Old 05-01-2007, 03:41 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: xp


Computer running very slow. Possible worm?

Hi, I'm currently running Windows XP and am having major problems with something going on with my computer. If someone can please take a look at my HijackThis file and help me! Thank you

Logfile of HijackThis v1.99.1
Scan saved at 6:40:06 PM, on 5/1/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mikey\Desktop\Exec\hijackthis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [drvdiag] C:\WINDOWS\System32\drvconf.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quartz.atkinson.yorku.ca/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/06d8536b...p/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c1/v15.582/qboax8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://blacks.pnimedia.com/upload/ac...pv2.0.0.9.cab?
O20 - AppInit_DLLs: confdrv.dll drvstat.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\System32\xziex.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
exviper99 is offline  
Old 05-04-2007, 09:32 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Computer running very slow. Possible worm?

1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Last edited by sUBs; 05-04-2007 at 09:34 AM.
sUBs is offline  
Old 05-04-2007, 11:43 AM   #3 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: xp


Re: Computer running very slow. Possible worm?

First off, thank you so much for your reply; I really appreciate your time!
Already my mouse has stopped constantly showing the hourglass loading.

Here is the ComboFix log, and below that the HijackThis log!

ComboFix 07-05.04.3.V - Running from: "C:\Program Files\Mozilla Firefox\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\cicpvscm.dll
C:\WINDOWS\system32\dqvnnxio.dll
C:\WINDOWS\system32\ebctffjb.dll
C:\WINDOWS\system32\frikucev.dll
C:\WINDOWS\system32\hmfcgjdk.dll
C:\WINDOWS\system32\iekxiiai.dll
C:\WINDOWS\system32\lqdpfddm.dll
C:\WINDOWS\system32\osafpjfe.dll
C:\WINDOWS\system32\piweapeb.dll
C:\WINDOWS\system32\qdimnyln.dll
C:\WINDOWS\system32\ttbahyvf.dll
C:\WINDOWS\system32\tuvnaeie.dll
C:\WINDOWS\system32\wrxqmpbe.dll
C:\WINDOWS\system32\vecukirf.ini
C:\WINDOWS\system32\fvyhabtt.ini
C:\WINDOWS\system32\stutv.bak1
C:\WINDOWS\system32\stutv.bak2
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\stutv.ini2
C:\WINDOWS\system32\stutv.tmp
C:\WINDOWS\system32\dkkbdkk.dll
C:\WINDOWS\system32\vtuts.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\5_exception.nls
C:\WINDOWS\system32\RunOnce2.tm_
C:\WINDOWS\system32\RunOnce2.t__
C:\WINDOWS\system32\winupd_KB44105752.exe
C:\WINDOWS\system32\winupd_KB57455861.exe
C:\WINDOWS\system32\winupd_KB80286011.exe
C:\WINDOWS\system32\winupd_KB90188820.exe
C:\WINDOWS\system32\winupd_KB91028387.exe
C:\WINDOWS\system32\winupd_KB92380205.exe
C:\WINDOWS\system32\xziex.dll
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\install.log
C:\WINDOWS\system32\ksys.sys
C:\WINDOWS\winhp32.exe
C:\WINDOWS\system32\irzzhnt.dll
C:\WINDOWS\system32\l.dll
C:\WINDOWS\system32\qlf.dll
C:\WINDOWS\system32\xujig.dll
C:\Documents and Settings\All Users.\documents\settings
C:\WINDOWS\system32\rpcc1.dll
C:\WINDOWS\system32\drivers\gqbrirkr.sys
C:\WINDOWS\system32\dkkbdkk.dll
C:\WINDOWS\system32\dkkbdkk.dll.bak
C:\cp1041.nls

Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
Restored copy from - "C:\WINDOWS\system32\dllcache\ndis.sys"


Infected copy of C:\WINDOWS\system32\winlogon.exe was found & disinfected
Restored copy from - "C:\WINDOWS\system32\dllcache\winlogon.exe"



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_EXAMPLE
-------\LEGACY_IMRJYXZE
-------\LEGACY_NDNET1
-------\LEGACY_NTLDR.SYS
-------\LEGACY_RUNTIME
-------\LEGACY_XEVYDFQC
-------\EXAMPLE
-------\imrjyxze
-------\NDnet1
-------\Runtime
-------\xevydfqc


((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))


2007-05-03 21:31 498,960 --a------ C:\WINDOWS\system32\dxmasf.dll
2007-05-03 21:31 251,904 --a------ C:\WINDOWS\system32\strmdll.dll
2007-05-03 02:04 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-03 01:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-02 17:51 <DIR> d-------- C:\Program Files\Symantec
2007-05-02 17:27 <DIR> d-------- C:\Program Files\CCleaner
2007-05-02 17:09 <DIR> d-------- C:\Program Files\RegistryFix
2007-05-02 16:58 89,360 --a------ C:\WINDOWS\system32\VB5DB.dll
2007-05-02 16:57 49,152 --ah----- C:\WINDOWS\system32\confdrv.dll
2007-05-02 16:57 24,576 --a------ C:\WINDOWS\system32\rsrc32.dll
2007-05-02 16:57 184,328 --ah----- C:\WINDOWS\system32\drvstat.dll
2007-05-02 16:57 <DIR> d-------- C:\Program Files\Easy Desk Utilities
2007-05-02 16:56 71,680 --a------ C:\WINDOWS\ST5UNST.EXE
2007-05-02 16:56 40,960 --a------ C:\WINDOWS\system32\VB5StKit.dll
2007-05-02 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-05-02 16:28 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-01 13:43 10,000 --a------ C:\WINDOWS\system32\ldfksdioduihj.dll
2007-05-01 06:18 53,248 --ah----- C:\WINDOWS\system32\drvprf32.dll
2007-05-01 06:17 9,728 --a------ C:\WINDOWS\system32\crypt32net.dll
2007-05-01 06:17 57,344 --a------ C:\WINDOWS\system32\system32.exe
2007-05-01 06:17 5,120 --a------ C:\WINDOWS\system32\scardrv.exe
2007-05-01 06:17 12,901 --a------ C:\DOCUME~1\Mikey\ie_updater.exe
2007-05-01 06:17 10,240 --a------ C:\WINDOWS\system32\kernel.dll
2007-05-01 05:19 73,728 --a------ C:\WINDOWS\system32\svehost.exe
2007-04-05 02:44 <DIR> d-------- C:\DOCUME~1\Mikey\APPLIC~1\Gaijin Ent
2007-04-04 23:10 <DIR> d-------- C:\Program Files\Trymedia
2007-04-04 23:10 <DIR> d-------- C:\Program Files\Anarchy
2007-04-04 23:09 <DIR> d-------- C:\Downloads
2007-04-04 22:57 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-04-04 22:54 <DIR> d-------- C:\Program Files\Age of Castles
2007-04-04 22:41 46,176 --a------ C:\WINDOWS\system32\ipv6mons.dll
2007-04-04 22:33 <DIR> d-------- C:\Program Files\ReflexiveArcade


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-03 20:25:57 124,416 ----a-w C:\WINDOWS\system32\paiqvpji.dll
2007-05-03 17:33:39 75,264 ----a-w C:\WINDOWS\system32\ws2_32.dll
2007-04-30 19:25:35 99,840 ----a-w C:\WINDOWS\system32\mujyifrj.dll
2007-04-30 19:25:33 43,520 ----a-w C:\WINDOWS\system32\xgprqjcm.dll
2007-04-15 16:11:15 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-15 15:24:52 -------- d-----w C:\DOCUME~1\Mikey\APPLIC~1.\BitTorrent
2007-04-06 15:39:40 -------- d-----w C:\DOCUME~1\Mikey\APPLIC~1.\Neo-Modus.com
2007-04-05 05:44:34 -------- d-----w C:\DOCUME~1\Mikey\APPLIC~1.\Gaijin Ent
2007-03-30 05:24:05 1,168 ----a-w C:\WINDOWS\mozver.dat
2007-03-28 16:19:15 -------- d-----w C:\Program Files\Virus Chaser
2007-03-28 07:02:12 -------- d-----w C:\Program Files\RegCleaner
2007-03-22 19:50:15 3,532 ----a-w C:\drmHeader.bin
2007-03-20 03:11:34 -------- d-----w C:\Program Files\Maxis
2007-03-19 17:19:48 146,944 ----a-w C:\WINDOWS\system32\pwiykpuo.exe
2007-03-19 11:50:53 -------- d-----w C:\DOCUME~1\Mikey\APPLIC~1.\PlayFirst
2007-03-19 08:07:33 17,144 ----a-w C:\DOCUME~1\Mikey\APPLIC~1.\GDIPFONTCACHEV1.DAT
2007-03-15 02:04:21 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-03-15 00:15:42 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-15 00:10:30 -------- d-----w C:\Program Files\DAEMON Tools
2007-03-15 00:07:06 646,392 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-03-10 23:53:00 -------- d-----w C:\Program Files\Yahoo!
2007-03-08 17:39:53 -------- d-----w C:\Program Files\Rapid-Pi
2007-03-05 22:03:33 -------- d-----w C:\Program Files\BFG
2007-03-04 21:28:17 -------- d-----w C:\Program Files\Electronic Arts
2007-02-16 02:39:08 306 ----a-w C:\LSL7DOS.BAT
2007-02-06 02:47:17 298 ----a-w C:\WINDOWS\EReg072.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"RegistryMechanic"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32net
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\drvmgr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrssp

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="kdtpr.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\NetAssistant.lnk"
"backup"="C:\\WINDOWS\\pss\\NetAssistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\NETASS~1\\bin\\matcli.exe -boot"
"item"="NetAssistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mikey^Start Menu^Programs^Startup^MSWin--1696782548.exe]
"path"="C:\\Documents and Settings\\Mikey\\Start Menu\\Programs\\Startup\\MSWin--1696782548.exe"
"backup"="C:\\WINDOWS\\pss\\MSWin--1696782548.exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Mikey\\Start Menu\\Programs\\Startup\\MSWin--1696782548.exe"
"item"="MSWin--1696782548"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\-2057253927.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="-2057253927"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\-2057253927.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\drvdiag]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="drvconf"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\drvconf.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfoData]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="frikucev"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\System32\\frikucev.dll\",realset"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel system tool]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svehost"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\svehost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jrwqbaaa]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jrwqbaaa"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\jrwqbaaa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MotiveSB"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NETASS~1\\SMARTB~1\\MotiveSB.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Restore Operation]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svchots"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Mikey\\LOCALS~1\\Temp\\svchots.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunOnce2Upd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSWin--1696782548"
"hkey"="HKLM"
"command"="\"C:\\Documents and Settings\\Mikey\\Start Menu\\Programs\\Startup\\MSWin--1696782548.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StandardInstall]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysvx.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sysvx"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\sysvx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VaCtrls]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v7"
"hkey"="HKLM"
"command"="v7"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
imrjyxze


********************************************************************

detected NTDLL code modification:
ZwQueryDirectoryFile

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 14:34:12
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\kdtpr.exe 69632 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


********************************************************************

Completion time: 2007-05-04 14:37:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-04 14:37


And the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:42:24 PM, on 5/4/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mikey\Desktop\Exec\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {8D5849A2-93F3-429D-FF34-260A2068897C} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quartz.atkinson.yorku.ca/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/06d8536b...p/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c1/v15.582/qboax8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://blacks.pnimedia.com/upload/ac...pv2.0.0.9.cab?
O20 - Winlogon Notify: crypt32net - C:\WINDOWS\SYSTEM32\crypt32net.dll
O20 - Winlogon Notify: drvmgr - drvmgr32.dll (file missing)
O20 - Winlogon Notify: ssqrssp - ssqrssp.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Thank you again sUBs!! You are godly!!
exviper99 is offline  
Old 05-04-2007, 01:37 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Computer running very slow. Possible worm?

Easy Desk Utilities - Is this something you installed?



Before fixing anything, Please download the Suspicious File Packer → http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following list of filepaths into the Suspicious File Packer window:

C:\WINDOWS\system32\confdrv.dll
C:\WINDOWS\system32\rsrc32.dll
C:\WINDOWS\system32\drvstat.dll
C:\WINDOWS\system32\ldfksdioduihj.dll
C:\WINDOWS\system32\drvprf32.dll
C:\WINDOWS\system32\crypt32net.dll
C:\WINDOWS\system32\system32.exe
C:\WINDOWS\system32\scardrv.exe
C:\WINDOWS\system32\kernel.dll
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\ipv6mons.dll
C:\WINDOWS\system32\paiqvpji.dll
C:\WINDOWS\system32\mujyifrj.dll
C:\WINDOWS\system32\xgprqjcm.dll
C:\WINDOWS\system32\pwiykpuo.exe
C:\LSL7DOS.BAT


Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site → http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.


---------------


Open Notepad and copy/paste the text in the quotebox below into it:

Code:
@echo off
rem Build a .reg file that removes the malware autostart entries, import it silently, then delete it.
@(
echo.REGEDIT4&echo.
echo.[hkey_local_machine\software\microsoft\windows\currentversion\run]
echo."registrymechanic"=-
echo.[hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon]
echo."system"=""
echo.[-hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32net]
echo.[-hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify\drvmgr]
echo.[-hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrssp]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupfolder\c:^^documents and settings^^mikey^^start menu^^programs^^startup^^mswin--1696782548.exe]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\-2057253927.exe]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\drvdiag]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\infodata]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\intel system tool]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\jrwqbaaa]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\restore operation]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\runonce2upd]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\standardinstall]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\sysvx.exe]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\vactrls]
echo.[-hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{8d5849a2-93f3-429d-ff34-260a2068897c}]
echo.[-hkey_classes_root\clsid\{8d5849a2-93f3-429d-ff34-260a2068897c}]
)>fix.reg
regedit.exe /s fix.reg
del fix.reg
rem Pass each listed file to catchme, logging to ComboFix's quarantine folder, then delete it.
for %%g in (
C:\WINDOWS\system32\system32.exe
C:\WINDOWS\system32\scardrv.exe
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\pwiykpuo.exe
C:\LSL7DOS.BAT
C:\WINDOWS\System32\jrwqbaaa.exe
C:\WINDOWS\System32\sysvx.exe
C:\WINDOWS\System32\kdtpr.exe
C:\WINDOWS\System32\drvconf.exe
C:\DOCUME~1\Mikey\ie_updater.exe
) do if exist "%%~g" @(
	catchme -l \Qoobox\Quarantine\catchme.log -k "%%~g" >nul
	del /a/f "%%~g" 2>nul
	)
echo.Done !!
pause
exit
Save this as fix.bat. Choose "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run.


------------------


1. * IMPORTANT !!! Place combofix.exe on your Desktop

2. Go to → Run → paste in the single line command & click OK

Code:
"%userprofile%\desktop\combofix.exe" /v confdrv rsrc32 drvstat ldfksdioduihj drvprf32 crypt32net. paiqvpji mujyifrj xgprqjcm rikucev ipv6mons kernel frikucev
3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

sUBs is offline  
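Added example, not code from the thread or from HijackThis/ComboFix: a Python triage pass over HijackThis entries of the kind posted above. It collapses the repeated O10 LSP lines, flags the AppInit_DLLs, SSODL and Winlogon Notify hooks and the orphaned entries, and flags Run entries whose image name imitates a core Windows binary or starts from a scratch folder. The sample log is constructed from entry shapes in this thread's logs; the severity levels and the lookalike heuristic are the example's own assumptions.

```python
"""Triage a HijackThis 1.99-style log: flag the hook and autostart entries that
deserve a closer look. Heuristics to prioritise review, not a verdict."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample. Entry shapes and names mirror the logs posted in this thread
# (o.dll in the LSP chain, the AppInit_DLLs, SSODL and Winlogon Notify entries);
# the two lookalike Run lines are constructed for the example.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {8D5849A2-93F3-429D-FF34-260A2068897C} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKCU\..\Run: [Restore Operation] C:\DOCUME~1\Mikey\LOCALS~1\Temp\svchots.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\o.dll
O20 - AppInit_DLLs: confdrv.dll drvstat.dll
O20 - Winlogon Notify: crypt32net - C:\WINDOWS\SYSTEM32\crypt32net.dll
O20 - Winlogon Notify: drvmgr - drvmgr32.dll (file missing)
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\System32\xziex.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|bat))(?:"|\s|$)', re.I)
# Process names malware likes to imitate (svehost, svchots, ...).
CORE_BINARIES = ("smss", "csrss", "winlogon", "services", "lsass", "svchost",
                 "spoolsv", "explorer", "wuauclt", "rundll32")
# Folders an autostart image has no business living in.
SUSPECT_DIRS = ("\\temp\\", "\\start menu\\programs\\startup\\")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    kind: str       # HijackThis section, e.g. "O10"
    detail: str


def lookalike(name, known=CORE_BINARIES):
    """Core binary that `name` imitates: same length and either one character
    substituted or two adjacent characters swapped. None if no such match."""
    name = name.lower()
    for k in known:
        if len(name) != len(k) or name == k:
            continue
        d = [i for i, (x, y) in enumerate(zip(name, k)) if x != y]
        if len(d) == 1:
            return k
        if len(d) == 2 and d[1] == d[0] + 1 and name[d[0]] == k[d[1]] and name[d[1]] == k[d[0]]:
            return k
    return None


def image_of(cmd):
    """Executable path from a Run command line, quotes and arguments stripped."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().strip('"').split(" ")[0]


def triage(log_text):
    """Parse the log and return one Finding per entry worth reviewing."""
    findings, lsp = [], Counter()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            lsp[body.split(":", 1)[1].strip()] += 1   # one line per chain entry; collapse
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = ", ".join(body.split(":", 1)[1].split())
            if dlls:
                findings.append(Finding("high", kind, "AppInit_DLLs injected into every process that loads user32.dll: " + dlls))
        elif kind == "O20" and body.startswith("Winlogon Notify:"):
            pkg = body.split(":", 1)[1].strip()
            if pkg.endswith("(file missing)"):
                findings.append(Finding("medium", kind, "orphaned Winlogon Notify package: " + pkg))
            else:
                findings.append(Finding("high", kind, "Winlogon Notify package runs inside winlogon.exe: " + pkg))
        elif kind == "O21":
            findings.append(Finding("high", kind, "Shell Service Object loaded by Explorer at logon: " + body))
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append(Finding("low", kind, "orphaned BHO registration: " + body))
        elif kind == "O4" and (m4 := O4_RE.match(body)):
            path = image_of(m4.group("cmd"))
            name = re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]   # file name, no extension
            mimic = lookalike(name)
            if mimic:
                findings.append(Finding("high", kind, f"{path} imitates core binary {mimic}.exe"))
            elif any(d in path.lower() for d in SUSPECT_DIRS):
                findings.append(Finding("medium", kind, "autostart from a scratch folder: " + path))
    for path, n in lsp.items():
        findings.append(Finding("high", "O10", f"unrecognised Winsock LSP {path} (seen {n} times); it sees every socket call"))
    return findings


def summarize(findings):
    """Severity histogram for a quick read of how bad the log looks."""
    return Counter(f.severity for f in findings)
```

Run `triage(SAMPLE_LOG)` to list the findings and `summarize(...)` for the severity counts; feed it the text of a real log in place of the sample.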
Old 05-04-2007, 01:38 PM   #5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Computer running very slow. Possible worm?

This is to be performed after you have posted the required logs.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1 - http://java.sun.com/javase/downloads/index.jsp
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

sUBs is offline  
Old 05-04-2007, 11:45 PM   #6 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: xp


Re: Computer running very slow. Possible worm?

You're amazing again!

ComboFix 07-05.04.3.V - Running from: "C:\Documents and Settings\Mikey\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\kdtpr.exe


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-05 ))))))))))))))))))))))))))))))))))


2007-05-04 14:37 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-03 21:31 498,960 --a------ C:\WINDOWS\system32\dxmasf.dll
2007-05-03 21:31 251,904 --a------ C:\WINDOWS\system32\strmdll.dll
2007-05-03 02:04 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-03 01:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-02 17:51 <DIR> d-------- C:\Program Files\Symantec
2007-05-02 17:27 <DIR> d-------- C:\Program Files\CCleaner
2007-05-02 17:09 <DIR> d-------- C:\Program Files\RegistryFix
2007-05-02 16:58 89,360 --a------ C:\WINDOWS\system32\VB5DB.dll
2007-05-02 16:57 49,152 --ah----- C:\WINDOWS\system32\confdrv.dll
2007-05-02 16:57 24,576 --a------ C:\WINDOWS\system32\rsrc32.dll
2007-05-02 16:57 184,328 --ah----- C:\WINDOWS\system32\drvstat.dll
2007-05-02 16:57 <DIR> d-------- C:\Program Files\Easy Desk Utilities
2007-05-02 16:56 71,680 --a------ C:\WINDOWS\ST5UNST.EXE
2007-05-02 16:56 40,960 --a------ C:\WINDOWS\system32\VB5StKit.dll
2007-05-02 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-05-02 16:28 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-01 13:43 10,000 --a------ C:\WINDOWS\system32\ldfksdioduihj.dll
2007-05-01 06:18 53,248 --ah----- C:\WINDOWS\system32\drvprf32.dll
2007-05-01 06:17 9,728 --a------ C:\WINDOWS\system32\crypt32net.dll
2007-05-01 06:17 57,344 --a------ C:\WINDOWS\system32\system32.exe
2007-05-01 06:17 10,240 --a------ C:\WINDOWS\system32\kernel.dll
2007-04-05 02:44 <DIR> d-------- C:\DOCUME~1\Mikey\APPLIC~1\Gaijin Ent


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-03 20:25:57 124,416 ----a-w C:\WINDOWS\system32\paiqvpji.dll
2007-05-03 17:33:39 75,264 ----a-w C:\WINDOWS\system32\ws2_32.dll
2007-04-30 23:52:28 46,176 ----a-w C:\WINDOWS\system32\ipv6mons.dll
2007-04-30 19:25:35 99,840 ----a-w C:\WINDOWS\system32\mujyifrj.dll
2007-04-30 19:25:33 43,520 ----a-w C:\WINDOWS\system32\xgprqjcm.dll
2007-04-15 16:11:15 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-15 15:24:52 -------- d-----w C:\DOCUME~1\Mikey\APPLIC~1.\BitTorrent
2007-04-06 15:39:40 -------- d-----w C:\DOCUME~1\Mikey\APPLIC~1.\Neo-Modus.com
2007-04-06 05:29:13 -------- d-----w C:\Program Files\Age of Castles
2007-04-05 05:44:34 -------- d-----w C:\DOCUME~1\Mikey\APPLIC~1.\Gaijin Ent
2007-04-05 02:10:43 -------- d-----w C:\Program Files\Trymedia
2007-04-05 02:10:31 -------- d-----w C:\Program Files\Anarchy
2007-04-05 01:33:12 -------- d-----w C:\Program Files\ReflexiveArcade
2007-03-30 05:24:05 1,168 ----a-w C:\WINDOWS\mozver.dat
2007-03-28 16:19:15 -------- d-----w C:\Program Files\Virus Chaser
2007-03-28 07:02:12 -------- d-----w C:\Program Files\RegCleaner
2007-03-22 19:50:15 3,532 ----a-w C:\drmHeader.bin
2007-03-20 03:11:34 -------- d-----w C:\Program Files\Maxis
2007-03-19 11:50:53 -------- d-----w C:\DOCUME~1\Mikey\APPLIC~1.\PlayFirst
2007-03-19 08:07:33 17,144 ----a-w C:\DOCUME~1\Mikey\APPLIC~1.\GDIPFONTCACHEV1.DAT
2007-03-15 02:04:21 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-03-15 00:15:42 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-15 00:10:30 -------- d-----w C:\Program Files\DAEMON Tools
2007-03-15 00:07:06 646,392 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-03-10 23:53:00 -------- d-----w C:\Program Files\Yahoo!
2007-03-08 17:39:53 -------- d-----w C:\Program Files\Rapid-Pi
2007-03-05 22:03:33 -------- d-----w C:\Program Files\BFG
2007-02-06 02:47:17 298 ----a-w C:\WINDOWS\EReg072.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\NetAssistant.lnk"
"backup"="C:\\WINDOWS\\pss\\NetAssistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\NETASS~1\\bin\\matcli.exe -boot"
"item"="NetAssistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MotiveSB"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NETASS~1\\SMARTB~1\\MotiveSB.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
imrjyxze


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-05 02:40:50
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-05 2:42:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-05 02:42
C:\ComboFix2.txt ... 2007-05-04 14:37


Logfile of HijackThis v1.99.1
Scan saved at 2:44:35 AM, on 5/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mikey\Desktop\Exec\hijackthis\HijackThis.exe

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quartz.atkinson.yorku.ca/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/06d8536b...p/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c1/v15.582/qboax8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://blacks.pnimedia.com/upload/ac...pv2.0.0.9.cab?
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
exviper99 is offline  
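As an added triage aid (not part of this thread, and not how the helper built the list in the next post), the following Python script parses ComboFix "Files Created" and "Find3M Report" lines like the ones above and flags files directly under C:\WINDOWS\system32 that are hidden, carry a random-looking name, or borrow the name of a core Windows component. The three heuristics and the short KNOWN_FILES list are the editor's own assumptions; the sample lines are an excerpt of the log above.

```python
import re
from typing import List, NamedTuple, Tuple

# Both line shapes that appear in the ComboFix log above:
#   2007-05-02 16:57 49,152 --ah----- C:\WINDOWS\system32\confdrv.dll     (Files Created)
#   2007-05-03 20:25:57 124,416 ----a-w C:\WINDOWS\system32\paiqvpji.dll  (Find3M)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}(?::\d{2})?)\s+"
    r"(?P<size>[\d,]+|<DIR>|-+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>\S.*?)\s*$"
)


class Entry(NamedTuple):
    date: str
    time: str
    size: str
    attrs: str
    path: str


def parse_combofix(text: str) -> List[Entry]:
    """Return one Entry per file/directory line; banner and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


SYSTEM32_DIR = "c:\\windows\\system32"
# Eight or more lowercase letters and nothing else, the shape of the
# random names in the log above (paiqvpji.dll, xgprqjcm.dll). Assumed heuristic.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8,}\.(dll|exe|sys)$")
# Genuine component file names (assumed short list) and the stems that
# look-alike names borrow (kernel.dll next to kernel32.dll, crypt32net.dll next to crypt32.dll).
KNOWN_FILES = {"kernel32.dll", "crypt32.dll", "winlogon.exe", "svchost.exe"}
BORROWED_STEMS = {"kernel32", "crypt32", "winlogon", "svchost", "system32"}


def name_reasons(name: str, attrs: str) -> List[str]:
    """Reasons a system32 file deserves a look; an empty list means no flag."""
    reasons = []
    lname = name.lower()
    stem = lname.rsplit(".", 1)[0]
    if "h" in attrs:  # ComboFix attribute column: 'h' marks a hidden file
        reasons.append("hidden attribute")
    if RANDOM_NAME_RE.match(lname):
        reasons.append("random-looking name")
    if (lname not in KNOWN_FILES and len(stem) >= 4
            and any(s in stem or stem in s for s in BORROWED_STEMS)):
        reasons.append("borrows a Windows component name")
    return reasons


def triage(text: str) -> List[Tuple[str, str]]:
    """(path, reasons) for every flagged file directly under system32."""
    findings = []
    for e in parse_combofix(text):
        if e.size == "<DIR>" or e.attrs.startswith("d"):
            continue  # directories are out of scope for this check
        directory, _, name = e.path.rpartition("\\")
        if directory.lower() != SYSTEM32_DIR:
            continue
        reasons = name_reasons(name, e.attrs)
        if reasons:
            findings.append((e.path, "; ".join(reasons)))
    return findings


# Constructed excerpt of the ComboFix log posted above (both section formats).
SAMPLE_LOG = r"""
2007-05-03 21:31 498,960 --a------ C:\WINDOWS\system32\dxmasf.dll
2007-05-02 17:51 <DIR> d-------- C:\Program Files\Symantec
2007-05-02 16:57 49,152 --ah----- C:\WINDOWS\system32\confdrv.dll
2007-05-02 16:57 24,576 --a------ C:\WINDOWS\system32\rsrc32.dll
2007-05-02 16:57 184,328 --ah----- C:\WINDOWS\system32\drvstat.dll
2007-05-01 13:43 10,000 --a------ C:\WINDOWS\system32\ldfksdioduihj.dll
2007-05-01 06:17 9,728 --a------ C:\WINDOWS\system32\crypt32net.dll
2007-05-01 06:17 10,240 --a------ C:\WINDOWS\system32\kernel.dll
2007-05-03 20:25:57 124,416 ----a-w C:\WINDOWS\system32\paiqvpji.dll
2007-05-03 17:33:39 75,264 ----a-w C:\WINDOWS\system32\ws2_32.dll
2007-04-30 19:25:33 43,520 ----a-w C:\WINDOWS\system32\xgprqjcm.dll
2007-04-15 16:11:15 -------- d--h--w C:\Program Files\InstallShield Installation Information
"""

if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG):
        print(f"{path}  <-  {why}")
```

Files such as rsrc32.dll or ipv6mons.dll are not caught by these rules, so the output is a starting point for a reviewer, not a deletion list.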
Old 05-05-2007, 12:10 AM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Computer running very slow. Possible worm?

Have you updated Java yet? This next bit is to be performed after Java is updated & machine rebooted.


Open notepad and copy/paste the text in the quotebox below into it:

Code:
@echo off
rem Delete the files identified in the ComboFix log above.
rem del /a clears the hidden attribute so hidden files are removed too; /f forces read-only files.
for %%g in (
c:\windows\system32\confdrv.dll
c:\windows\system32\rsrc32.dll
c:\windows\system32\drvstat.dll
c:\windows\system32\ldfksdioduihj.dll
c:\windows\system32\drvprf32.dll
c:\windows\system32\crypt32net.dll
c:\windows\system32\paiqvpji.dll
c:\windows\system32\mujyifrj.dll
c:\windows\system32\xgprqjcm.dll
c:\windows\system32\rikucev.dll
c:\windows\system32\ipv6mons.dll
c:\windows\system32\kernel.dll
c:\windows\system32\frikucev.dll
) do del /a/f "%%~g" >nul 2>&1
rem Errors for files that are already gone are discarded by the redirection above.
echo.Done !!
pause
exit
Save this as fix.bat. Choose to "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run



After that, perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. We only require a report from it.
    It does not provide an option to clean/disinfect.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.



---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________

sUBs is offline  
Old 05-05-2007, 11:01 AM   #8 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: xp


Re: Computer running very slow. Possible worm?

Logfile of HijackThis v1.99.1
Scan saved at 1:58:00 PM, on 5/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Mikey\Desktop\Exec\hijackthis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quartz.atkinson.yorku.ca/qp2.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/06d8536b...p/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c1/v15.582/qboax8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://blacks.pnimedia.com/upload/ac...pv2.0.0.9.cab?
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 05, 2007 1:56:34 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/05/2007
Kaspersky Anti-Virus database records: 313377
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 76409
Number of viruses found: 35
Number of infected objects: 168 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:50:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Leo H\Local Settings\Temporary Internet Files\Content.IE5\WTEBG163\PopularScreenSaversFWBInitialSetup1.0.0.15[1].cab/f3Setup1.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.aw skipped
C:\Documents and Settings\Leo H\Local Settings\Temporary Internet Files\Content.IE5\WTEBG163\PopularScreenSaversFWBInitialSetup1.0.0.15[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mikey\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mikey\Desktop\Exec\hijackthis\backups\backup-20070405-000156-104.dll Infected: Trojan-Spy.Win32.BZub.ik skipped
C:\Documents and Settings\Mikey\Desktop\requested-files[2007-05-05_02_21].cab/C:/WINDOWS/system32/drvstat.dll Infected: Email-Worm.Win32.Warezov.nl skipped
C:\Documents and Settings\Mikey\Desktop\requested-files[2007-05-05_02_21].cab/C:/WINDOWS/system32/ldfksdioduihj.dll Infected: Trojan-Downloader.Win32.Small.ddx skipped
C:\Documents and Settings\Mikey\Desktop\requested-files[2007-05-05_02_21].cab/C:/WINDOWS/system32/drvprf32.dll Infected: Email-Worm.Win32.Warezov.nl skipped
C:\Documents and Settings\Mikey\Desktop\requested-files[2007-05-05_02_21].cab/C:/WINDOWS/system32/svehost.exe Infected: Trojan.Win32.Agent.kq skipped
C:\Documents and Settings\Mikey\Desktop\requested-files[2007-05-05_02_21].cab/C:/WINDOWS/system32/mujyifrj.dll Infected: Trojan.Win32.Delf.zj skipped
C:\Documents and Settings\Mikey\Desktop\requested-files[2007-05-05_02_21].cab CAB: infected - 5 skipped
C:\Documents and Settings\Mikey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mikey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mikey\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mikey\Local Settings\History\History.IE5\MSHist012007050520070506\index.dat Object is locked skipped
C:\Documents and Settings\Mikey\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mikey\ntuser.dat Object is locked skipped
C:\Documents and Settings\Mikey\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mikey\UserData\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cicpvscm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dqvnnxio.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ndis.sys.vir/EXE-file Infected: SpamTool.Win32.Agent.u skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ndis.sys.vir Embedded EXE: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ebctffjb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\frikucev.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hmfcgjdk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iekxiiai.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\irzzhnt.dll.vir Infected: Trojan.Win32.Agent.afg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kdtpr.exe.vir Infected: Trojan.Win32.DNSChanger.hg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\l.dll.vir Infected: Trojan.Win32.Agent.afg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lqdpfddm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\osafpjfe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\piweapeb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qdimnyln.dll.vir Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qlf.dll.vir Infected: Trojan.Win32.Agent.afg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rpcc1.dll.vir Infected: Trojan-Proxy.Win32.Dlena.cp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvnaeie.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtuts.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.iy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Infected: Trojan.Win32.Patched.m skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winupd_KB44105752.exe.vir Infected: Trojan-Downloader.Win32.Agent.bnr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winupd_KB57455861.exe.vir Infected: SpamTool.Win32.Agent.u skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winupd_KB80286011.exe.vir Infected: Trojan-Downloader.Win32.Agent.bnr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winupd_KB90188820.exe.vir/script.au3 Infected: Trojan-Downloader.Win32.AutoIt.k skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winupd_KB90188820.exe.vir AutoIt: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winupd_KB90188820.exe.vir UPX: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winupd_KB90188820.exe.vir PE_Patch.UPX: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winupd_KB91028387.exe.vir Infected: Trojan-Proxy.Win32.Agent.lp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winupd_KB92380205.exe.vir Infected: Trojan-Proxy.Win32.Agent.lp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wrxqmpbe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xujig.dll.vir Infected: Trojan.Win32.Agent.afg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xziex.dll.vir Infected: Backdoor.Win32.Agent.adr skipped
C:\QooBox\Quarantine\catchme2007-05-04_143325.03.zip/gqbrirkr.sys Infected: Trojan.Win32.Delf.zj skipped
C:\QooBox\Quarantine\catchme2007-05-04_143325.03.zip/dkkbdkk.dll Infected: Trojan-Clicker.Win32.Delf.hi skipped
C:\QooBox\Quarantine\catchme2007-05-04_143325.03.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP10\A0006835.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP10\A0006848.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP11\A0006864.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP11\A0007864.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP11\A0008864.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP12\A0009462.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP12\A0009486.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP13\A0009503.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP14\A0009530.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP14\A0009543.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP15\A0010543.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP16\A0010598.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP16\A0011598.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP16\A0011604.sys Infected: Rootkit.Win32.Agent.fa skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP18\A0012629.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP18\A0012647.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP19\A0012741.dll Infected: Trojan-Spy.Win32.BZub.ik skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP20\A0012788.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP21\A0012897.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP22\A0012934.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP26\A0013114.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP27\A0013177.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP28\A0013226.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP28\A0013237.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP29\A0013261.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP30\A0013271.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP31\A0014297.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP32\A0014317.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP32\A0014327.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP32\A0016353.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP33\A0018365.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP34\A0018404.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP35\A0019413.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP36\A0020438.dll Infected: Trojan.Win32.Delf.zj skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP37\A0020450.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP38\A0021466.dll Infected: Trojan-Clicker.Win32.Delf.hi skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP40\A0024476.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP41\A0024498.dll Infected: Trojan.Win32.Delf.zj skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP41\A0024499.dll Infected: Trojan.Win32.Delf.zj skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP41\A0026532.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP42\A0026566.exe Infected: SpamTool.Win32.Agent.u skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP42\A0026571.exe Infected: Trojan.Win32.Agent.kq skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP43\A0026599.exe Infected: SpamTool.Win32.Agent.u skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP43\A0026604.exe Infected: Trojan.Win32.Agent.kq skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP43\A0027611.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0027643.exe Infected: SpamTool.Win32.Agent.u skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0027648.exe Infected: Trojan.Win32.Agent.kq skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0027662.exe Infected: not-virus:Hoax.Win32.Renos.fi skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0028655.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0028673.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0028674.dll Infected: Email-Worm.Win32.Warezov.nl skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0028675.dll Infected: Email-Worm.Win32.Warezov.nl skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0028683.exe/stream/data0001/01.exe Infected: Trojan.Win32.DNSChanger.hg skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0028683.exe/stream/data0001 Infected: Trojan.Win32.DNSChanger.hg skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0028683.exe/stream Infected: Trojan.Win32.DNSChanger.hg skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0028683.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0028684.exe Infected: not-virus:Hoax.Win32.Renos.fi skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP45\A0028731.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP45\A0029731.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP45\A0030731.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0030767.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0031767.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0032767.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0032777.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033801.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033811.exe Infected: Trojan-Proxy.Win32.Xorpix.ar skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033812.exe Infected: Trojan-Proxy.Win32.Xorpix.ar skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033813.exe Infected: Trojan-Downloader.Win32.Small.ddp skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033814.dll Infected: Trojan-Spy.Win32.BZub.hx skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033815.dll Infected: Trojan-Spy.Win32.BZub.hx skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033816.exe Infected: Trojan.Win32.Pakes skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033817.exe Infected: Trojan.Win32.Pakes skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033818.dll Infected: Trojan.Win32.Pakes skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033820.exe Infected: Trojan-Downloader.Win32.Agent.bnf skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033821.exe Infected: Trojan-Downloader.Win32.Tiny.eu skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033822.exe Infected: Trojan-Downloader.Win32.Tiny.eu skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033823.exe Infected: Trojan-Downloader.Win32.Tiny.eu skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033824.exe Infected: Email-Worm.Win32.Warezov.jp skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033826.exe Infected: Trojan-Spy.Win32.BZub.hl skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033827.exe Infected: Trojan-Downloader.Win32.Small.eio skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033828.exe Infected: Trojan-Downloader.Win32.Small.eio skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033829.exe Infected: Backdoor.Win32.Small.na skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0033832.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041877.exe Infected: Trojan-Downloader.Win32.Agent.bnr skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041878.exe Infected: SpamTool.Win32.Agent.u skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041879.exe Infected: Trojan-Downloader.Win32.Agent.bnr skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041880.exe/script.au3 Infected: Trojan-Downloader.Win32.AutoIt.k skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041880.exe AutoIt: infected - 1 skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041880.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041880.exe PE_Patch.UPX: infected - 1 skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041881.exe Infected: Trojan-Proxy.Win32.Agent.lp skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041882.exe Infected: Trojan-Proxy.Win32.Agent.lp skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041883.dll Infected: Backdoor.Win32.Agent.adr skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041886.dll Infected: Trojan.Win32.Agent.afg skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041887.dll Infected: Trojan.Win32.Agent.afg skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041888.dll Infected: Trojan.Win32.Agent.afg skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041889.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041890.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041891.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041892.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041893.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041894.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041895.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041896.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041897.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041898.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041900.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041901.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041907.dll Infected: Trojan-Proxy.Win32.Dlena.cp skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041908.sys/EXE-file Infected: SpamTool.Win32.Agent.u skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041908.sys Embedded EXE: infected - 1 skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041910.exe Infected: Trojan.Win32.Patched.m skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041911.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.iy skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP5\A0001348.exe Infected: Trojan.Win32.Patched.g skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP5\A0002348.exe Infected: Trojan.Win32.Patched.g skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP50\A0043131.exe Infected: Trojan.Win32.DNSChanger.hg skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP52\A0043280.dll Infected: Email-Worm.Win32.Warezov.nl skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP52\A0043282.dll Infected: Email-Worm.Win32.Warezov.nl skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP52\A0043283.dll Infected: Trojan-Downloader.Win32.Small.ddx skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP52\A0043284.dll Infected: Email-Worm.Win32.Warezov.nl skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP52\A0043286.dll Infected: Trojan.Win32.Delf.zj skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP52\change.log Object is locked skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP6\A0004348.exe Infected: Trojan.Win32.Patched.g skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP7\A0006379.exe Infected: Trojan.Win32.Patched.m skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C9499127-F7FE-46CE-8536-92037ECCE9E7}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\lpt2.lla Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\ukjka1.dll Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
exviper99 is offline  
Old 05-05-2007, 11:07 AM   #9 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: xp


Re: Computer running very slow. Possible worm?

Oh, almost forgot: the system is running great so far! The only problem is that now in IE pictures don't load; it just shows the gif or jpeg image (not sure which one).
Thank you so much SUB, I'm in your debt.
exviper99 is offline  
Old 05-05-2007, 11:12 AM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Computer running very slow. Possible worm?

Quote:
C:\WINDOWS\ukjka1.dll
C:\WINDOWS\system32\lpt2.lla
Yucks!! Where did these crawl out from?

Let's see if we can get them with a quick kill.


Download the Gromozon rootkit removal tool & save it to Desktop:

http://pcalsicuro.phpsoft.it/FixGrom.exe

http://aknow.prevx.com/zeroL/FixGrom.exe

Double-click to run it & follow the prompts.

If an infection is found, it shall reboot your machine & produce a log at C:\armada_log

sUBs is offline  
Old 05-05-2007, 11:32 AM   #11 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: xp


Re: Computer running very slow. Possible worm?

The file wasn't under armada, but under C:\gromozon_removal...

Removal tool loaded into memory
Removing ADS stream: C:\WINDOWS\System32:tiua.dll:$DATA
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Program Files\Common Files
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\ukjka1.dll
Removed!


Trojan.Gromozon Removed!

Logfile of HijackThis v1.99.1
Scan saved at 2:31:40 PM, on 5/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mikey\Desktop\Exec\hijackthis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quartz.atkinson.yorku.ca/qp2.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/06d8536b...p/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c1/v15.582/qboax8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://blacks.pnimedia.com/upload/ac...pv2.0.0.9.cab?
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
exviper99 is offline  
Old 05-05-2007, 11:36 AM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Computer running very slow. Possible worm?

Quote:
C:\WINDOWS\ukjka1.dll
C:\WINDOWS\system32\lpt2.lla
Quote:
Removal tool loaded into memory
Removing ADS stream: C:\WINDOWS\System32:tiua.dll:$DATA
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Program Files\Common Files
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\ukjka1.dll
Removed!
Hmm... it made no mention of C:\WINDOWS\system32\lpt2.lla.

Please check if the file still exists.

sUBs is offline  
Old 05-05-2007, 11:42 AM   #13 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: xp


Re: Computer running very slow. Possible worm?

Yes, it still exists.
exviper99 is offline  
Old 05-05-2007, 11:44 AM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Computer running very slow. Possible worm?

Have you tried deleting it?

sUBs is offline  
Old 05-05-2007, 11:50 AM   #15 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: xp


Re: Computer running very slow. Possible worm?

Haha!! It doesn't let me... it says: "cannot delete lpts.lla: cannot find the specified file. Make sure you specify the correct path and filename."
exviper99 is offline  
Old 05-05-2007, 11:51 AM   #16 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Computer running very slow. Possible worm?

Open notepad and copy/paste the text in the quotebox below into it:

Code:
@echo off
swxcacls \\?\C:\WINDOWS\system32\lpt2.lla /p /ge:f /q
del /a/f \\?\C:\WINDOWS\system32\lpt2.lla
pause
exit
Save this as fix.bat. Choose "Save type as - All Files".
It should look like this:
Double-click on fix.bat & allow it to run.

sUBs is offline  
Old 05-05-2007, 11:53 AM   #17 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: xp


Re: Computer running very slow. Possible worm?

done

Logfile of HijackThis v1.99.1
Scan saved at 2:52:31 PM, on 5/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mikey\Desktop\Exec\hijackthis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quartz.atkinson.yorku.ca/qp2.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/06d8536b...p/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c1/v15.582/qboax8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://blacks.pnimedia.com/upload/ac...pv2.0.0.9.cab?
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
exviper99 is offline  
Old 05-05-2007, 11:57 AM   #18 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Computer running very slow. Possible worm?

Have you done a visible check to see if it's gone?

Please delete these:

C:\Documents and Settings\Leo H\Local Settings\Temporary Internet Files\Content.IE5\WTEBG163\PopularScreenSaversFWBInitialSetup1.0.0.15[1].cab
C:\Documents and Settings\Mikey\Desktop\Exec\hijackthis\backups\backup-20070405-000156-104.dll
C:\Documents and Settings\Mikey\Desktop\requested-files[2007-05-05_02_21].cab
C:\QooBox\Quarantine\

sUBs is offline  
Old 05-05-2007, 12:02 PM   #19 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: xp


Re: Computer running very slow. Possible worm?

kk deleted them all manually
exviper99 is offline  
Old 05-05-2007, 12:10 PM   #20 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Computer running very slow. Possible worm?

Considering the amount of nasties we have uncovered so far, I feel it would be wise if you were to perform another online scan, but with a different vendor.

Before doing so, let's clear the nasties that are lurking in System Restore's cache. That way the next scan wouldn't take so long.

Go to Start → Run → type control sysdm.cpl,,4 & press Enter
  • Tick the checkbox - Turn off System Restore on all drives
  • Click Apply
  • Turn it back 'On' by unticking the same checkbox & click OK


When that's done, please perform an online scan using Internet Explorer at this website - http://www.bitdefender.com/scan8/ie.html

We only need it to scan just the C:\Windows folders.

Once finished, click on the Details button to view the results.
To the upper right of the results you will see an option saying "Click here to export the scan results". Post the log of the scan results in your next reply.

sUBs is offline  
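As an added example (not sUBs's or the forum's code), a small Python triage of the scan-log format posted earlier in this thread: it separates hits inside System Restore snapshots (_restore{...}\RPnn\, which the System Restore toggle above flushes in one go) from live files and locked objects, and skips the archive summary lines whose members are already listed individually. The sample lines are taken from that log.

```python
import re
from collections import defaultdict

# Lines taken from the Kaspersky-style scan log posted earlier in this thread.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0028674.dll Infected: Email-Worm.Win32.Warezov.nl skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0028683.exe/stream/data0001/01.exe Infected: Trojan.Win32.DNSChanger.hg skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0028683.exe/stream/data0001 Infected: Trojan.Win32.DNSChanger.hg skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0028683.exe/stream Infected: Trojan.Win32.DNSChanger.hg skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP44\A0028683.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041908.sys/EXE-file Infected: SpamTool.Win32.Agent.u skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP46\A0041908.sys Embedded EXE: infected - 1 skipped
C:\System Volume Information\_restore{038F3331-9F23-4504-808E-53FCE2E22D15}\RP52\change.log Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\lpt2.lla Object is locked skipped
C:\WINDOWS\ukjka1.dll Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped
""".strip().splitlines()

# A restore-point snapshot path: <drive>:\System Volume Information\_restore{GUID}\RPnn\...
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[^}]+\}\\(RP\d+)\\", re.IGNORECASE
)
# Archive summary line: "<path> <unpacker>: infected - <n>" (unpacker may contain a space).
CONTAINER_RE = re.compile(r"^(?P<path>.+?\.\w+) (?P<packer>[^\\/:]+): infected - (?P<n>\d+)$")


def parse_line(line):
    """Return {'path', 'kind', 'detection'} for one log line, or None if it is not a scan entry."""
    if not line.endswith(" skipped"):
        return None
    body = line[: -len(" skipped")]
    if body.endswith(" Object is locked"):
        return {"path": body[: -len(" Object is locked")], "kind": "locked", "detection": None}
    if " Infected: " in body:
        path, detection = body.rsplit(" Infected: ", 1)
        return {"path": path, "kind": "infected", "detection": detection}
    m = CONTAINER_RE.match(body)
    if m:
        return {"path": m["path"], "kind": "container",
                "detection": f"{m['packer']} ({m['n']} members)"}
    return None


def on_disk(path):
    """Strip the inner-archive part ('.../A0028683.exe/stream/...') to the file on disk."""
    return path.split("/", 1)[0]


def triage(lines):
    """Group detections into restore-point snapshots vs live files; list locked objects."""
    restore_files = defaultdict(set)   # RPnn -> distinct infected files in that snapshot
    live = {}                          # on-disk path -> set of detection names
    locked = []
    for raw in lines:
        entry = parse_line(raw.strip())
        if entry is None:
            continue
        if entry["kind"] == "locked":
            locked.append(entry["path"])
            continue
        if entry["kind"] == "container":
            continue                   # members were already reported one by one
        disk_path = on_disk(entry["path"])
        m = RESTORE_RE.match(disk_path)
        if m:
            restore_files[m.group(1)].add(disk_path)
        else:
            live.setdefault(disk_path, set()).add(entry["detection"])
    return {
        "restore_points": {rp: len(files) for rp, files in restore_files.items()},
        "live": {p: sorted(d) for p, d in live.items()},
        "locked": locked,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Flushed by the System Restore toggle:", result["restore_points"])
    print("Live files needing action:", result["live"])
    print("Locked objects not scanned:", len(result["locked"]))
```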
 






All times are GMT -7. The time now is 03:23 PM.



Copyright 2001 - 2009, Tech Support Forum