Worm.Anilogo.f(RESOLVED)

#1
22-01-2008, 10:52 PM
zerozone

Is this a new kind of virus? I tried to Google it but found nothing. Every time I open an .exe, AVG Anti-Spyware pops up saying that C:\WINDOWS\Fonts\syn00-0F-DB-CB-ED-F9\system\smss.exe is a Worm.Anilogo.f, so I put it in quarantine. Then I did a complete scan of the disk, and here is the report:



Quote:
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:36:36 AM 1/22/2008

+ Scan result:



C:\WINDOWS\Fonts\syn00-0F-DB-CB-ED-F9\system\inudhya.dll -> Trojan.Agent.diq : Cleaned with backup (quarantined).
C:\WINDOWS\Fonts\syn00-0F-DB-CB-ED-F9\system\smss.exe -> Worm.Anilogo.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP2\A0000026.exe -> Worm.Anilogo.f : No action taken.
C:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP5\A0000069.exe -> Worm.Anilogo.f : No action taken.


::Report end

I also found something weird with the C and D local disks: every time I click one, it opens in a new window. I saw this happen before; there is a file called autorun.inf and an .exe called ntldr.exe, which AVG Anti-Spyware identified as Worm.Anilogo.f after I scanned it. The autorun.inf seems to have no virus, though, because AVG didn't put it in quarantine. But the ntldr.exe keeps coming back, just like the smss.exe.

The autorun.inf contains this:
Quote:
[AutoRun]
OPEN=ntldr.exe
shellexecute=ntldr.exe
shell\open(&O)\command=ntldr.exe
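The autorun.inf quoted in the post is the mechanism behind the drive symptom: the [AutoRun] section names a program in the drive root, and the shell\open\command line replaces the drive's own "Open" verb, so double-clicking the drive runs that program instead of just opening the drive. The script below is an added example, not code from the thread: it parses an autorun.inf, lists every key that launches something, and flags the two things that make this one malicious (the overridden shell verb, and a launch target named after a Windows boot file, which has no business sitting in a drive root). SAMPLE_HIJACKED is the file from the post; the two contrasting samples, the EXEC_KEYS/SYSTEM_LOOKALIKES lists and the verdict scale are my own constructions.

```python
"""Triage autorun.inf files for the drive-hijack pattern seen in the post.

Added example, not code from the thread. SAMPLE_HIJACKED is copied from the
post; the other two samples and the scoring lists are constructed assumptions.
"""
import re

# Sample 1: copied from the post (the drive root also held ntldr.exe).
SAMPLE_HIJACKED = """[AutoRun]
OPEN=ntldr.exe
shellexecute=ntldr.exe
shell\\open(&O)\\command=ntldr.exe
"""

# Sample 2 (constructed): a typical install CD; it launches, but nothing odd.
SAMPLE_INSTALLER = """[autorun]
open=setup.exe
icon=setup.exe,0
"""

# Sample 3 (constructed): a labelled USB stick that launches nothing.
SAMPLE_LABEL_ONLY = """[AutoRun]
label=My Stick
icon=stick.ico
"""

# Keys that launch a program when the drive is inserted or opened.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command keys override the verbs on the drive's context menu;
# overriding "open" replaces the double-click action itself.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Windows boot/system file names that never belong in a drive root
# (assumption: a short list, extend it for your environment).
SYSTEM_LOOKALIKES = {"ntldr", "smss", "csrss", "winlogon", "lsass",
                     "services", "svchost", "explorer"}
EXEC_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")


def parse_autorun(text):
    """Return the [AutoRun] section as {lower-cased key: value}."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_entries(entries):
    """(key, target) pairs that execute something."""
    return [(k, v) for k, v in entries.items()
            if k in EXEC_KEYS or SHELL_CMD_RE.match(k)]


def target_basename(target):
    """Program name from a command line, without quotes, path or arguments."""
    target = target.strip()
    if target.startswith('"'):
        prog = target[1:].split('"', 1)[0]
    else:
        prog = target.split()[0] if target.split() else ""
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_autorun(text):
    """Return {'launches': [...], 'reasons': [...], 'verdict': str}.

    verdict: 'clean'      - nothing is launched
             'review'     - launches a program; normal for install media
             'suspicious' - overrides a shell verb, or launches a file
                            named like a Windows system component
    """
    entries = parse_autorun(text)
    launches = launch_entries(entries)
    reasons = []
    for key, target in launches:
        prog = target_basename(target)
        stem = prog.rsplit(".", 1)[0] if prog.endswith(EXEC_SUFFIXES) else prog
        if SHELL_CMD_RE.match(key):
            reasons.append(f"{key} overrides the drive's context-menu verb")
        if stem in SYSTEM_LOOKALIKES:
            reasons.append(f"{key} launches system-file lookalike {prog}")
    verdict = "suspicious" if reasons else ("review" if launches else "clean")
    return {"launches": launches, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in [("post", SAMPLE_HIJACKED),
                         ("installer", SAMPLE_INSTALLER),
                         ("label-only", SAMPLE_LABEL_ONLY)]:
        result = assess_autorun(sample)
        print(f"{name}: {result['verdict']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

Run it against the autorun.inf in each drive root with hidden and system files shown. A flagged autorun.inf is only half the problem: the executable it names must go too, and as long as a running copy of the worm is still rewriting both files they will keep reappearing, which is consistent with what the poster saw with ntldr.exe and smss.exe.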
#2
23-01-2008, 07:13 PM
Neal
Re: Worm.Anilogo.f

Welcome,


Please download and install the latest version of HijackThis, v2.0.2. Delete the old version you have.

Click here to download the HijackThis installer: http://www.trendsecure.com/portal/en...HJTInstall.exe

1. Save HJTInstall.exe to your desktop.
2. Double-click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
8. Come back here to this thread and paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.

#3
24-01-2008, 12:18 AM
zerozone
Re: Worm.Anilogo.f

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:36 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1004336348-706699826-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe

--
End of file - 2608 bytes
#4
24-01-2008, 06:40 AM
Neal
Re: Worm.Anilogo.f

If you have previously downloaded ComboFix, please delete that version now.

Now download ComboFix and save to your desktop:

Note:

It is IMPORTANT that it is saved directly to your desktop

Close any open browsers.

Disconnect from the Internet.

Please do not re-connect your machine back to the Internet until Combofix has completely finished.

Disable your antivirus program and any real-time malware scanners now.

Double click on combofix.exe and follow the prompts.

When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note:
Do not mouseclick combofix's window while it's running.

That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Re-enable your anti-virus and re-connect back to the internet and post the combofix log.



*Note*
In case your antivirus or any other real-time scanner displays an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and re-download ComboFix.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.




New hijackthis log also please.
#5
24-01-2008, 07:38 AM
zerozone
Re: Worm.Anilogo.f

I can't find the text file in C:\, but it seems to have made two folders, ComboFix and QooBox. Within ComboFix I found ComboFix.txt; is that the one you want?


Quote:
ComboFix 08-01-23.2 - user 2008-01-23 22:26:54.1 - NTFSx86

Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-23 22:25 . 2008-01-23 22:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-23 22:25 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 12:32 . 2008-01-21 16:52 211 --a------ C:\boot.ini.comodofirewall
2008-01-21 22:37 . 2008-01-21 22:44 <DIR> d-------- C:\Program Files\rising(2)
2008-01-21 21:59 . 2008-01-21 21:59 <DIR> d-------- C:\WINDOWS\system32\FinePointLib
2008-01-21 21:59 . 2008-01-21 22:33 <DIR> d-------- C:\Program Files\Common Files\Verizon Online
2008-01-21 21:59 . 2004-09-22 21:17 282,624 --a------ C:\WINDOWS\system32\VerizonUninstaller.exe
2008-01-21 21:59 . 2003-08-27 01:29 135,168 -ra------ C:\WINDOWS\system32\WestCoIn.dll
2008-01-21 21:59 . 2004-09-22 21:16 122,880 --a------ C:\WINDOWS\system32\VZGUninstall.dll
2008-01-21 21:59 . 2003-05-29 20:05 49,210 --a------ C:\WINDOWS\system32\vzServices.dll
2008-01-21 17:24 . 2008-01-21 17:24 12,104,143 --------- C:\$Persi0.sys
2008-01-21 17:24 . 2007-03-07 01:39 65,536 --a------ C:\WINDOWS\system32\LogonDll.dll
2008-01-21 17:23 . 2008-01-21 17:23 <DIR> d-------- C:\Program Files\Faronics
2008-01-21 17:16 . 2008-01-21 17:16 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-01-21 17:16 . 2004-04-30 09:37 160,640 --a------ C:\WINDOWS\system32\drivers\a347bus.sys
2008-01-21 17:16 . 2004-04-30 09:33 5,248 --a------ C:\WINDOWS\system32\drivers\a347scsi.sys
2008-01-21 17:13 . 2006-09-05 08:03 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-21 17:10 . 2008-01-21 17:10 <DIR> d--h----- C:\Program Files\Uninstall Information
2008-01-21 17:08 . 2008-01-21 17:08 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-01-21 17:08 . 2008-01-21 17:08 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-01-21 17:07 . 2008-01-21 17:20 2,048 --a-s---- C:\WINDOWS\bootstet.dat
2008-01-21 17:05 . 2004-08-03 17:07 221,696 --a--c--- C:\WINDOWS\system32\dllcache\seo.dll
2008-01-21 17:04 . 2003-03-24 16:52 618,605 --a--c--- C:\WINDOWS\system32\dllcache\fp4autl.dll
2008-01-21 17:03 . 2004-08-03 17:07 514,587 --a--c--- C:\WINDOWS\system32\dllcache\edb500.dll
2008-01-21 17:02 . 2008-01-21 17:02 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-01-21 17:02 . 2008-01-21 17:02 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-01-21 17:01 . 2008-01-21 17:01 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-01-21 17:01 . 2008-01-21 17:01 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-01-21 17:01 . 2008-01-21 17:01 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-01-21 17:01 . 2008-01-21 17:01 2,577 --a------ C:\WINDOWS\system32\CONFIG.NT
2008-01-21 17:01 . 2008-01-21 17:01 0 --a------ C:\WINDOWS\control.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 01:24 12,104,143 ------w C:\$Persi0.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:07 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 17:07 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 17:07 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 17:07 455168]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-01-21 22:04 6731312]
"COMODO Firewall Pro"="D:\Program Files\Comodo\Firewall\CPF.exe" [2008-01-22 12:32 1115728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 17:07 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DfLogon]
LogonDll.dll 2007-03-07 01:39 65536 C:\WINDOWS\system32\LogonDll.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ACKWIN32.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ANTI-TROJAN.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\APVXDWIN.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AUTODOWN.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVE32.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVGCTRL.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVKSERV.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVNT.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP32.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVPCC.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVPDOS32.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVPM.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVPTC32.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVPUPD.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVSCHED32.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVWIN95.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVWUPD32.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\BLACKD.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\BLACKICE.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CFIADMIN.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CFIAUDIT.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CFINET.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CFINET32.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CLAW95.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CLAW95CF.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CLEANER.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CLEANER3.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DVP95.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DVP95_0.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ECENGINE.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ESAFE.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EXPWATCH.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\F-AGNT95.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\F-PROT.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\F-PROT95.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\F-STOPW.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FESCUE.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FINDVIRU.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FP-WIN.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPROT.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FRW.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IAMAPP.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IAMSERV.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IBMASN.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IBMAVSP.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ICLOAD95.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ICLOADNT.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ICMON.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ICSUPP95.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ICSUPPNT.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IFACE.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IOMON98.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\JEDI.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVsvc.exe]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVSvcUI.exe]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVFW.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.exe]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatchUI.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\LOCKDOWN2000.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Logo1_.exe]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Logo_1.exe]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\LOOKOUT.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\LUALL.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MAILMON.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MOOLIVE.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MPFTRAY.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\N32SCANW.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVLU32.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVNT.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navw32.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVWNT.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NISUM.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NMain.exe]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NORMIST.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NUPGRADE.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NVC95.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PAVCL.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PAVSCHED.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PAVW.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PCCWIN98.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PCFWALLICON.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PERSFW.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAV7.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAV7WIN.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAVtimer.exe]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rising.exe]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SAFEWEB.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SCAN95.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SCANPM.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SCRSCAN.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SERV95.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SMC.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SPHINX.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SWEEP95.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TBSCAN.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TCA.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TDS2-98.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TDS2-NT.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\THGUARD.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojanHunter.exe]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VET95.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VETTRAY.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VSCAN40.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VSECOMR.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VSHWIN32.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WFINDV32.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ZONEALARM.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\_AVP32.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\_AVPCC.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\_AVPM.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DT?′1¤??.exe]
Debugger=net


*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 22:29:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\LogonDll.dll
.
Here is the HijackThis log:

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:30, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1004336348-706699826-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe

--
End of file - 2504 bytes
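The long run of "Debugger=net" entries in the ComboFix log above is the malware's way of disabling security tools, and it deserves a closer look than the thread gives it. When an executable starts, Windows checks the Image File Execution Options subkey named after that image; if it has a Debugger value, Windows launches the named debugger with the original command line as its argument instead of the image itself. Here every listed antivirus and firewall executable is redirected to `net`, i.e. net.exe, which prints its usage text and exits, so the tool silently never runs. The script below is an added example, not code from the thread or from ComboFix: it extracts IFEO Debugger entries from a ComboFix-style or .reg-style dump, keeps the ones that do not point at a genuine debugger, and emits the reg.exe command that removes each. Three SAMPLE_REG entries are copied from the log; the myapp.exe entry is a constructed benign contrast, and KNOWN_DEBUGGERS is my own assumption.

```python
"""Find Image File Execution Options (IFEO) Debugger hijacks in a registry
dump such as the "Reg Loading Points" section of a ComboFix log.

Added example, not code from the thread or from ComboFix. Three entries in
SAMPLE_REG are copied from the log; myapp.exe is constructed as a benign
contrast; KNOWN_DEBUGGERS is an assumption.
"""
import re

IFEO_PATH = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
             r"\Image File Execution Options")

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP32.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ZONEALARM.EXE]
Debugger=net

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rising.exe]
Debugger=net

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\Program Files\Debugging Tools for Windows\windbg.exe"
"""

# Key header of an IFEO subkey; group 1 is the image (executable) name.
IFEO_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Image File Execution Options\\([^\]\\]+)\]$", re.IGNORECASE)
# A value line, either ComboFix style (Debugger=net) or .reg style
# ("Debugger"="...").
VALUE_RE = re.compile(r'^"?([^"=]+)"?\s*=\s*(.*)$')

# Debuggers a developer might legitimately register under IFEO (assumption).
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe"}


def parse_ifeo_debuggers(text):
    """Yield {'image', 'debugger'} for each IFEO subkey with a Debugger value."""
    image = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFEO_KEY_RE.match(line)
        if m:
            image = m.group(1)
            continue
        if line.startswith("["):      # some other key: stop attributing values
            image = None
            continue
        v = VALUE_RE.match(line)
        if image and v and v.group(1).strip().lower() == "debugger":
            yield {"image": image, "debugger": v.group(2).strip()}


def debugger_program(value):
    """Basename of the program a Debugger value launches; ".exe" is appended
    when the value has no extension, which is how "net" resolves to net.exe."""
    value = value.strip()
    if value.startswith('"'):
        prog = value[1:].split('"', 1)[0]
    else:
        prog = value.split()[0] if value.split() else ""
    prog = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return prog if "." in prog else prog + ".exe"


def find_ifeo_hijacks(text):
    """Entries whose Debugger is not a known debugger, each with the reg.exe
    command that deletes the value."""
    hijacks = []
    for entry in parse_ifeo_debuggers(text):
        if debugger_program(entry["debugger"]) not in KNOWN_DEBUGGERS:
            entry["reg_delete"] = (f'reg delete "{IFEO_PATH}\\{entry["image"]}" '
                                   "/v Debugger /f")
            hijacks.append(entry)
    return hijacks


if __name__ == "__main__":
    for h in find_ifeo_hijacks(SAMPLE_REG):
        print(f"{h['image']:<16} Debugger={h['debugger']}")
        print("   ", h["reg_delete"])
```

On a live machine the same entries can be listed with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger`; that output is not in the bracketed key format the parser above expects, so adapt the regex if you feed it in directly. Delete the values only once the process that set them is gone, otherwise they are simply written again, as the files in the first post were.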
#6
24-01-2008, 04:43 PM
Neal
Re: Worm.Anilogo.f

Go here to learn how to show hidden files/folders:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

Re-hide them after we are done.



Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:


C:\WINDOWS\REGLOCS.OLD


Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.


If that one is too busy, here is another option:


http://virusscan.jotti.org

And

http://www.kaspersky.com/scanforvirus.html


Do the same for this one: C:\WINDOWS\bootstet.dat



Go to BitDefender and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX control has loaded, click on "Click here to scan" and grab a coffee.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post back and let us know what it found (post the log).

And post a new HJT log also..
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below

MALWARE: READ FIRST Procedures: |_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|

ASAP: promoting a high standard and quality of security support no matter where you seek help.
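Before a file goes to VirusTotal or Jotti it is worth fingerprinting it locally, so the pasted result (size, MD5, SHA1 under "Additional information") can be matched against the copy on disk and the file's nature checked. The script below is an added example, not code from this post or from any scanner vendor. It hashes a file, tests whether it really carries a PE header, and flags Windows system names found outside their home directory, which is what makes the thread's C:\WINDOWS\Fonts\...\smss.exe and D:\ntldr.exe stand out. EXPECTED_HOMES is an assumption for a 32-bit XP install; the two sample buffers are constructed, not the real files.

```python
r"""Local triage of a suspect file before it is uploaded to an online scanner.

Added example; not code from the forum post or from VirusTotal/Jotti.
Reproduces the "Additional information" fields the online scanners print
(size, MD5, SHA1), checks for a real PE header, and reports a Windows
system file name that sits outside its expected directory or carries a
bolted-on extension (ntldr -> ntldr.exe).
"""
import hashlib
import ntpath
import struct

# Assumed: the only places these names legitimately live on Windows XP.
EXPECTED_HOMES = {
    "smss.exe": {r"c:\windows\system32"},
    "ntldr": {"c:\\"},
}


def is_pe(data: bytes) -> bool:
    """True if data has a DOS stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def fingerprint(data: bytes) -> dict:
    """Same fields the online scanners show under 'Additional information'."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": is_pe(data),
    }


def masquerade_findings(path: str) -> list:
    """Flag a system name outside its home directory, or a system name
    (like ntldr) that has had an extension appended."""
    directory, name = ntpath.split(path)
    directory, name = directory.lower(), name.lower()
    stem, _ = ntpath.splitext(name)
    findings = []
    if name in EXPECTED_HOMES and directory not in EXPECTED_HOMES[name]:
        findings.append(f"{name} outside expected directory: {path}")
    elif name not in EXPECTED_HOMES and stem in EXPECTED_HOMES:
        findings.append(f"{stem} with added extension: {path}")
    return findings


def triage(path: str, data: bytes) -> dict:
    """Hash fingerprint plus name and header checks for one file."""
    info = fingerprint(data)
    info["path"] = path
    info["findings"] = masquerade_findings(path)
    if ntpath.splitext(path)[1].lower() == ".exe" and not info["is_pe"]:
        info["findings"].append("has .exe extension but no PE header")
    return info


# Constructed sample inputs (not the files from the thread): a minimal
# buffer that passes the PE check and a plain blob that does not.
FAKE_PE = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x80)
FAKE_PE += b"\0" * (0x80 - len(FAKE_PE)) + b"PE\0\0" + b"\0" * 0x100
PLAIN_BLOB = b"not an executable\n" * 16

if __name__ == "__main__":
    for p, d in [(r"C:\WINDOWS\Fonts\syn00-0F-DB-CB-ED-F9\system\smss.exe", FAKE_PE),
                 (r"D:\ntldr.exe", PLAIN_BLOB),
                 (r"C:\WINDOWS\system32\smss.exe", FAKE_PE)]:
        print(triage(p, d))
```

Run it against the real file with `triage(path, open(path, "rb").read())`; if the MD5 it prints differs from the one in the online report, the wrong file was uploaded.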
#7
Posted 24-01-2008, 07:14 PM by zerozone (Dedicated Member, Contributor; joined Jan 2007; 366 posts)
Re: Worm.Anilogo.f

Here is the report I got for REGLOCS.OLD:

Quote:
File REGLOCS.OLD received on 01.24.2008 18:51:22 (CET)


Result: 0/31 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.25.10 2008.01.24 -
AntiVir 7.6.0.48 2008.01.24 -
Authentium 4.93.8 2008.01.24 -
Avast 4.7.1098.0 2008.01.23 -
AVG 7.5.0.516 2008.01.24 -
BitDefender 7.2 2008.01.24 -
CAT-QuickHeal 9.00 2008.01.23 -
ClamAV 0.91.2 2008.01.24 -
DrWeb 4.44.0.09170 2008.01.24 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5482 2008.01.24 -
Ewido 4.0 2008.01.24 -
FileAdvisor 1 2008.01.24 -
Fortinet 3.14.0.0 2008.01.24 -
F-Prot 4.4.2.54 2008.01.24 -
F-Secure 6.70.13260.0 2008.01.24 -
Ikarus T3.1.1.20 2008.01.24 -
Kaspersky 7.0.0.125 2008.01.24 -
McAfee 5214 2008.01.23 -
Microsoft 1.3109 2008.01.24 -
NOD32v2 2819 2008.01.24 -
Norman 5.80.02 2008.01.23 -
Panda 9.0.0.4 2008.01.23 -
Prevx1 V2 2008.01.24 -
Rising 20.28.31.00 2008.01.24 -
Sophos 4.24.0 2008.01.24 -
Sunbelt 2.2.907.0 2008.01.23 -
Symantec 10 2008.01.24 -
TheHacker 6.2.9.196 2008.01.23 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.23 -
Additional information
File size: 8192 bytes
MD5: 46d61f2c368314244d4fd3d78f3a4b1a
SHA1: fbfc5ba6e3061eba31410aa0e4d82be531c0be91
PEiD: -
Since I got no virus from the first site, I tried the other two; they are the same and found nothing.
Quote:

File: REGLOCS.OLD
Status: OK
MD5: 46d61f2c368314244d4fd3d78f3a4b1a
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 24 Jan 2008 17:57:01 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Quote:
You're clean!
Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.


Scanned file: REGLOCS.OLD



Statistics:
Known viruses: 531323 Updated: 24-01-2008
File size (Kb): 8 Virus bodies: 0
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0

Here is another report, for bootstet.dat:

Quote:
File bootstet.dat received on 01.24.2008 19:02:28 (CET)


Result: 0/31 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.25.10 2008.01.24 -
AntiVir 7.6.0.48 2008.01.24 -
Authentium 4.93.8 2008.01.24 -
Avast 4.7.1098.0 2008.01.23 -
AVG 7.5.0.516 2008.01.24 -
BitDefender 7.2 2008.01.24 -
CAT-QuickHeal 9.00 2008.01.23 -
ClamAV 0.91.2 2008.01.24 -
DrWeb 4.44.0.09170 2008.01.24 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5482 2008.01.24 -
Ewido 4.0 2008.01.24 -
FileAdvisor 1 2008.01.24 -
Fortinet 3.14.0.0 2008.01.24 -
F-Prot 4.4.2.54 2008.01.24 -
F-Secure 6.70.13260.0 2008.01.24 -
Ikarus T3.1.1.20 2008.01.24 -
Kaspersky 7.0.0.125 2008.01.24 -
McAfee 5214 2008.01.23 -
Microsoft 1.3109 2008.01.24 -
NOD32v2 2820 2008.01.24 -
Norman 5.80.02 2008.01.23 -
Panda 9.0.0.4 2008.01.24 -
Prevx1 V2 2008.01.24 -
Rising 20.28.31.00 2008.01.24 -
Sophos 4.24.0 2008.01.24 -
Sunbelt 2.2.907.0 2008.01.23 -
Symantec 10 2008.01.24 -
TheHacker 6.2.9.196 2008.01.23 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.24 -
Additional information
File size: 2048 bytes
MD5: 6a2cb42966136854f4464516fbb4ae72
SHA1: 8895ff16d9470572b773836e7ceaa6224a54551f
PEiD: -
Quote:

File: bootstet.dat
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 6a2cb42966136854f4464516fbb4ae72
Packers detected: -
Bit9 reports: No threat detected (more info)

Scanner results
Scan taken on 24 Jan 2008 18:09:45 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Quote:
You're clean!
Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.


Scanned file: bootstet.dat



Statistics:
Known viruses: 531323 Updated: 24-01-2008
File size (Kb): 2 Virus bodies: 0
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0
The online scan said it will take over 24 hours, so can I download the version and scan on my PC?
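The reports pasted above are three different plain-text layouts saying the same thing. Parsing them mechanically makes it easy to get the detection ratio and to confirm that every service hashed the same bytes. The code below is an added example, not code from this post or from VirusTotal, Jotti or Kaspersky: it handles the VirusTotal table ("engine version yyyy.mm.dd result", where "-" means clean) with its "MD5:" and "File size:" footer, and Jotti's "engine Found nothing" rows. The sample text is a short excerpt of the REGLOCS.OLD results above; CONSTRUCTED_HIT, with a made-up engine and verdict, is there only to exercise the detection path.

```python
"""Parse pasted multi-engine scan reports and summarise them.

Added example; not code from the forum post or from any scanning service.
"""
import re

# VirusTotal row: "AhnLab-V3 2008.1.25.10 2008.01.24 -" ("-" means no detection).
VT_ROW = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$")
# Jotti row: "Norman Virus Control Found nothing".
JOTTI_ROW = re.compile(r"^(?P<engine>.+?)\s+Found\s+(?P<result>.+?)\s*$")
MD5_LINE = re.compile(r"^MD5:\s*(?P<md5>[0-9a-fA-F]{32})\s*$", re.M)
SIZE_LINE = re.compile(r"^File size:\s*(?P<size>\d+)\s*bytes", re.M)


def parse_virustotal(text: str) -> dict:
    """Engines seen, (engine, verdict) pairs for detections, MD5 and size."""
    engines, hits = [], []
    for line in text.splitlines():
        m = VT_ROW.match(line.strip())
        if not m:
            continue
        engines.append(m["engine"])
        if m["result"] != "-":
            hits.append((m["engine"], m["result"]))
    md5 = MD5_LINE.search(text)
    size = SIZE_LINE.search(text)
    return {"service": "virustotal", "engines": engines, "detections": hits,
            "md5": md5["md5"].lower() if md5 else None,
            "size": int(size["size"]) if size else None}


def parse_jotti(text: str) -> dict:
    """Same shape as parse_virustotal for Jotti's 'Found ...' layout."""
    engines, hits = [], []
    for line in text.splitlines():
        m = JOTTI_ROW.match(line.strip())
        if not m:
            continue
        engines.append(m["engine"])
        if m["result"].lower() != "nothing":
            hits.append((m["engine"], m["result"]))
    md5 = MD5_LINE.search(text)
    return {"service": "jotti", "engines": engines, "detections": hits,
            "md5": md5["md5"].lower() if md5 else None}


def summarize(*reports: dict) -> dict:
    """Detection ratio across services, plus a check that every service
    reported the same MD5 (a mismatch means a different file was sent)."""
    total = sum(len(r["engines"]) for r in reports)
    hits = [h for r in reports for h in r["detections"]]
    md5s = {r["md5"] for r in reports if r["md5"]}
    return {"engines": total, "detections": hits,
            "ratio": f"{len(hits)}/{total}", "same_file": len(md5s) <= 1}


# Excerpt of the REGLOCS.OLD reports pasted in the thread (a few rows only).
VT_EXCERPT = """\
File REGLOCS.OLD received on 01.24.2008 18:51:22 (CET)
Result: 0/31 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.25.10 2008.01.24 -
AntiVir 7.6.0.48 2008.01.24 -
Kaspersky 7.0.0.125 2008.01.24 -
Microsoft 1.3109 2008.01.24 -
Prevx1 V2 2008.01.24 -
VirusBuster 4.3.26:9 2008.01.23 -
Additional information
File size: 8192 bytes
MD5: 46d61f2c368314244d4fd3d78f3a4b1a
"""
JOTTI_EXCERPT = """\
File: REGLOCS.OLD
Status: OK
MD5: 46d61f2c368314244d4fd3d78f3a4b1a
Scan taken on 24 Jan 2008 17:57:01 (GMT)
A-Squared Found nothing
Kaspersky Anti-Virus Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
"""
# Constructed: a made-up engine and verdict, so the detection path is exercised.
CONSTRUCTED_HIT = """\
Antivirus Version Last Update Result
HypotheticalAV 1.0 2008.01.24 Example.Generic
AntiVir 7.6.0.48 2008.01.24 -
File size: 2048 bytes
MD5: 00000000000000000000000000000000
"""

if __name__ == "__main__":
    print(summarize(parse_virustotal(VT_EXCERPT), parse_jotti(JOTTI_EXCERPT)))
    print(summarize(parse_virustotal(CONSTRUCTED_HIT)))
```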
#8
Posted 24-01-2008, 08:37 PM by Neal (Senior Member; joined Sep 2005; 5,524 posts)
Re: Worm.Anilogo.f

Never mind the BitDefender scan if it is going to take that long.

I just noticed you do not have an anti-virus program; you have AVG Anti-Spyware and Comodo Firewall.

You need to get an anti-virus program immediately before infection sets in.

If you want BitDefender, it is a good one, or:

AVG

AVG is free if you want it to be.

Update whichever you choose, run a scan with it and come back and tell me how things are now please.
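Neal reached this conclusion by reading the O23 service lines of the HJT log: the only security services are an anti-spyware guard, a firewall agent and Deep Freeze, and there is no anti-virus engine among them. The same check, and a listing of the O20 Winlogon Notify DLLs (which load into winlogon.exe at every logon and so deserve to be tied to a known product), can be done mechanically. The script below is an added example, not code from the forum, from HijackThis or from any vendor. AV_SERVICE_MARKERS is an assumed and deliberately short list of service executables from mainstream AV products of the period; extend it for your own environment. Anything whose service name says "Anti-Spyware" is ignored on purpose, since that is exactly the product mistaken for anti-virus here. The sample lines are copied from the HJT log earlier in the thread, plus one constructed O23 line that shows what a hit looks like.

```python
r"""Read O20/O23 lines of a HijackThis log: is a real-time anti-virus
service present, and which DLLs are registered as Winlogon Notify packages?

Added example; not code from the forum, from HijackThis or from any vendor.
"""
import re

# "O23 - Service: <name> - <company> - <path>" / "O20 - Winlogon Notify: <name> - <dll>"
HJT_LINE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<rest>.+)$")

# Assumed list of service binaries that indicate an anti-virus engine
# (BitDefender, AVG 7.5, Avira, Norton, McAfee, ESET, avast 4).
AV_SERVICE_MARKERS = ("vsserv.exe", "avgamsvr.exe", "avgemc.exe", "avguard.exe",
                      "ccsvchst.exe", "mcshield.exe", "ekrn.exe", "ashserv.exe")


def parse_hjt(text: str) -> list:
    """One dict per HJT line; O23 gets name/company/path, O20 name/path,
    everything else keeps only the raw remainder."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        entry = {"section": m["section"], "kind": m["kind"], "raw": m["rest"]}
        parts = [p.strip() for p in m["rest"].split(" - ")]
        if m["section"] == "O23" and len(parts) >= 3:
            entry.update(name=parts[0], company=parts[1], path=" - ".join(parts[2:]))
        elif m["section"] == "O20" and len(parts) >= 2:
            entry.update(name=parts[0], path=" - ".join(parts[1:]))
        entries.append(entry)
    return entries


def antivirus_services(entries: list) -> list:
    """Service names whose binary is a known AV engine; anti-spyware excluded."""
    found = []
    for e in entries:
        if e["section"] != "O23" or "path" not in e:
            continue
        if "anti-spyware" in e["name"].lower():
            continue
        exe = e["path"].rsplit("\\", 1)[-1].lower()
        if exe in AV_SERVICE_MARKERS:
            found.append(e["name"])
    return found


def winlogon_notify(entries: list) -> list:
    """(name, dll) for each O20 Winlogon Notify package; each should map to
    a product you know is installed."""
    return [(e["name"], e["path"]) for e in entries
            if e["section"] == "O20" and e["kind"] == "Winlogon Notify" and "path" in e]


def review(text: str) -> dict:
    entries = parse_hjt(text)
    return {"services": [e["name"] for e in entries if e["section"] == "O23"],
            "antivirus": antivirus_services(entries),
            "winlogon_notify": winlogon_notify(entries)}


# Lines copied from the HJT log earlier in the thread.
HJT_SAMPLE = r"""
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
"""
# Constructed line (vendor and path made up) showing what an AV hit looks like.
CONSTRUCTED_AV_LINE = r"O23 - Service: Example Virus Shield - Example Vendor - C:\Program Files\ExampleAV\vsserv.exe"

if __name__ == "__main__":
    print(review(HJT_SAMPLE))
    print(review(HJT_SAMPLE + CONSTRUCTED_AV_LINE + "\n"))
```

The O20 entry reported here, DfLogon, sits beside the Faronics DF5Serv service in the same log, so it has an installed product to account for it; an O20 DLL with no matching product is the one to send to the online scanners.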
#9
Posted 25-01-2008, 02:28 AM by zerozone (Dedicated Member, Contributor; joined Jan 2007; 366 posts)
Re: Worm.Anilogo.f

I downloaded the BitDefender trial version; damn, it found so many things.

Quote:
BitDefender Log File !!!!!
Product : BitDefender Total Security 2008
Version : BitDefender UIScanner v.11
Log date : 17:51:04 24/01/2008
Log path : C:\Documents and Settings\user\Application Data\BitDefender\Desktop\Profiles\Logs\contextual\1201215064_1_02.xml

Scan Paths:
Path0000: C:\
Path0001: D:\

Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : No

Target selection options:
Scan registry keys : No
Scan cookies : No
Scan boot sectors : No
Scan memory processes : No
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :

Target Processing
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None

Scan engines summary
Number of virus signatures : 976923
Archive plugins : 41
Email plugins : 6
Scan plugins : 12
Archive plugins : 41
System plugins : 4
Unpack plugins : 7

Overall scan summary
Scanned items : 300042
Infected items : 159
Suspicious items : 1
Resolved items : 128
Individual viruses found : 33
Scanned directories : 1983
Scanned boot sectors : 0
Scanned archives : 10043
Input-output errors : 28
Scan time : 00:03:55:02
Files per second : 21

Scanned processes summary
Scanned : 0
Infected : 0

Scanned registry keys summary
Scanned : 0
Infected : 0

Scanned cookies summary
Scanned : 0
Infected : 0


D:\qwe\New Folder\getright.exe=]wise0088 Adware.Gator.AD Delete Failed (file was in an archive)
D:\System Volume Information\_restore{7BC99C4C-760E-4A10-ABDA-0C86E98FEB48}\RP12\A0001547.exe=](VISE Installer o)=]Gain_Trickler.exe Adware.Gator.C Delete Failed (file was in an archive)
D:\System Volume Information\_restore{7BC99C4C-760E-4A10-ABDA-0C86E98FEB48}\RP12\A0001593.exe=](VISE Installer o)=]Gain_Trickler.exe Adware.Gator.C Delete Failed (file was in an archive)
D:\qwe\New Folder\serv-u.zip=]Serv-U3.0.19.exe=](ZIP Sfx o)=]SERVUDAEMON.EXE Backdoor.Servudoor.B Delete Failed (file was in an archive)
D:\qwe\New Folder\AD Kill.zip=]akiller.exe=](Instyler o)=](Instyler Module 1) BehavesLike:Win32.Keylogger Delete Failed (file was in an archive)
D:\game\gb_digimon_cn.zip=]gb_digimon_cn.gbc Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]Ad-Aware SE Default.skn Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]arrow1.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]arrow2.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bck1.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt11.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt12.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt13.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt21.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt22.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt23.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt31.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt32.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt33.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt41.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt42.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt43.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt51.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt52.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt53.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt61.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]bt62.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]checkbox1.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]checkbox2.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]checkbox3.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]checkbox4.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]defbtn1.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]defbtn2.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]defbtn3.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]glyph1.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]glyph2.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]glyph3.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]glyph4.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]glyph5.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]glyph6.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]glyph7.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]main.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]preview.bmp Password-Protected Items No action was possible
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=]sprite1.bmp Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]Bkbmp\START.WAV Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]Bkbmp\setup01.bmp Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]Bkbmp\setup02.bmp Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]Bkbmp\setup03.bmp Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]Bkbmp\setup04.bmp Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]Bkbmp\setup05.bmp Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]Bkbmp\setup06.bmp Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]Bkbmp\setup07.bmp Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]Bkbmp\setup08.bmp Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]Bkbmp\setup09.bmp Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]Bkbmp\setup10.bmp Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]Mpeg4\INSTMPG4.EXE Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]AUTORUN.INF Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]CHINA.INI Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]DATA.DAT Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]ENGLISH.INI Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]FILELIST.INI Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]herosoft.url Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]SETUP.EXE Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]SETUP.INI Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]SETUP936.DLL Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]SETUPLUG.DLL Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]????????.txt Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]????????.txt Password-Protected Items No action was possible
D:\qwe\New Folder\Hero-2001XP.rar=]????????????.url Password-Protected Items No action was possible
D:\qwe\New Folder\hotmailhack.zip=]Hotmail hack.exe Password-Protected Items No action was possible
D:\qwe\New Folder\hotmailhack.zip=]001.txt Password-Protected Items No action was possible
D:\qwe\New Folder\hotmailhack.zip=]002.txt Password-Protected Items No action was possible
D:\qwe\New Folder\hotmailhack.zip=]003.txt Password-Protected Items No action was possible
D:\qwe\New Folder\hotmailhack.zip=]004.txt Password-Protected Items No action was possible
D:\qwe\New Folder\hotmailhack.zip=]005.txt Password-Protected Items No action was possible
D:\qwe\New Folder\hotmailhack.zip=]006.txt Password-Protected Items No action was possible


Resolved issues:
Object Name Threat Name Final Status
D:\ntldr.exe Generic.Malware.SP!BdldPk!g.C2058CB7 Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP7\A0002385.exe Generic.Malware.SP!BdldPk!g.C2058CB7 Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP7\A0003392.exe Generic.Malware.SP!BdldPk!g.C2058CB7 Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP7\A0003395.exe Generic.Malware.SP!BdldPk!g.C2058CB7 Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP7\A0004394.exe Generic.Malware.SP!BdldPk!g.C2058CB7 Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP8\A0003405.exe Generic.Malware.SP!BdldPk!g.C2058CB7 Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP9\A0003427.exe Generic.Malware.SP!BdldPk!g.C2058CB7 Moved to Quarantine
D:\qwe\New Folder\Boom21.zip=]Boom21/Boom.exe Trojan.DoS.Lanxue.21 Deleted
D:\Program Files\Tencent\QQ\QQexternal.exe Trojan.Dropper.Agent.AJW Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004520.exe Trojan.Dropper.Agent.AJW Deleted
D:\Program Files\Tencent\QQ\QQPet\QQPetDazzle.exe Trojan.Dropper.Agent.BCT Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004521.exe Trojan.Dropper.Agent.BCT Deleted
D:\qwe\New Folder\ipcscan.zip=]ipcscan/IpcScan.exe Trojan.IpcScan.1.50 Deleted
C:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP2\A0000027.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\autorun.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\Documents and Setting\Ash\zzz.txt Win32.Worm.Autorun.GN Moved to Quarantine
D:\RECYCLER\S-1-5-21-1757981266-1682526488-1060284298-1003\Dd1.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\RECYCLER\S-1-5-21-1757981266-1682526488-1060284298-1003\Dd7.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\RECYCLER\S-1-5-21-2025429265-854245398-1957994488-1003\Dd3.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP4\A0000055.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP4\A0000056.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP5\A0000091.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP7\A0001384.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP7\A0001387.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP7\A0002384.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP7\A0003391.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP7\A0003394.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP7\A0004393.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP8\A0003404.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP9\A0003426.inf Win32.Worm.Autorun.GN Moved to Quarantine
D:\Documents and Setting\Ash\game\New Folder\New Folder\BasicBoy202\BasicBoy202.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\game\New Folder\New Folder (2)\kigb.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\game\New Folder\New Folder (3)\PlayGuy+.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\game\New Folder\New Folder (4)\kigb.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\game\New Folder (5)\VisualBoyAdvance.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\qwe.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\sea.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\soft\ATF-Cleaner.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\soft\Chessmaster Challenge\engine\TheKing.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\soft\ha\ipscan.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\soft\HijackThis.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\soft\hijackthis_sfx.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\soft\index\IDSuite.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\soft\Magnifying Glass.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\soft\need\jinstall.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\soft\netsupport\nsmdos.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\untitled folder 1\NJWIN\NJWIN32.EXE Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\untitled folder 1\Program Files\AIM95\aimauto.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\untitled folder 1\Program Files\AIM95\unwise32.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\untitled folder 1\Program Files\ICW-Internet Connection Wizard\ICWCONN1.EXE Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\untitled folder 1\Program Files\ICW-Internet Connection Wizard\ICWCONN2.EXE Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\untitled folder 1\Program Files\Microsoft Office\Office\BINDER.EXE Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\untitled folder 1\Program Files\Microsoft Office\Office\GRAFLINK.EXE Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\untitled folder 1\Program Files\Microsoft Office\Office\MSOFFICE.EXE Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\untitled folder 1\Program Files\Virtual Cop2\PPJ2DD.EXE Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\untitled folder 1\Program Files\Websters World Encyclopedia 98\IUPDATE.EXE Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\untitled folder 1\Program Files\Websters World Encyclopedia 98\REGO32.EXE Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\untitled folder 1\Program Files\Websters World Encyclopedia 98\WebWorld.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\untitled folder 1\Program Files\xmplayer\XMPLAYER.EXE Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\haqq\New Folder (2)\to\TCPOptimizer.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\haqq\New Folder (2)\to\用到的工具\ASPack加壳\ASPACK.EXE Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\ms\New Folder\MapleAidV1.01.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\ms\New Folder (2)\Vicious Engine(fixed)\Kernelmoduleunloader.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\ms\New Folder (2)\Vicious Engine(fixed)\Systemcallretriever.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\ms\New Folder (2)\Vicious Engine(fixed)\Vicious Engine 5.0.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\qq\New Folder\TCPlus.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\qq\QQ2004\ChatRoom.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\qq\QQ2004\MagicBook.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\qq\QQ2004\MagicFlash.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\qq\QQ2004\QQLiveUpdate.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\qq\QQ2004\QQMail.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\qq\QQ2004\showip.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\qq\QQ2004\TIMPlatform.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\qq\QQ2004\Timwp.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\qq\QQ2004\TMDLLs\QQMail.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\qq\QQ2004\TMDLLs\TIMPlatform.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\qq\QQ2004\TMDLLs\Timwp.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\qq\QQ2004\TMShell.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\qq\qqmail\QQMail.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Documents and Setting\Ash\workig\vcd\VCD_PLAY.EXE Win32.Worm.Cekar.A Moved to Quarantine
D:\Nexon\MapleStory\Patcher.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\eMule\CrashReporter.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\foobar2000\foobar2000.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\iTudou\iTudou.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\iTudou\RepairReg.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Kingsoft\PowerWord 2006\KSSetting.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Kingsoft\PowerWord 2006\NewWord.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Kingsoft\PowerWord 2006\RegDict.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Kingsoft\PowerWord 2006\ScrollWord.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Kingsoft\PowerWord 2006\update1.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Lavasoft\Ad-Aware SE Personal\unregaaw.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ\MagicFlash.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ\NetRepair.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ\QQ3DAVPlayer.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ\QQClubClient.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ\QQLiveUpdate.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ\QQMail.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ\TIMPlatform.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ\TIMPlatfrom.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ\Timwp.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ\TMDLLs\QQMail.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ\TMDLLs\TIMPlatform.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ\TMShell.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ2007b\TMDLLS\QQLiveUpdate.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ2007b\TMDLLS\TIMPlatform.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ2007b\TMDLLS\Timwp.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ2007b\TMShell.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQDoctor\QQDoctor.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQDownload\QDAutoUpdate.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQGame\CChess\CChess.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQGame\CChess\UNWISE.EXE Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQGame\Download\qqt2_dl.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQGame\Go\UNWISE.EXE Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQGame\Go\Weiqi.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\WinRAR\Rar.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\WinRAR\RarExtLoader.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\WinRAR\Uninstall.exe Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\WinRAR\UnRAR.exe Win32.Worm.Cekar.A

Moved to Quarantine
D:\Program Files\WinRAR\WinRAR.exe Win32.Worm.Cekar.A

Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-

4A43-8132-B5F122A37B6C}\RP7\A0003398.exe

Win32.Worm.Cekar.A Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-

4A43-8132-B5F122A37B6C}\RP7\A0003405.exe

Win32.Worm.Cekar.A Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-

4A43-8132-B5F122A37B6C}\RP7\A0003406.exe

Win32.Worm.Cekar.A Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-

4A43-8132-B5F122A37B6C}\RP7\A0003408.exe

Win32.Worm.Cekar.A Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-

4A43-8132-B5F122A37B6C}\RP7\A0003417.exe

Win32.Worm.Cekar.A Moved to Quarantine
D:\System Volume Information\_restore{3C251E10-6E50-

4A43-8132-B5F122A37B6C}\RP7\A0003421.exe

Win32.Worm.Cekar.A Moved to Quarantine
D:\Program Files\Tencent\QQ\QzoneSupport.exe

Win32.Worm.Ice.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-

4A43-8132-B5F122A37B6C}\RP10\A0004522.exe

Win32.Worm.Ice.A Deleted

There are some important exe that got infected, so I moved all of the infected items to Quarantine. Then I deleted those that are not important. Then I restarted and rescanned System Volume Information on D:\. Here is the log

Quote:
BitDefender Log File !!!!!
Product : BitDefender Total Security 2008
Version : BitDefender UIScanner v.11
Log date : 18:48:21 24/01/2008
Log path : C:\Documents and Settings\user\Application Data\BitDefender\Desktop\Profiles\Logs\contextual\1201218501_1_02.xml

Scan Paths:
Path0000: D:\System Volume Information

Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : No

Target selection options:
Scan registry keys : No
Scan cookies : No
Scan boot sectors : No
Scan memory processes : No
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :

Target Processing
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None

Scan engines summary
Number of virus signatures : 976923
Archive plugins : 41
Email plugins : 6
Scan plugins : 12
Archive plugins : 41
System plugins : 4
Unpack plugins : 7

Overall scan summary
Scanned items : 16880
Infected items : 98
Suspicious items : 0
Resolved items : 95
Individual viruses found : 5
Scanned directories : 23
Scanned boot sectors : 0
Scanned archives : 216
Input-output errors : 0
Scan time : 00:00:14:57
Files per second : 18

Scanned processes summary
Scanned : 0
Infected : 0

Scanned registry keys summary
Scanned : 0
Infected : 0

Scanned cookies summary
Scanned : 0
Infected : 0

Remaining issues:
Object Name Threat Name Final Status
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004621.exe=]wise0088 Adware.Gator.AD Delete Failed (file was in an archive)
D:\System Volume Information\_restore{7BC99C4C-760E-4A10-ABDA-0C86E98FEB48}\RP12\A0001547.exe=](VISE Installer o)=]Gain_Trickler.exe Adware.Gator.C Delete Failed (file was in an archive)
D:\System Volume Information\_restore{7BC99C4C-760E-4A10-ABDA-0C86E98FEB48}\RP12\A0001593.exe=](VISE Installer o)=]Gain_Trickler.exe Adware.Gator.C Delete Failed (file was in an archive)


Resolved issues:
Object Name Threat Name Final Status
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004617.exe Generic.Malware.SP!BdldPk!g.C2058CB7 Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004613.inf Win32.Worm.Autorun.GN Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004614.inf Win32.Worm.Autorun.GN Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004615.inf Win32.Worm.Autorun.GN Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004616.inf Win32.Worm.Autorun.GN Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004523.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004524.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004525.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004526.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004527.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004528.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004529.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004530.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004531.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004532.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004533.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004534.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004535.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004536.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004537.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004538.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004539.EXE Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004540.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004541.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004542.EXE Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004543.EXE Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004544.EXE Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004545.EXE Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004546.EXE Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004547.EXE Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004548.EXE Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004549.EXE Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004550.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004551.EXE Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004552.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004553.EXE Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004554.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004555.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004556.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004557.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004558.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004559.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004560.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004561.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004562.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004563.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004564.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004565.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004566.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004567.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004568.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004569.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004570.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004571.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004572.EXE Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004573.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004574.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004575.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004576.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004577.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004578.EXE Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004579.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004580.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004581.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004582.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004583.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004584.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004585.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004586.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004587.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004588.EXE Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004589.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004590.EXE Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004591.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004592.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004593.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004594.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004595.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004596.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004597.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004598.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004599.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004600.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004601.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004602.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004603.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004604.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004605.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004606.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004607.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004608.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004609.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004610.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004611.exe Win32.Worm.Cekar.A Deleted
D:\System Volume Information\_restore{3C251E10-6E50-4A43-8132-B5F122A37B6C}\RP10\A0004612.exe Win32.Worm.Cekar.A Deleted
There are some that can't be deleted!


Here is the HJT log

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:19, on 2008-01-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1004336348-706699826-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 3456 bytes
  #10 (permalink)  
Old 25-01-2008, 02:50 AM
Dedicated Member
Contributor
 
Join Date: Jan 2007
Posts: 366
Re: Worm.Anilogo.f

I once had both AVG and Anti-Spyware installed on my PC, but when there was a virus on my PC, Anti-Spyware seemed to be the first one to find it, so I thought Anti-Spyware was better than AVG, so I deleted it.