
Active win32/tenga.gen virus - it took over

Discussion in 'Malware and Virus Removal Archive' started by tigerdistr, 2008/12/19.

  1. 2008/12/23
    tigerdistr

    tigerdistr Inactive Thread Starter

    Joined:
    2008/12/19
    Messages:
    46
    Likes Received:
    0
    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP301\snapshot

    2008-12-10 10:24 28,672 _REGISTRY_MACHINE_SAM
    2008-12-10 10:24 45,056 _REGISTRY_MACHINE_SECURITY
    2008-12-10 10:24 29,425,664 _REGISTRY_MACHINE_SOFTWARE
    2008-12-10 10:24 4,911,104 _REGISTRY_MACHINE_SYSTEM
    2008-12-10 10:24 241,664 _REGISTRY_USER_.DEFAULT
    2008-12-10 10:24 241,664 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-10 10:24 229,376 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-10 10:24 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-10 10:24 4,386,816 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-10 10:24 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-10 10:24 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-10 10:24 909,312 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP302\snapshot

    2008-12-11 13:56 28,672 _REGISTRY_MACHINE_SAM
    2008-12-11 13:56 45,056 _REGISTRY_MACHINE_SECURITY
    2008-12-11 13:56 29,425,664 _REGISTRY_MACHINE_SOFTWARE
    2008-12-11 13:56 4,911,104 _REGISTRY_MACHINE_SYSTEM
    2008-12-11 13:56 241,664 _REGISTRY_USER_.DEFAULT
    2008-12-11 13:56 241,664 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-11 13:56 229,376 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-11 13:56 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-11 13:56 4,399,104 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-11 13:56 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-11 13:56 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-11 13:56 909,312 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP303\snapshot

    2008-12-12 09:52 28,672 _REGISTRY_MACHINE_SAM
    2008-12-12 09:52 45,056 _REGISTRY_MACHINE_SECURITY
    2008-12-12 09:52 29,425,664 _REGISTRY_MACHINE_SOFTWARE
    2008-12-12 09:52 4,911,104 _REGISTRY_MACHINE_SYSTEM
    2008-12-12 09:52 241,664 _REGISTRY_USER_.DEFAULT
    2008-12-12 09:52 241,664 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-12 09:52 229,376 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-12 09:52 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-12 09:52 4,399,104 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-12 09:52 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-12 09:52 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-12 09:52 909,312 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP304\snapshot

    2008-12-12 09:53 28,672 _REGISTRY_MACHINE_SAM
    2008-12-12 09:53 45,056 _REGISTRY_MACHINE_SECURITY
    2008-12-12 09:53 29,425,664 _REGISTRY_MACHINE_SOFTWARE
    2008-12-12 09:53 4,911,104 _REGISTRY_MACHINE_SYSTEM
    2008-12-12 09:53 241,664 _REGISTRY_USER_.DEFAULT
    2008-12-12 09:53 241,664 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-12 09:53 229,376 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-12 09:53 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-12 09:53 4,399,104 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-12 09:53 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-12 09:53 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-12 09:53 1,060,864 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP305\snapshot

    2008-12-15 10:19 28,672 _REGISTRY_MACHINE_SAM
    2008-12-15 10:19 45,056 _REGISTRY_MACHINE_SECURITY
    2008-12-15 10:19 29,425,664 _REGISTRY_MACHINE_SOFTWARE
    2008-12-15 10:19 4,927,488 _REGISTRY_MACHINE_SYSTEM
    2008-12-15 10:19 405,504 _REGISTRY_USER_.DEFAULT
    2008-12-15 10:19 405,504 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-15 10:19 233,472 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-15 10:19 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-15 10:19 4,435,968 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-15 10:19 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-15 10:19 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-15 10:19 1,060,864 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP306\snapshot

    2008-12-15 17:21 28,672 _REGISTRY_MACHINE_SAM
    2008-12-15 17:21 45,056 _REGISTRY_MACHINE_SECURITY
    2008-12-15 17:21 29,425,664 _REGISTRY_MACHINE_SOFTWARE
    2008-12-15 17:21 4,927,488 _REGISTRY_MACHINE_SYSTEM
    2008-12-15 17:21 405,504 _REGISTRY_USER_.DEFAULT
    2008-12-15 17:21 405,504 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-15 17:21 233,472 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-15 17:21 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-15 17:21 4,456,448 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-15 17:21 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-15 17:21 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-15 17:21 1,060,864 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP307\snapshot

    2008-12-16 13:00 28,672 _REGISTRY_MACHINE_SAM
    2008-12-16 13:00 45,056 _REGISTRY_MACHINE_SECURITY
    2008-12-16 13:00 29,425,664 _REGISTRY_MACHINE_SOFTWARE
    2008-12-16 13:00 4,943,872 _REGISTRY_MACHINE_SYSTEM
    2008-12-16 13:00 405,504 _REGISTRY_USER_.DEFAULT
    2008-12-16 13:00 405,504 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-16 13:00 233,472 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-16 13:00 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-16 13:00 4,489,216 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-16 13:00 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-16 13:00 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-16 13:00 1,060,864 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP308\snapshot

    2008-12-16 16:30 28,672 _REGISTRY_MACHINE_SAM
    2008-12-16 16:30 45,056 _REGISTRY_MACHINE_SECURITY
    2008-12-16 16:30 29,941,760 _REGISTRY_MACHINE_SOFTWARE
    2008-12-16 16:30 4,976,640 _REGISTRY_MACHINE_SYSTEM
    2008-12-16 16:30 405,504 _REGISTRY_USER_.DEFAULT
    2008-12-16 16:30 405,504 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-16 16:30 233,472 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-16 16:30 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-16 16:30 4,521,984 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-16 16:30 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-16 16:30 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-16 16:30 1,060,864 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP309\snapshot

    2008-12-18 15:13 28,672 _REGISTRY_MACHINE_SAM
    2008-12-18 15:13 45,056 _REGISTRY_MACHINE_SECURITY
    2008-12-18 15:13 29,941,760 _REGISTRY_MACHINE_SOFTWARE
    2008-12-18 15:13 4,960,256 _REGISTRY_MACHINE_SYSTEM
    2008-12-18 15:13 405,504 _REGISTRY_USER_.DEFAULT
    2008-12-18 15:13 405,504 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-18 15:13 233,472 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-18 15:13 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-18 15:13 4,521,984 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-18 15:13 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-18 15:13 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-18 15:13 1,060,864 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP310\snapshot

    2008-12-19 19:20 28,672 _REGISTRY_MACHINE_SAM
    2008-12-19 19:20 45,056 _REGISTRY_MACHINE_SECURITY
    2008-12-19 19:20 29,941,760 _REGISTRY_MACHINE_SOFTWARE
    2008-12-19 19:20 4,960,256 _REGISTRY_MACHINE_SYSTEM
    2008-12-19 19:20 405,504 _REGISTRY_USER_.DEFAULT
    2008-12-19 19:20 405,504 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-19 19:20 233,472 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-19 19:20 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-19 19:20 4,567,040 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-19 19:20 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-19 19:20 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-19 19:20 1,060,864 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP311\snapshot

    2008-12-20 20:27 28,672 _REGISTRY_MACHINE_SAM
    2008-12-20 20:27 45,056 _REGISTRY_MACHINE_SECURITY
    2008-12-20 20:27 29,941,760 _REGISTRY_MACHINE_SOFTWARE
    2008-12-20 20:27 4,960,256 _REGISTRY_MACHINE_SYSTEM
    2008-12-20 20:27 405,504 _REGISTRY_USER_.DEFAULT
    2008-12-20 20:27 405,504 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-20 20:27 233,472 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-20 20:27 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-20 20:27 4,567,040 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-20 20:27 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-20 20:27 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-20 20:27 1,060,864 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP312\snapshot

    2008-12-21 21:15 28,672 _REGISTRY_MACHINE_SAM
    2008-12-21 21:15 45,056 _REGISTRY_MACHINE_SECURITY
    2008-12-21 21:15 29,941,760 _REGISTRY_MACHINE_SOFTWARE
    2008-12-21 21:15 4,960,256 _REGISTRY_MACHINE_SYSTEM
    2008-12-21 21:15 405,504 _REGISTRY_USER_.DEFAULT
    2008-12-21 21:15 405,504 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-21 21:15 233,472 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-21 21:15 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-21 21:15 4,567,040 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-21 21:15 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-21 21:15 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-21 21:15 1,060,864 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP313\snapshot

    2008-12-22 23:37 28,672 _REGISTRY_MACHINE_SAM
    2008-12-22 23:37 45,056 _REGISTRY_MACHINE_SECURITY
    2008-12-22 23:37 29,941,760 _REGISTRY_MACHINE_SOFTWARE
    2008-12-22 23:37 4,960,256 _REGISTRY_MACHINE_SYSTEM
    2008-12-22 23:37 405,504 _REGISTRY_USER_.DEFAULT
    2008-12-22 23:37 405,504 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-22 23:37 233,472 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-22 23:37 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-22 23:37 4,579,328 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-22 23:37 507,904 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-500
    2008-12-22 23:37 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-22 23:37 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-22 23:37 1,060,864 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP314\snapshot

    2008-12-22 23:43 28,672 _REGISTRY_MACHINE_SAM
    2008-12-22 23:43 49,152 _REGISTRY_MACHINE_SECURITY
    2008-12-22 23:43 29,941,760 _REGISTRY_MACHINE_SOFTWARE
    2008-12-22 23:43 4,960,256 _REGISTRY_MACHINE_SYSTEM
    2008-12-22 23:43 405,504 _REGISTRY_USER_.DEFAULT
    2008-12-22 23:43 405,504 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-22 23:43 233,472 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-22 23:43 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-22 23:43 4,579,328 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-22 23:43 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-22 23:43 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-22 23:43 1,060,864 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP315\snapshot

    2008-12-23 00:29 28,672 _REGISTRY_MACHINE_SAM
    2008-12-23 00:29 49,152 _REGISTRY_MACHINE_SECURITY
    2008-12-23 00:29 29,941,760 _REGISTRY_MACHINE_SOFTWARE
    2008-12-23 00:29 4,960,256 _REGISTRY_MACHINE_SYSTEM
    2008-12-23 00:29 405,504 _REGISTRY_USER_.DEFAULT
    2008-12-23 00:29 405,504 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-23 00:29 233,472 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-23 00:29 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-23 00:29 4,579,328 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-23 00:29 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-23 00:29 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-23 00:29 1,069,056 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP316\snapshot

    2008-12-23 01:07 28,672 _REGISTRY_MACHINE_SAM
    2008-12-23 01:07 49,152 _REGISTRY_MACHINE_SECURITY
    2008-12-23 01:07 29,941,760 _REGISTRY_MACHINE_SOFTWARE
    2008-12-23 01:07 4,960,256 _REGISTRY_MACHINE_SYSTEM
    2008-12-23 01:07 405,504 _REGISTRY_USER_.DEFAULT
    2008-12-23 01:07 405,504 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-23 01:07 233,472 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-23 01:07 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-23 01:07 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-23 01:07 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP317\snapshot

    2008-12-23 12:11 28,672 _REGISTRY_MACHINE_SAM
    2008-12-23 12:11 49,152 _REGISTRY_MACHINE_SECURITY
    2008-12-23 12:11 29,941,760 _REGISTRY_MACHINE_SOFTWARE
    2008-12-23 12:11 4,976,640 _REGISTRY_MACHINE_SYSTEM
    2008-12-23 12:11 405,504 _REGISTRY_USER_.DEFAULT
    2008-12-23 12:11 405,504 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-23 12:11 233,472 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-23 12:11 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-23 12:11 4,599,808 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-23 12:11 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-23 12:11 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-23 12:11 1,069,056 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003

    Directory of C:\system volume information\_restore{EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP318\snapshot

    2008-12-23 12:16 28,672 _REGISTRY_MACHINE_SAM
    2008-12-23 12:16 49,152 _REGISTRY_MACHINE_SECURITY
    2008-12-23 12:16 29,941,760 _REGISTRY_MACHINE_SOFTWARE
    2008-12-23 12:16 4,960,256 _REGISTRY_MACHINE_SYSTEM
    2008-12-23 12:16 405,504 _REGISTRY_USER_.DEFAULT
    2008-12-23 00:29 405,504 _REGISTRY_USER_NTUSER_S-1-5-18
    2008-12-23 12:16 233,472 _REGISTRY_USER_NTUSER_S-1-5-19
    2008-12-23 12:16 229,376 _REGISTRY_USER_NTUSER_S-1-5-20
    2008-12-23 12:16 4,579,328 _REGISTRY_USER_NTUSER_S-1-5-21-527237240-413027322-682003330-1003
    2008-12-23 12:16 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    2008-12-23 12:16 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    2008-12-23 12:16 1,069,056 _REGISTRY_USER_USRCLASS_S-1-5-21-527237240-413027322-682003330-1003
     
  2. 2008/12/23
    tigerdistr

    tigerdistr Inactive Thread Starter

    Joined:
    2008/12/19
    Messages:
    46
    Likes Received:
    0
    Volume in drive C has no label.
    Volume Serial Number is A8AF-C179

    Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

    2008-12-16 12:43 26,112 userinit.exe
    1 File(s) 26,112 bytes

    Directory of C:\WINDOWS\system32

    2008-12-16 12:48 24,576 olduserinit.exe
    2008-12-16 12:48 24,576 userinit(2).exe
    2008-12-16 12:48 24,576 userinit.exe
    2008-12-15 17:21 24,576 userinit.exe.old.exe
    4 File(s) 98,304 bytes

    Directory of C:\WINDOWS\system32\dllcache

    2008-12-16 12:48 24,576 userinit.exe
    1 File(s) 24,576 bytes
    Volume in drive C has no label.
    Volume Serial Number is A8AF-C179

    Directory of C:\WINDOWS\$hf_mig$\KB890859\SP2QFE

    2008-12-16 12:28 2,056,832 ntkrnlpa.exe
    1 File(s) 2,056,832 bytes

    Directory of C:\WINDOWS\$hf_mig$\KB931784\SP2QFE

    2008-12-16 12:30 2,059,392 ntkrnlpa.exe
    1 File(s) 2,059,392 bytes

    Directory of C:\WINDOWS\$hf_mig$\KB956841\SP2QFE

    2008-12-16 12:32 2,062,976 ntkrnlpa.exe
    1 File(s) 2,062,976 bytes

    Directory of C:\WINDOWS\$hf_mig$\KB956841\SP3GDR

    2008-12-16 12:32 2,066,048 ntkrnlpa.exe
    1 File(s) 2,066,048 bytes

    Directory of C:\WINDOWS\$hf_mig$\KB956841\SP3QFE

    2008-12-16 12:32 2,066,048 ntkrnlpa.exe
    1 File(s) 2,066,048 bytes

    Directory of C:\WINDOWS\$NtUninstallKB890859$

    2008-12-16 12:32 2,015,232 ntkrnlpa.exe
    1 File(s) 2,015,232 bytes

    Directory of C:\WINDOWS\$NtUninstallKB931784$

    2008-12-16 12:33 2,015,232 ntkrnlpa.exe
    2005-03-01 18:34 2,056,832 ntkrnlpa.exe.000
    2 File(s) 4,072,064 bytes

    Directory of C:\WINDOWS\$NtUninstallKB956841$

    2008-12-16 12:34 2,015,744 ntkrnlpa.exe
    2007-02-28 02:38 2,057,600 ntkrnlpa.exe.000
    2 File(s) 4,073,344 bytes

    Directory of C:\WINDOWS\Driver Cache\i386

    2008-12-16 12:35 2,057,728 ntkrnlpa.exe
    1 File(s) 2,057,728 bytes

    Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

    2008-12-16 12:41 2,065,792 ntkrnlpa.exe
    1 File(s) 2,065,792 bytes

    Directory of C:\WINDOWS\system32

    2008-12-16 12:46 2,057,728 ntkrnlpa(2).exe
    2008-12-16 12:46 2,057,728 ntkrnlpa.exe
    2008-12-16 12:50 2,015,744 ntkrnlpa.exe.old.exe
    2008-12-16 12:46 2,057,728 oldntkrnlpa.exe
    4 File(s) 8,188,928 bytes

    Directory of C:\WINDOWS\system32\dllcache

    2008-12-16 12:46 2,057,728 ntkrnlpa.exe
    1 File(s) 2,057,728 bytes
    Volume in drive C has no label.
    Volume Serial Number is A8AF-C179

    Directory of C:\WINDOWS\erdnt

    2008-12-22 23:42 <DIR> .
    2008-12-22 23:42 <DIR> ..
    2008-12-22 23:39 110 CFrecovery.bat
    2008-12-23 12:16 <DIR> Hiv-backup
    2008-12-22 23:39 <DIR> subs
    1 File(s) 110 bytes

    Directory of C:\WINDOWS\erdnt\Hiv-backup

    2008-12-23 12:16 <DIR> .
    2008-12-23 12:16 <DIR> ..
    2008-12-23 01:04 405,504 default
    2008-12-23 01:04 673 ERDNT.CON
    2005-10-20 20:02 163,328 ERDNT.EXE
    2008-12-23 01:04 1,241 ERDNT.INF
    2000-08-31 08:00 2,815 ERDNTDOS.LOC
    2000-08-31 08:00 3,275 ERDNTWIN.LOC
    2008-12-23 01:04 28,672 SAM
    2008-12-23 01:04 49,152 SECURITY
    2008-12-23 01:04 29,941,760 software
    2008-12-23 01:04 4,960,256 system
    2008-12-23 12:16 <DIR> Users
    10 File(s) 35,556,676 bytes

    Directory of C:\WINDOWS\erdnt\Hiv-backup\Users

    2008-12-23 12:16 <DIR> .
    2008-12-23 12:16 <DIR> ..
    2008-12-23 01:04 <DIR> 00000001
    2008-12-23 01:04 <DIR> 00000002
    2008-12-23 01:04 <DIR> 00000003
    2008-12-23 01:04 <DIR> 00000004
    2008-12-23 01:04 <DIR> 00000005
    2008-12-23 01:04 <DIR> 00000006
    0 File(s) 0 bytes

    Directory of C:\WINDOWS\erdnt\Hiv-backup\Users\00000001

    2008-12-23 01:04 <DIR> .
    2008-12-23 01:04 <DIR> ..
    2008-12-23 01:04 229,376 NTUSER.DAT
    1 File(s) 229,376 bytes

    Directory of C:\WINDOWS\erdnt\Hiv-backup\Users\00000002

    2008-12-23 01:04 <DIR> .
    2008-12-23 01:04 <DIR> ..
    2008-12-23 01:04 8,192 UsrClass.dat
    1 File(s) 8,192 bytes

    Directory of C:\WINDOWS\erdnt\Hiv-backup\Users\00000003

    2008-12-23 01:04 <DIR> .
    2008-12-23 01:04 <DIR> ..
    2008-12-23 01:04 233,472 NTUSER.DAT
    1 File(s) 233,472 bytes

    Directory of C:\WINDOWS\erdnt\Hiv-backup\Users\00000004

    2008-12-23 01:04 <DIR> .
    2008-12-23 01:04 <DIR> ..
    2008-12-23 01:04 8,192 UsrClass.dat
    1 File(s) 8,192 bytes

    Directory of C:\WINDOWS\erdnt\Hiv-backup\Users\00000005

    2008-12-23 01:04 <DIR> .
    2008-12-23 01:04 <DIR> ..
    2008-12-23 01:04 4,583,424 NTUSER.DAT
    1 File(s) 4,583,424 bytes

    Directory of C:\WINDOWS\erdnt\Hiv-backup\Users\00000006

    2008-12-23 01:04 <DIR> .
    2008-12-23 01:04 <DIR> ..
    2008-12-23 01:04 1,069,056 UsrClass.dat
    1 File(s) 1,069,056 bytes

    Directory of C:\WINDOWS\erdnt\subs

    2008-12-22 23:39 <DIR> .
    2008-12-22 23:39 <DIR> ..
    2008-12-22 23:39 405,504 default
    2008-12-22 23:39 673 ERDNT.CON
    2005-10-20 20:02 163,328 ERDNT.EXE
    2008-12-22 23:39 460 ERDNT.INF
    2000-08-31 08:00 2,815 ERDNTDOS.LOC
    2000-08-31 08:00 3,275 ERDNTWIN.LOC
    2008-12-22 23:39 28,672 SAM
    2008-12-22 23:39 49,152 SECURITY
    2008-12-22 23:39 29,941,760 software
    2008-12-22 23:39 4,960,256 system
    10 File(s) 35,555,895 bytes

    Total Files Listed:
    27 File(s) 77,244,393 bytes
    29 Dir(s) 31,975,342,080 bytes free
     
  4. 2008/12/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    FCopy::
    C:\WINDOWS\system32\userinit.exe.old.exe|C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\system32\ntkrnlpa.exe.old.exe|C:\WINDOWS\system32\ntkrnlpa.exe
    SCopy::
    {EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP312\snapshot\_REGISTRY_MACHINE_SAM|C:\WINDOWS\erdnt\Hiv-backup\SAM
    {EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP312\snapshot\_REGISTRY_MACHINE_SECURITY|C:\WINDOWS\erdnt\Hiv-backup\SECURITY
    {EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP312\snapshot\_REGISTRY_MACHINE_SOFTWARE|C:\WINDOWS\erdnt\Hiv-backup\software
    {EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP312\snapshot\_REGISTRY_MACHINE_SYSTEM|C:\WINDOWS\erdnt\Hiv-backup\system
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. Force it to return to safe mode upon reboot and log on to the same account. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
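    The FCopy lines above only make sense because several spare copies of userinit.exe and ntkrnlpa.exe exist on the machine, and deciding which copy to trust is what the Sigcheck block of the ComboFix log (posted in the next reply) is for: it lists an MD5 for every copy of each system binary. The Python script below is an added example for this thread, not the thread's own output and not part of ComboFix. It parses Sigcheck-style lines (the sample is copied from that log), takes the copy in system32\dllcache as the reference, since that is where Windows File Protection on XP keeps its protected copy, and reports every other copy as matching, differing, or differing inside an update-staging directory ($hf_mig$, $NtUninstall*, SoftwareDistribution), where a different patch level legitimately gives a different hash. The verdict names and that staging-directory list are the example's own heuristics.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List, NamedTuple

# Sigcheck lines copied from the ComboFix log in this thread. The dates, sizes,
# md5 values and paths are the thread's; only the checking logic is added here.
SIGCHECK = r"""
2008-12-16 12:28 2056832 5b797c5886f48052dde03f64e75db57d c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2008-12-16 12:30 2059392 380fe122fcc67a9267b1907d5e37e8ec c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2008-12-16 12:32 2062976 424f5fc62babaed3d31fb092bf3f7b70 c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
2008-12-16 12:32 2066048 a342760981da0cdda16a7e0ee03da9a1 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
2008-12-16 12:32 2066048 3bba442c7c119c46de872588424138c3 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2008-12-16 12:32 2015232 0cfdbb53381e4b5a448c3e1325d85391 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
2008-12-16 12:33 2015232 19c057e30a8e97ab9b2910b404e4a2b7 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
2008-12-16 12:34 2015744 e5df359a53cdb413e85dabbb824b751c c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-12-16 12:35 2057728 9c1e4e1677ea176ad658a253d2825de2 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-12-16 12:41 2065792 b92fc7b561ac49c615d5326434a38906 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
2008-12-16 12:50 2015744 80e62f8bfaf10bb2339a4fa607181291 c:\windows\system32\ntkrnlpa.exe
2008-12-16 12:46 2057728 9c1e4e1677ea176ad658a253d2825de2 c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-16 12:39 15360 dc518243eaa8e11df93787d3de51ef43 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
2008-12-16 12:44 15360 2cb1074f1669edc027431fe93cfeed11 c:\windows\system32\ctfmon.exe
2008-12-16 12:44 15360 2cb1074f1669edc027431fe93cfeed11 c:\windows\system32\dllcache\ctfmon.exe
2008-12-16 12:43 111104 fc402a483f8989da1079acb251701f19 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wuauclt.exe
"""

# One Sigcheck line: date, time, size, 32-hex md5, path (path may contain spaces).
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) ([0-9a-f]{32}) (.+)$")

# Directories where Windows stages other builds of the same binary (hypothetical
# heuristic list for this example, not something ComboFix defines).
STAGING_DIRS = ("$hf_mig$", "softwaredistribution")


class Entry(NamedTuple):
    date: str
    time: str
    size: int
    md5: str
    path: PureWindowsPath


def parse_sigcheck(text: str) -> List[Entry]:
    """Parse Sigcheck-style lines; blank lines are skipped, anything else must match."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised Sigcheck line: {line!r}")
        date, time, size, md5, path = m.groups()
        entries.append(Entry(date, time, int(size), md5.lower(), PureWindowsPath(path)))
    return entries


def is_update_staging(path: PureWindowsPath) -> bool:
    """True if the copy lives in a hotfix/uninstall/download directory."""
    return any(
        p.lower() in STAGING_DIRS or p.lower().startswith("$ntuninstall")
        for p in path.parts
    )


def check_against_dllcache(text: str) -> Dict[str, Dict[str, str]]:
    """For each binary, compare every copy's md5 with the copy in dllcache (WFP's cache)."""
    by_name = defaultdict(list)
    for e in parse_sigcheck(text):
        by_name[e.path.name.lower()].append(e)

    report: Dict[str, Dict[str, str]] = {}
    for name, copies in by_name.items():
        ref = next((c for c in copies if c.path.parent.name.lower() == "dllcache"), None)
        verdicts = {}
        for c in copies:
            if ref is None:
                verdict = "no-reference"          # nothing protected to compare against
            elif c.md5 == ref.md5:
                verdict = "match"
            elif is_update_staging(c.path):
                verdict = "differs-staging"       # another patch level, expected
            else:
                verdict = "differs"               # live copy disagrees with WFP cache
            verdicts[str(c.path)] = verdict
        report[name] = verdicts
    return report


def suspicious_copies(text: str) -> List[str]:
    """Paths whose hash disagrees with dllcache outside any staging directory."""
    return sorted(
        path
        for verdicts in check_against_dllcache(text).values()
        for path, verdict in verdicts.items()
        if verdict == "differs"
    )


if __name__ == "__main__":
    for name, verdicts in check_against_dllcache(SIGCHECK).items():
        print(name)
        for path, verdict in verdicts.items():
            print(f"  {verdict:16} {path}")
    print("needs a closer look:", suspicious_copies(SIGCHECK))
```

    A "differs" verdict is a lead, not a conviction: the live copy may simply be a different build than the cached one (the sizes in the sample differ too), so the next step is to compare file versions and signatures of the two copies rather than to act on the hash alone.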
  5. 2008/12/23
    tigerdistr

    tigerdistr Inactive Thread Starter

    Joined:
    2008/12/19
    Messages:
    46
    Likes Received:
    0
    ComboFix 08-12-23.01 - Tigerdistrict3 2008-12-23 19:54:58.6 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.1524 [GMT -6:00]
    Running from: c:\documents and settings\Tigerdistrict3\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Tigerdistrict3\Desktop\CFScript.txt
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    --------------- FCopy ---------------

    c:\windows\system32\userinit.exe.old.exe --> c:\windows\system32\userinit.exe
    c:\windows\system32\ntkrnlpa.exe.old.exe --> c:\windows\system32\ntkrnlpa.exe
    .
    --------------- SCopy ---------------

    {EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP312\snapshot\_REGISTRY_MACHINE_SAM --> c:\windows\erdnt\Hiv-backup\SAM
    {EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP312\snapshot\_REGISTRY_MACHINE_SECURITY --> c:\windows\erdnt\Hiv-backup\SECURITY
    {EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP312\snapshot\_REGISTRY_MACHINE_SOFTWARE --> c:\windows\erdnt\Hiv-backup\software
    {EF3E3770-DEBF-4738-9B04-5A708A1D6E4A}\RP312\snapshot\_REGISTRY_MACHINE_SYSTEM --> c:\windows\erdnt\Hiv-backup\system
    .
    ((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
    .

    2008-12-23 14:48 . 2008-12-23 14:48 664 --a------ c:\windows\system32\d3d9caps.dat
    2008-12-22 20:18 . 2008-12-22 20:18 <DIR> d-------- c:\documents and settings\Tigerdistrict3\DoctorWeb
    2008-12-22 19:48 . 2008-12-22 19:48 <DIR> d-------- C:\rsit
    2008-12-22 19:48 . 2008-12-23 12:34 <DIR> d-------- c:\program files\trend micro
    2008-12-16 16:31 . 2008-12-16 16:31 <DIR> d-------- c:\program files\iTunes
    2008-12-16 16:31 . 2008-12-16 16:31 <DIR> d-------- c:\program files\iPod
    2008-12-16 16:31 . 2008-12-16 16:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-12-16 15:10 . 2008-12-16 15:10 <DIR> d-------- c:\program files\WinZip Self-Extractor
    2008-12-16 15:10 . 2008-12-16 15:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZipSE
    2008-12-16 13:01 . 2008-12-16 13:17 <DIR> d-------- c:\program files\Webtools
    2008-12-16 13:01 . 2008-12-16 13:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-12-16 13:00 . 2008-12-16 13:30 <DIR> d-------- c:\program files\SUPERAntiSpyware
    2008-12-16 13:00 . 2008-12-16 13:00 <DIR> d-------- c:\documents and settings\Tigerdistrict3\Application Data\SUPERAntiSpyware.com
    2008-12-16 12:57 . 2008-12-16 12:57 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-12-15 18:00 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
    2008-12-15 17:59 . 2008-12-15 17:59 <DIR> d-------- c:\program files\Panda Security
    2008-12-15 17:25 . 2008-12-23 12:17 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-15 17:21 . 2008-12-15 17:21 <DIR> d-------- c:\program files\ESET
    2008-12-15 17:21 . 2008-12-15 17:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
    2008-12-15 17:21 . 2008-01-07 14:29 352 --ah----- c:\windows\nod32fixtemdono.reg
    2008-12-12 09:57 . 2008-12-12 09:56 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
    2008-12-12 09:55 . 2008-12-12 16:59 <DIR> d-------- c:\documents and settings\Tigerdistrict3\.housecall6.6
    2008-12-12 09:54 . 2008-12-12 09:54 <DIR> d-------- c:\windows\Sun
    2008-12-12 09:53 . 2008-12-12 09:53 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-12 09:53 . 2008-12-12 09:53 73,728 --a------ c:\windows\system32\javacpl.cpl
    2008-12-12 09:52 . 2008-12-12 09:52 <DIR> d-------- c:\program files\Java
    2008-12-10 11:35 . 2008-12-10 11:35 <DIR> d-------- c:\program files\ClamWin
    2008-12-10 11:35 . 2008-12-10 11:36 <DIR> d-------- c:\documents and settings\Tigerdistrict3\Application Data\.clamwin
    2008-12-10 11:35 . 2008-12-10 11:35 <DIR> d-------- c:\documents and settings\All Users\.clamwin

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-23 06:40 --------- d-----w c:\program files\Mozilla Thunderbird
    2008-12-23 05:39 57,856 ----a-w c:\windows\system32\spoolsv.exe
    2008-12-16 18:51 98,304 ----a-w c:\windows\system32\verifier.exe
    2008-12-16 18:50 95,744 ----a-w c:\windows\system32\scardsvr.exe
    2008-12-16 18:49 9,728 ----a-w c:\windows\system32\label.exe
    2008-12-16 18:48 83,456 ----a-w c:\windows\system32\dpvsetup.exe
    2008-12-16 18:48 81,920 ----a-w c:\windows\system32\dns-sd.exe
    2008-12-16 18:48 58,368 ----a-w c:\windows\system32\driverquery.exe
    2008-12-16 18:48 4,608 ----a-w c:\windows\system32\dllhst3g.exe
    2008-12-16 18:48 30,208 ----a-w c:\windows\system32\dplaysvr.exe
    2008-12-16 18:48 24,576 ----a-w c:\windows\system32\userinit(2).exe
    2008-12-16 18:48 24,576 ----a-w c:\windows\system32\olduserinit.exe
    2008-12-16 18:48 224,768 ----a-w c:\windows\system32\dmadmin.exe
    2008-12-16 18:48 18,432 ----a-w c:\windows\system32\dpnsvr.exe
    2008-12-16 18:48 15,872 ----a-w c:\windows\system32\dmremote.exe
    2008-12-16 18:48 10,752 ----a-w c:\windows\system32\doskey.exe
    2008-12-16 18:46 2,057,728 ----a-w c:\windows\system32\oldntkrnlpa.exe
    2008-12-16 18:46 2,057,728 ----a-w c:\windows\system32\ntkrnlpa(2).exe
    2008-12-16 18:43 98,304 ----a-w c:\windows\system32\ahui.exe
    2008-12-16 18:38 99,840 ----a-w c:\windows\pchealth\helpctr\binaries\HelpHost.exe
    2008-12-16 18:38 9,716,736 ----a-w c:\windows\RTLCPL.EXE
    2008-12-16 18:38 768,512 ----a-w c:\windows\pchealth\helpctr\binaries\HelpCtr.exe
    2008-12-16 18:38 743,936 ----a-w c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
    2008-12-16 18:38 69,120 ----a-w c:\windows\NOTEPAD.EXE
    2008-12-16 18:38 35,328 ----a-w c:\windows\pchealth\helpctr\binaries\notiflag.exe
    2008-12-16 18:38 18,944 ----a-w c:\windows\pchealth\helpctr\binaries\HscUpd.exe
    2008-12-16 18:38 16,857,088 ----a-w c:\windows\RTHDCPL.EXE
    2008-12-16 18:38 158,208 ----a-w c:\windows\pchealth\helpctr\binaries\msconfig.exe
    2008-12-16 18:38 150,528 ----a-w c:\windows\pchealth\UploadLB\Binaries\UploadM.exe
    2008-12-16 18:38 146,432 ----a-w c:\windows\regedit.exe
    2008-12-16 18:38 1,826,816 ----a-w c:\windows\SkyTel.exe
    2008-12-16 18:38 1,191,936 ----a-w c:\windows\RtlUpd.exe
    2008-12-16 18:37 306,688 ----a-w c:\windows\IsUninst.exe
    2008-12-16 18:37 2,166,784 ----a-w c:\windows\MicCal.exe
    2008-12-16 18:35 376,832 ----a-w c:\windows\Help\Tours\mmTour\tour.exe
    2008-12-16 18:35 315,392 ----a-w c:\windows\HideWin.exe
    2008-12-16 18:35 10,752 ----a-w c:\windows\hh.exe
    2008-12-16 18:34 2,810,880 ----a-w c:\windows\ALCWZRD.EXE
    2008-12-16 18:22 --------- d-----w c:\program files\WinSCP
    2008-12-16 18:21 --------- d-----w c:\program files\Windows Media Connect 2
    2008-12-16 18:21 --------- d-----w c:\program files\SystemRequirementsLab
    2008-12-16 18:21 --------- d-----w c:\program files\Safari
    2008-12-16 18:20 --------- d-----w c:\program files\QuickTime
    2008-12-16 18:19 --------- d-----w c:\program files\MiniRingtone
    2008-12-16 18:13 --------- d-----w c:\program files\Free PDF to Word Doc Converter
    2008-12-16 18:11 --------- d-----w c:\program files\Bonjour
    2008-12-15 23:21 69,632 ----a-w c:\windows\ALCMTR.EXE
    2008-12-15 23:21 514,560 ----a-w c:\windows\system32\logonui.exe
    2008-12-15 23:21 28,672 ----a-w c:\windows\system32\verclsid.exe
    2008-12-15 23:21 24,576 ----a-w c:\windows\system32\userinit.exe
    2008-12-15 23:21 24,576 ------w c:\windows\system32\userinit.exe.old.exe
    2008-12-15 23:21 13,824 ----a-w c:\windows\system32\wscntfy.exe
    2008-12-15 23:21 1,626,112 ----a-w c:\windows\system32\nwiz.exe
    2008-10-27 18:25 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-10-27 18:25 --------- d-----w c:\program files\Macromedia
    2008-10-27 18:25 --------- d-----w c:\program files\Common Files\Macromedia
    2008-10-27 18:22 --------- d-----w c:\program files\Common Files\InstallShield
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    .

    ------- Sigcheck -------

    2008-12-16 12:28 2056832 5b797c5886f48052dde03f64e75db57d c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
    2008-12-16 12:30 2059392 380fe122fcc67a9267b1907d5e37e8ec c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
    2008-12-16 12:32 2062976 424f5fc62babaed3d31fb092bf3f7b70 c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
    2008-12-16 12:32 2066048 a342760981da0cdda16a7e0ee03da9a1 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
    2008-12-16 12:32 2066048 3bba442c7c119c46de872588424138c3 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
    2008-12-16 12:32 2015232 0cfdbb53381e4b5a448c3e1325d85391 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
    2008-12-16 12:33 2015232 19c057e30a8e97ab9b2910b404e4a2b7 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
    2008-12-16 12:34 2015744 e5df359a53cdb413e85dabbb824b751c c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
    2008-12-16 12:35 2057728 9c1e4e1677ea176ad658a253d2825de2 c:\windows\Driver Cache\i386\ntkrnlpa.exe
    2008-12-16 12:41 2065792 b92fc7b561ac49c615d5326434a38906 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
    2008-12-16 12:50 2015744 80e62f8bfaf10bb2339a4fa607181291 c:\windows\system32\ntkrnlpa.exe
    2008-12-16 12:46 2057728 9c1e4e1677ea176ad658a253d2825de2 c:\windows\system32\dllcache\ntkrnlpa.exe

    2008-12-16 12:39 15360 dc518243eaa8e11df93787d3de51ef43 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
    2008-12-16 12:44 15360 2cb1074f1669edc027431fe93cfeed11 c:\windows\system32\ctfmon.exe
    2008-12-16 12:44 15360 2cb1074f1669edc027431fe93cfeed11 c:\windows\system32\dllcache\ctfmon.exe

    2008-12-16 12:43 111104 fc402a483f8989da1079acb251701f19 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wuauclt.exe
    2008-12-16 12:52 44032 0292ee448a4a0320e7b2fd10f55e2ebc c:\windows\system32\wuauclt.exe
    2008-12-16 12:48 44032 0292ee448a4a0320e7b2fd10f55e2ebc c:\windows\system32\dllcache\wuauclt.exe

    2008-12-16 12:43 26112 f4d702df576bd1d5fa72a136aea55834 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
    2008-12-15 17:21 24576 803a55be9692f0baae0f92861a3cb992 c:\windows\system32\userinit.exe
    2008-12-16 12:48 24576 46285550f7effb78c2e7679e5b0c7670 c:\windows\system32\dllcache\userinit.exe
    .
    ((((((((((((((((((((((((((((( snapshot@2008-12-22_23.42.17.10 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-26 07:24:28 124,928 ----a-w c:\windows\system32\advpack(2).dll
    + 2008-12-23 07:07:04 405,504 ----a-w c:\windows\system32\config\systemprofile\ntuser.dat
    + 2008-12-16 18:50:12 2,015,744 ------w c:\windows\system32\ntkrnlpa.exe.old.exe
    + 2008-12-23 18:17:17 980,964 ----a-w c:\windows\system32\Restore\rstrlog.dat
    + 2008-08-26 07:24:30 105,984 ----a-w c:\windows\system32\url(2).dll
    + 2008-08-26 07:24:31 1,159,680 ----a-w c:\windows\system32\urlmon(2).dll
    + 2008-08-26 07:24:31 826,368 ----a-w c:\windows\system32\wininet(2).dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-12-16 15360]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-16 1809648]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-12-16 24064]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-12-15 34304]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-15 413696]
    "ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-12-16 86016]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 131072]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "nwiz"="nwiz.exe" [2008-12-15 c:\windows\system32\nwiz.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2008-12-16 c:\windows\RTHDCPL.EXE]

    c:\documents and settings\Tigerdistrict3\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 91648]
    Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-09-26 368640]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2007-12-17 1114112]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]
    UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2007-12-13 65536]
    UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2007-12-12 31744]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-16 13:30 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\UPS\\WSTD\\MSSQL$UPSWSDBSERVER\\Binn\\sqlservr.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\WinSCP\\WinSCP.exe"=
    "c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1434:UDP"= 1434:UDP:UDP 1434

    R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 33800]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-15 28544]
    S1 dxgthkk;dxgthkk;c:\windows\system32\drivers\dxgthkk.sys []
    S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-28 8944]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
    S2 ekrn;Eset Service; "c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2007-12-21 468224]
    S2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER []
    S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
    S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER []
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-12-15 17:21]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {96BC7991-4CCF-45F0-A081-F882F6B55DD4} = 205.152.132.23
    FF - ProfilePath - c:\documents and settings\Tigerdistrict3\Application Data\Mozilla\Firefox\Profiles\pj0whox7.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

    ATTENTION: FIREFOX POLICES IS IN FORCE
    FF - user.js: yahoo.homepage.dontask - true.

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-23 19:56:12
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(784)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    Completion time: 2008-12-23 19:56:44
    ComboFix-quarantined-files.txt 2008-12-24 01:56:37
    ComboFix2.txt 2008-12-23 06:30:45
    ComboFix3.txt 2008-12-23 05:45:05
    ComboFix4.txt 2008-12-23 05:42:36

    Pre-Run: 31,972,429,824 bytes free
    Post-Run: 31,892,291,584 bytes free

    249 --- E O F --- 2008-11-12 23:04:01
     
  6. 2008/12/23
    noahdfear

    Great! Now, please see if the computer will boot in normal mode. If not, please reboot back to safe mode and let me know. Please do not attempt to do anything else just yet.
     
  7. 2008/12/23
    tigerdistr

    It worked! It worked!

    Now what would you like me to do?
     
  8. 2008/12/23
    noahdfear

    Please upload the following files to my submission channel for analysis. Leave a link back to this topic.

    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\system32\ntkrnlpa.exe

    Thanks!
     
  9. 2008/12/23
    noahdfear

    Please do an online scan with Kaspersky Online Scanner

    • Click Accept when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Post the Kaspersky log here.
     
  10. 2008/12/23
    tigerdistr

    I have submitted them.
     
  11. 2008/12/23
    tigerdistr

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Tuesday, December 23, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Tuesday, December 23, 2008 23:45:14
    Records in database: 1506241
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    I:\

    Scan statistics:
    Files scanned: 55345
    Threat name: 3
    Infected objects: 3
    Suspicious objects: 0
    Duration of the scan: 00:48:57


    File name / Threat name / Threats count
    C:\Qoobox\Quarantine\C\WINDOWS\system32\rsqaoldj.dll.vir Infected: Trojan.Win32.Monder.acop 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\symant.dll.vir Infected: Trojan-Downloader.Win32.BHO.aeh 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\xgocppyo.dll.vir Infected: Trojan.Win32.Monder.abwi 1

    The selected area was scanned.
     
  12. 2008/12/23
    noahdfear

    Looks great! Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.
    You can delete any other tools and logs that were created/saved too.

    Now, I checked the files you submitted. Though they appear OK and the version seems correct, given that they fail sigcheck and their MD5s do not match properly, I would recommend you install Service Pack 3 on that machine, which should update those files as well. Before doing so, I would also recommend the following procedure, which will only help to ensure there are no conflicts while installing SP3.


    This procedure is documented on the Microsoft.com website for resetting registry and system file permissions, as well as default security descriptors.

    Download and install SubInACL from Microsoft.

    Close out all other programs and open windows.

    Highlight and copy the contents of the code box below.
    Code:
    rem Run from the SubInACL install folder (the installer's default path)
    cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
    rem Reset ownership and ACLs on the main registry hives
    subinacl /subkeyreg HKEY_LOCAL_MACHINE\Software /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    subinacl /subkeyreg HKEY_LOCAL_MACHINE\System /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    subinacl /subkeyreg HKEY_CURRENT_USER /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    subinacl /subkeyreg HKEY_CLASSES_ROOT /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    rem Give Administrators and SYSTEM full control of the system drive and the Windows folder
    subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
    subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
    rem Reapply the default security template shipped in the repair folder
    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window.
    Right click in the command window and select paste.
    It will take a while for the commands to process, so please be patient.
    The command window should close on its own when finished.
    Reboot for the changes to take effect.


    Once you have that all done, you should be good to go.
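Added example, not part of the thread and not ComboFix's or the helper's own code: a small Python script that does offline what was done by hand here with the log in post 5 and the note above about sigcheck and MD5s. It parses the Sigcheck section and flags any system32 binary whose MD5 differs from the copy Windows File Protection keeps in dllcache, and it flags the Security Center overrides, the disabled firewall and the globally opened port from the Reg Loading Points section. The sample log is constructed from a few lines of the posted one; the section-boundary handling and the registry checks are my assumptions about ComboFix's output format, not documented ComboFix behaviour.

```python
"""Triage a ComboFix log offline (added example; not ComboFix's own code)."""
import re
from collections import defaultdict

# Constructed sample, abridged from the format of the log posted in the thread.
SAMPLE_LOG = r"""------- Sigcheck -------

2008-12-16 12:50 2015744 80e62f8bfaf10bb2339a4fa607181291 c:\windows\system32\ntkrnlpa.exe
2008-12-16 12:46 2057728 9c1e4e1677ea176ad658a253d2825de2 c:\windows\system32\dllcache\ntkrnlpa.exe

2008-12-16 12:44 15360 2cb1074f1669edc027431fe93cfeed11 c:\windows\system32\ctfmon.exe
2008-12-16 12:44 15360 2cb1074f1669edc027431fe93cfeed11 c:\windows\system32\dllcache\ctfmon.exe

2008-12-15 17:21 24576 803a55be9692f0baae0f92861a3cb992 c:\windows\system32\userinit.exe
2008-12-16 12:48 24576 46285550f7effb78c2e7679e5b0c7670 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-12-16 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1434:UDP"= 1434:UDP:UDP 1434
"""

# "date time size md5 path", the shape of each Sigcheck entry in the log (assumed format)
SIGCHECK_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+) ([0-9a-fA-F]{32}) (.+)$")
SYSTEM32 = "c:\\windows\\system32\\"
DLLCACHE = SYSTEM32 + "dllcache\\"


def parse_sigcheck(log):
    """Map file name -> {full path: (size, md5)} for the Sigcheck section."""
    copies = defaultdict(dict)
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("------- Sigcheck"):
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break  # the next ComboFix section header ends Sigcheck
        m = SIGCHECK_LINE.match(line) if in_section else None
        if m:
            size, md5, path = int(m.group(1)), m.group(2).lower(), m.group(3).lower()
            copies[path.rsplit("\\", 1)[-1]][path] = (size, md5)
    return copies


def mismatched_system_files(copies):
    """File names whose live system32 copy differs by MD5 from the dllcache copy."""
    flagged = []
    for name, paths in copies.items():
        live, cached = paths.get(SYSTEM32 + name), paths.get(DLLCACHE + name)
        if live and cached and live[1] != cached[1]:
            flagged.append(name)
    return sorted(flagged)


def weakened_settings(log):
    """Registry values in the log that suppress or disable built-in defenses."""
    findings = []
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        if key is None or not line.startswith('"'):
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"').strip()  # tolerates the '"Name "=' spacing seen in pasted logs
        value = value.strip().lower()
        lname = name.lower()
        if key.endswith("security center") and lname in ("antivirusoverride", "updatesdisablenotify"):
            if value.startswith("dword:") and int(value[6:], 16) != 0:
                findings.append(f"{name}=1: Security Center warning suppressed")
        elif key.endswith("firewallpolicy\\standardprofile") and lname == "enablefirewall":
            if value.split()[:1] == ["0"]:
                findings.append("EnableFirewall=0: Windows Firewall disabled")
        elif key.endswith("globallyopenports\\list"):
            findings.append(f"port {name} opened to all remote hosts")
    return findings


def triage(log):
    """Both checks together; keys name the finding class."""
    return {
        "md5_mismatch_vs_dllcache": mismatched_system_files(parse_sigcheck(log)),
        "weakened_settings": weakened_settings(log),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("  -", item)
```

On the constructed sample this reports ntkrnlpa.exe and userinit.exe as out of step with dllcache, and four weakened settings. A caveat: an MD5 difference between system32 and dllcache is a lead, not proof of tampering. A hotfix can legitimately leave the two copies at different versions, and a file infector can hit both copies, so the decisive check is the Authenticode or catalog signature, which is why failing sigcheck and submitting the files for analysis carry more weight in this thread than the hash comparison alone.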
     
  13. 2008/12/23
    tigerdistr

    Should I install Service Pack 3 before or after copying the contents of that box into the cmd?
     
  14. 2008/12/23
    noahdfear

    Do the permissions reset (SubInACL procedure) first, then install SP3 after rebooting.
     
  15. 2008/12/23
    tigerdistr

    Is it weird that all I had to do was bring up the command window and right click, and everything started happening? I didn't have to click on paste, but just press the right click button.

    Also, was there anything else I needed to do to Computer2 or is it fine?

    I'm having some issues with the original computer we started with earlier (at the very beginning). Every time I try to install the Service Pack 3 for it, it shuts down in the middle and says it has to rollback everything. Any ideas?
     
  16. 2008/12/23
    noahdfear

    Do the SubInACL procedure on that computer as well. If still having trouble, try shutting down the antivirus while installing.

    The command window behavior is odd, and you're not the first I've heard of it recently. Can't say I know the cause but it does give me something to research. ;)

    I believe comp 2 was good. I'll have to look back and see. Will let you know if it is otherwise.
     
  17. 2008/12/24
    tigerdistr

    On Computer 1, it still keeps messing up when I try to install the Service Pack 3. The screen turns blue with the message "Setup was interrupted, restoring prior configuration" with dots scrolling like a status indicator.

    I did the SubInACL and shut down the antivirus. Any other thoughts?
     
  18. 2008/12/24
    noahdfear

    Make sure ALL security software is shut down, such as real-time monitoring (if equipped) in Spyware Doctor and SuperAntiSpyware. Best to just end the process on all non-essential processes too.
     
  19. 2008/12/24
    tigerdistr

    Are there any resources I can check out to determine which processes are non-essentials?

    Let me know, and I'll try this in the morning.

    Thanks for everything so far!
     
  20. 2008/12/24
    noahdfear

    For the most part, processes running as System, Local Service and Network Service are essential.

    Google is your best resource ;)
     
  21. 2008/12/29
    tigerdistr

    I still can't get Computer 1 to install Service Pack 3. I've got through the Windows website where it determines what my computer needs, and I've downloaded the SP3 file. Neither one works.

    I noticed that NOD32 picked up some virus activity while I was away from my computer. It seems to have attacked several times within just a few minutes on two different occasions. I ran a Dr. Web scan, and here's the log -

    Process.exe;C:\Documents and Settings\TigerDistrict2;Tool.Prockill;;
    InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably DLOADER.Trojan;;


    It looks like the same files from the beginning. What should I do?

    Also, I'm having some weird problems with my Quickbooks POS software that's never happened until this virus started. The error that occurs when I try to reinstall it says:

    Error Create Firewall Rule(s)!

    Cannot execute a program. The command being executed was "c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\TigerDistrict2\Local Settings\Temp\ip6d5xti.cmdline".
    at System.CodeDom.Compiler.Executor.ExecWaitWithCaptureUnimpersonated(SafeUserTokenHandle userToken, String cmd, String currentDir, TempFileCollection tempFiles, String& outputName, String& errorName, String trueCmdLine)
    at System.CodeDom.Compiler.Executor.ExecWaitWithCapture(SafeUserTokenHandle userToken, String cmd, String currentDir, TempFileCollection tempFiles, String& outputName, String& errorName, String trueCmdLine)
    at Microsoft.CSharp.CSharpCodeGenerator.Compile(CompilerParameters options, String compilerDirectory, String compilerExe, String arguments, String& outputFile, Int32& nativeReturnValue, String trueArgs)
    at Microsoft.CSharp.CSharpCodeGenerator.FromFileBatch(CompilerParameters options, String[] fileNames)
    at Microsoft.CSharp.CSharpCodeGenerator.FromSourceBatch(CompilerParameters options, String[] sources)
    at Microsoft.CSharp.CSharpCodeGenerator.System.CodeDom.Compiler.ICodeCompiler.CompileAssemblyFromSourceBatch(CompilerParameters options, String[] sources)
    at System.CodeDom.Compiler.CodeDomProvider.CompileAssemblyFromSource(CompilerParameters options, String[] sources)
    at System.Xml.Serialization.Compiler.Compile(Assembly parent, String ns, XmlSerializerCompilerParameters xmlParameters, Evidence evidence)
    at System.Xml.Serialization.TempAssembly.GenerateAssembly(XmlMapping[] xmlMappings, Type[] types, String defaultNamespace, Evidence evidence, XmlSerializerCompilerParameters parameters, Assembly assembly, Hashtable assemblies)
    at System.Xml.Serialization..ctor(XmlMapping[] xmlMappings, Type[] types, String defaultNamespace, String location, Evidence evidence)
    at System.Xml.Serialization.GenerateTempAssembly(XmlMapping xmlMapping, Type type, String defaultNamespace)
    at System.Xml.Serialization..ctor(Type type, String defaultNamespace)
    at System.Xml.Serialization..ctor(Type type)
    at Intuit.Spc.map.WindowsFirewallUtilities.Configuration.WindowsFirewall.CreateInstance(String xmlConfig)
    at Intuit.Spc.map.WindowsFirewallUtilities.Configuration.WindowsFirewall.CreateInstanceFromFile(String filePath)
    at Intuit.Spc.map.WindowsFirewallUtilities.Installer.WindowsFirewallException.InstallFirewall(String configPath, String productName, String productCode, Boolean isInstalling)
    at Intuit.Spc.map.WindowsFirewallUtilities.Installer.WindowsFirewallException.InstallFirewall(MsiUtilities msiUtil, Boolean isInstalling)
    at Intuit.Spc.map.WindowsFirewallUtilities.Installer.WindowsFirewallException.CreateFirewallRules2(MsiUtilities msiUtil)
    at Intuit.Spc.map.WindowsFirewallUtilities.Installer.WindowsFirewallException.CreateFirewallRules(UInt32 installerContext)

    This error wouldn't let me copy and paste, so I had to copy the screen and then type it out myself.

    Sorry to bombard you with all of these issues at once...

    Hope you had a good holiday.
     
