE\WDMSTUB.sys
C:\WINDOWS\Drivers\Audio\SMAXWDM\W2K_XP\a3d.dll
C:\WINDOWS\Drivers\Audio\SMAXWDM\W2K_XP\AEAUDIO.sys
C:\WINDOWS\Drivers\Audio\SMAXWDM\W2K_XP\CBLDRM.dll
C:\WINDOWS\Drivers\Audio\SMAXWDM\W2K_XP\install.exe
C:\WINDOWS\Drivers\Audio\SMAXWDM\W2K_XP\migrate.dll
C:\WINDOWS\Drivers\Audio\SMAXWDM\W2K_XP\Remove.exe
C:\WINDOWS\Drivers\Audio\SMAXWDM\W2K_XP\smsens.sys
C:\WINDOWS\Drivers\Audio\SMAXWDM\W2K_XP\smwdm.sys
C:\WINDOWS\Drivers\Audio\SMAXWDM\W2K_XP\smwdmALI.inf
C:\WINDOWS\Drivers\Audio\SMAXWDM\W2K_XP\smx.cat
C:\WINDOWS\Drivers\Audio\SMAXWDM\W2K_XP\WDMSTUB.sys
C:\WINDOWS\Drivers\Audio\SoundMAX.bmp
C:\WINDOWS\Drivers\Audio\Sys\CleanUp.exe
C:\WINDOWS\Drivers\Audio\Sys\DSndUp.exe
C:\WINDOWS\Drivers\Audio\win256_3.bmp
C:\WINDOWS\Drivers\beep.sys
C:\WINDOWS\Drivers\Camera\INFCACHE.1
C:\WINDOWS\Drivers\Camera\snylucd4.sys
C:\WINDOWS\Drivers\Camera\snyuaud3.inf
C:\WINDOWS\Drivers\Camera\snyuaud3.PNF
C:\WINDOWS\Drivers\Camera\snyucam3.cat
C:\WINDOWS\Drivers\Camera\snyucam3.inf
C:\WINDOWS\Drivers\Camera\snyucam3.PNF
C:\WINDOWS\Drivers\Camera\snyucam4.sys
C:\WINDOWS\Drivers\Camera\snyucmp3.inf
C:\WINDOWS\Drivers\Camera\snyucmp3.PNF
C:\WINDOWS\Drivers\Camera\snyuflt4.sys
C:\WINDOWS\Drivers\LCD\INFCACHE.1
C:\WINDOWS\Drivers\LCD\Sony_l65.icm
C:\WINDOWS\Drivers\LCD\svnlcd.cat
C:\WINDOWS\Drivers\LCD\SVNLCD.inf
C:\WINDOWS\Drivers\LCD\SVNLCD.PNF
C:\WINDOWS\Drivers\Modem\CARPDLL.DLL
C:\WINDOWS\Drivers\Modem\carpserv.exe
C:\WINDOWS\Drivers\Modem\disk1
C:\WINDOWS\Drivers\Modem\HSF_CNXT.sys
C:\WINDOWS\Drivers\Modem\HSF_DP.sys
C:\WINDOWS\Drivers\Modem\HSFCI005.dll
C:\WINDOWS\Drivers\Modem\HSFHWALI.sys
C:\WINDOWS\Drivers\Modem\HXFSetup.exe
C:\WINDOWS\Drivers\Modem\INFCACHE.1
C:\WINDOWS\Drivers\Modem\MdmXSdk.dll
C:\WINDOWS\Drivers\Modem\MDMXSDK.sys
C:\WINDOWS\Drivers\Modem\Sny8158k.cat
C:\WINDOWS\Drivers\Modem\Sny8158k.inf
C:\WINDOWS\Drivers\Modem\Sny8158k.PNF
C:\WINDOWS\Drivers\Modem\Snyunif.cty
C:\WINDOWS\Drivers\Modem\STRMDISP.SYS
C:\WINDOWS\Drivers\Mouse\apfiltr.cat
C:\WINDOWS\Drivers\Mouse\Apfiltr.inf
C:\WINDOWS\Drivers\Mouse\Apfiltr.PNF
C:\WINDOWS\Drivers\Mouse\Apfiltr.sys
C:\WINDOWS\Drivers\Mouse\ApntEx.exe
C:\WINDOWS\Drivers\Mouse\Apoint.dll
C:\WINDOWS\Drivers\Mouse\Apoint.exe
C:\WINDOWS\Drivers\Mouse\APOINTCS.POP
C:\WINDOWS\Drivers\Mouse\APOINTCT.POP
C:\WINDOWS\Drivers\Mouse\APOINTFR.POP
C:\WINDOWS\Drivers\Mouse\APOINTGR.POP
C:\WINDOWS\Drivers\Mouse\APOINTIT.POP
C:\WINDOWS\Drivers\Mouse\APOINTJP.POP
C:\WINDOWS\Drivers\Mouse\APOINTKR.POP
C:\WINDOWS\Drivers\Mouse\APOINTNL.POP
C:\WINDOWS\Drivers\Mouse\APOINTSP.POP
C:\WINDOWS\Drivers\Mouse\APOINTUS.POP
C:\WINDOWS\Drivers\Mouse\ApRes.dll
C:\WINDOWS\Drivers\Mouse\Apvfb.exe
C:\WINDOWS\Drivers\Mouse\Apwheel.dll
C:\WINDOWS\Drivers\Mouse\ELProp.dll
C:\WINDOWS\Drivers\Mouse\ezauto.dll
C:\WINDOWS\Drivers\Mouse\Ezcapt.exe
C:\WINDOWS\Drivers\Mouse\EzLaunch.dll
C:\WINDOWS\Drivers\Mouse\INFCACHE.1
C:\WINDOWS\Drivers\Mouse\Uninstap.exe
C:\WINDOWS\Drivers\Mouse\Vxdif.dll
C:\WINDOWS\Drivers\Network\INFCACHE.1
C:\WINDOWS\Drivers\Network\Netrtxpo.cat
C:\WINDOWS\Drivers\Network\Netrtxpo.INF
C:\WINDOWS\Drivers\Network\Netrtxpo.PNF
C:\WINDOWS\Drivers\Network\R8139n51.sys
C:\WINDOWS\Drivers\SonyNC\INFCACHE.1
C:\WINDOWS\Drivers\SonyNC\SonyNC.cat
C:\WINDOWS\Drivers\SonyNC\SonyNC.dll
C:\WINDOWS\Drivers\SonyNC\SonyNC.inf
C:\WINDOWS\Drivers\SonyNC\SonyNC.PNF
C:\WINDOWS\Drivers\SonyNC\SonyNC.sys
C:\WINDOWS\Drivers\Stick\INFCACHE.1
C:\WINDOWS\Drivers\Stick\SonyWBMS.cat
C:\WINDOWS\Drivers\Stick\SonyWBMS.inf
C:\WINDOWS\Drivers\Stick\SonyWBMS.PNF
C:\WINDOWS\Drivers\Stick\SonyWBMS.sys
C:\WINDOWS\Drivers\USBMouse\INFCACHE.1
C:\WINDOWS\Drivers\USBMouse\ms98.cab
C:\WINDOWS\Drivers\USBMouse\MS99.CAT
C:\WINDOWS\Drivers\USBMouse\PHIDMOU.INF
C:\WINDOWS\Drivers\USBMouse\PHIDMOU.PNF
C:\WINDOWS\Drivers\USBMouse\Setup.exe
C:\WINDOWS\Drivers\USBMouse\Setup2k.ini
C:\WINDOWS\Drivers\USBMouse\SetupNT.exe
C:\WINDOWS\Drivers\Video\aticim.bin
C:\WINDOWS\Drivers\Video\BIN\aticds32.vxd
C:\WINDOWS\Drivers\Video\BIN\AtiCIM.dll
C:\WINDOWS\Drivers\Video\BIN\atiicdxx.dll
C:\WINDOWS\Drivers\Video\BIN\atiicdxx.ini
C:\WINDOWS\Drivers\Video\BIN\atiicdxx.sys
C:\WINDOWS\Drivers\Video\BIN\atiicdxx.vxd
C:\WINDOWS\Drivers\Video\BIN\atricdxx.dft
C:\WINDOWS\Drivers\Video\BIN\atricdxx.enu
C:\WINDOWS\Drivers\Video\checkver.exe
C:\WINDOWS\Drivers\Video\CPanel\10813_XP.REG
C:\WINDOWS\Drivers\Video\CPanel\CP_XP.REG
C:\WINDOWS\Drivers\Video\CPanel\CPANEL.dat
C:\WINDOWS\Drivers\Video\CPanel\CPANEL.dll
C:\WINDOWS\Drivers\Video\CPanel\data1.cab
C:\WINDOWS\Drivers\Video\CPanel\data1.hdr
C:\WINDOWS\Drivers\Video\CPanel\data2.cab
C:\WINDOWS\Drivers\Video\CPanel\ikernel.ex_
C:\WINDOWS\Drivers\Video\CPanel\install.ini
C:\WINDOWS\Drivers\Video\CPanel\layout.bin
C:\WINDOWS\Drivers\Video\CPanel\Setup.exe
C:\WINDOWS\Drivers\Video\CPanel\Setup.ini
C:\WINDOWS\Drivers\Video\CPanel\setup.inx
C:\WINDOWS\Drivers\Video\CPanel\setup.iss
C:\WINDOWS\Drivers\Video\data1.cab
C:\WINDOWS\Drivers\Video\data1.hdr
C:\WINDOWS\Drivers\Video\data2.cab
C:\WINDOWS\Drivers\Video\Driver\CX_10813.INI
C:\WINDOWS\Drivers\Video\Driver\data1.cab
C:\WINDOWS\Drivers\Video\Driver\data1.hdr
C:\WINDOWS\Drivers\Video\Driver\data2.cab
C:\WINDOWS\Drivers\Video\Driver\Driver.dat
C:\WINDOWS\Drivers\Video\Driver\Driver.DLL
C:\WINDOWS\Drivers\Video\Driver\ikernel.ex_
C:\WINDOWS\Drivers\Video\Driver\INSTALL.INI
C:\WINDOWS\Drivers\Video\Driver\layout.bin
C:\WINDOWS\Drivers\Video\Driver\setup.bmp
C:\WINDOWS\Drivers\Video\Driver\Setup.exe
C:\WINDOWS\Drivers\Video\Driver\Setup.ini
C:\WINDOWS\Drivers\Video\Driver\setup.inx
C:\WINDOWS\Drivers\Video\Driver\setup.iss
C:\WINDOWS\Drivers\Video\Driver\XP_INF\atiiseag.ini
C:\WINDOWS\Drivers\Video\Driver\XP_INF\B_10812\ati2dvag.dl_
C:\WINDOWS\Drivers\Video\Driver\XP_INF\B_10812\ati2evxx.dl_
C:\WINDOWS\Drivers\Video\Driver\XP_INF\B_10812\ati2evxx.ex_
C:\WINDOWS\Drivers\Video\Driver\XP_INF\B_10812\ati2mdxx.ex_
C:\WINDOWS\Drivers\Video\Driver\XP_INF\B_10812\ati2mtag.sy_
C:\WINDOWS\Drivers\Video\Driver\XP_INF\B_10812\ati3d1ag.dl_
C:\WINDOWS\Drivers\Video\Driver\XP_INF\B_10812\ati3d2ag.dl_
C:\WINDOWS\Drivers\Video\Driver\XP_INF\B_10812\ati3duag.dl_
C:\WINDOWS\Drivers\Video\Driver\XP_INF\B_10812\atiiiexx.dll
C:\WINDOWS\Drivers\Video\Driver\XP_INF\B_10812\atioglxx.dl_
C:\WINDOWS\Drivers\Video\Driver\XP_INF\B_10812\atipdlxx.dl_
C:\WINDOWS\Drivers\Video\Driver\XP_INF\B_10812\atitvo32.dl_
C:\WINDOWS\Drivers\Video\Driver\XP_INF\B_10812\ativcoxx.dl_
C:\WINDOWS\Drivers\Video\Driver\XP_INF\B_10812\cx_10813.cat
C:\WINDOWS\Drivers\Video\Driver\XP_INF\cx_10813.cat
C:\WINDOWS\Drivers\Video\Driver\XP_INF\CX_10813.inf
C:\WINDOWS\Drivers\Video\GARTnt\ATIGART.EXE
C:\WINDOWS\Drivers\Video\GARTnt\atiicdxx.dll
C:\WINDOWS\Drivers\Video\GARTnt\ATIICDXX.SYS
C:\WINDOWS\Drivers\Video\GARTnt\atiicdxx.vxd
C:\WINDOWS\Drivers\Video\GARTnt\ATIIIEXX.DLL
C:\WINDOWS\Drivers\Video\GARTnt\atisgkaf.cat
C:\WINDOWS\Drivers\Video\GARTnt\atisgkaf.sys
C:\WINDOWS\Drivers\Video\GARTnt\atricdxx.dft
C:\WINDOWS\Drivers\Video\GARTnt\GARTnt.dat
C:\WINDOWS\Drivers\Video\GARTnt\GARTnt.dll
C:\WINDOWS\Drivers\Video\GARTnt\GARTnt.INF
C:\WINDOWS\Drivers\Video\GARTnt\ISLAYER.DLL
C:\WINDOWS\Drivers\Video\GARTnt\Setup.dat
C:\WINDOWS\Drivers\Video\GARTnt\Setup.exe
C:\WINDOWS\Drivers\Video\ikernel.ex_
C:\WINDOWS\Drivers\Video\INFCACHE.1
C:\WINDOWS\Drivers\Video\install.ini
C:\WINDOWS\Drivers\Video\layout.bin
C:\WINDOWS\Drivers\Video\psapi.dll
C:\WINDOWS\Drivers\Video\Setup.exe
C:\WINDOWS\Drivers\Video\Setup.ini
C:\WINDOWS\Drivers\Video\setup.inx
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\univrs32.dat

.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-12 13:52 . 2008-05-12 13:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-12 13:52 . 2008-05-12 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-12 12:52 . 2008-05-13 02:52 206 --a------ C:\Documents and Settings\Robin\delself.bat
2008-05-08 18:07 . 2003-08-01 15:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2008-05-08 18:07 . 2003-08-01 16:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-05-08 18:07 . 2008-05-08 18:07 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-08 18:07 . 2008-05-13 17:55 45,056 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-08 16:22 . 2008-05-09 16:05 1,850,852 --a------ C:\Combo-Fix.exe
2008-05-08 11:12 . 2008-05-08 11:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 11:12 . 2008-05-08 11:12 <DIR> d-------- C:\Documents and Settings\Robin\Application Data\Malwarebytes
2008-05-08 11:12 . 2008-05-08 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-08 11:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-08 11:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-04-29 02:29 . 2008-04-29 02:29 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-29 01:48 . 2008-04-29 01:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-29 00:59 . 2008-05-09 00:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-29 00:26 . 2008-04-29 00:26 0 --a------ C:\winamp.ini
2008-04-29 00:22 . 2008-05-09 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 21:24 . 2008-04-13 21:24 28,672 --a------ C:\WINDOWS\system32\ati2mdxx.exe
2008-04-13 21:24 . 2008-04-13 21:24 4,608 --a------ C:\WINDOWS\system32\carpserv.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 06:03 --------- d-----w C:\Documents and Settings\Robin\Application Data\Symantec
2008-04-29 05:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-29 05:49 --------- d-----w C:\Program Files\Symantec
2008-04-29 05:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-14 00:21 --------- d-----w C:\Program Files\QuickTime
2008-04-14 00:21 --------- d-----w C:\Program Files\Apoint
.
Files Infected - Win32.Agent.zb
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\QuickTime\qttask.exe
c:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-09_16.15.32.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-09 21:12:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 22:54:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2008-04-13 21:24 4608 C:\WINDOWS\system32\carpserv.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2008-04-12 18:39 114688]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2008-04-12 18:39 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-12 18:39 77824]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 12:29 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2008-04-12 18:39 1409024]
"ATIModeChange"="Ati2mdxx.exe" [2008-04-13 21:24 28672 C:\WINDOWS\system32\ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-04-12 18:39 323584]
"VAIO Recovery"="C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 00:08 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

.
Contents of the 'Scheduled Tasks' folder
"2007-04-16 06:39:46 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2007-04-16 06:39:47 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2007-04-16 06:39:47 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2007-12-04 19:16:04 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 17:55:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-13 17:58:04 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-05-13 22:57:59
ComboFix2.txt 2008-05-12 17:49:14
ComboFix3.txt 2008-05-09 21:15:57

Pre-Run: 8,450,568,192 bytes free
Post-Run: 9,252,802,560 bytes free

330


I'll get the firewall in now.

 

[Rhythmdoc]

Comodo would not install, the 32bit complained that i was only SP1 and the other one gives the same error message. I did try and download it a couple times to differant places and then move it to infected machine, but no good.

I did get ZoneAlarm to install and is now up and running.

 

[Blade81]

Hi

Since c:\windows\drivers folder contained also other files than only bad beep.sys it's better to restore those.



Open notepad and copy/paste the text in the quotebox below into it:

DeQuarantine::
C:\Qoobox\Quarantine\C\WINDOWS\Drivers

File::
C:\WINDOWS\Drivers\beep.sys

Save this as
CFScript

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log and contents of DeQuarantine_log.txt file (in c:\combofix folder or root of c: drive).


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


If you have Zonealarm up and running it's time to run Kaspersky online scanner. Post back its report, a fresh hjt log and above meantioned ComboFix related logs. Please re-download HijackThis since infection may have damaged the present version.