
winupgro.exe virus(mdelk.exe)


Name: amnesiak77
Date: December 19, 2008 at 05:27:37 Pacific
OS: xpsp3
CPU/Ram: amddualcore.2000mb
Product: Amd / AM2
Comment:

Hi,
Yesterday my computer got infected with some new virus. First it corrupted my NOD32, then Webroot Spy Sweeper. NOD32 did not detect it.
I uninstalled both; now I cannot install any antivirus program. I managed to install the Avast program, but when I try to run it, it says it is not a valid Win32 application. I could not run HijackThis.
I managed to install a program called Trojan Remover. It finds the virus (mdelk.exe) but cannot delete it, although it says that it has been deleted. The virus is still there after reboot.
Any suggestions?





Response Number 1
Name: jabuck
Date: December 19, 2008 at 06:29:55 Pacific
Reply:

Please download ComboFix to the desktop from one of the following links:

Link 1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your Eset or any other antivirus that you have, and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse; it will cause your system to hang.)
Please post the log it produces.


0

Response Number 2
Name: amnesiak77
Date: December 20, 2008 at 08:41:12 Pacific
Reply:

OK.
I managed to delete this virus. I ran ComboFix, which I believe deleted some files. I also used Trojan Remover. It deleted some stuff. Then I could run Windows in safe mode (before that I could not; my restore point did not work either). Under system32 I deleted mdelk.exe and wgalogon.exe, which had started to nag about my OS not being valid.

When I did that I could install NOD32 again and ran a scan. The scan found the Bagle (something) and NOD32 could delete those infected files.
Now the OS seems OK.
Just for information, sorry for my not-so-good English typing.


0

Response Number 3
Name: Aapelus
Date: December 20, 2008 at 09:58:15 Pacific
Reply:

Thanks for the information, guys, but I still have that virus. I can't use that ComboFix file because when I try to run it, it says "C:\ Documents and settings\Aapeli\Desktop\combofix is not suitable win-32 application" (or the same in Finnish). Furthermore, it says the same thing if I try to run a virus scan (like Antivir). I also tried to run my computer in safe mode and run system restoration (I don't know the right word) as it was yesterday. Well, I didn't succeed. Anyone have more ideas?


0

Response Number 4
Name: amnesiak77
Date: December 20, 2008 at 10:17:14 Pacific
Reply:

Maybe you should try to kill the process called winupgro.exe. Press Ctrl+Alt+Delete and under the Processes tab find that exe. Then try to run ComboFix again.


0

Response Number 5
Name: Aapelus
Date: December 20, 2008 at 10:52:42 Pacific
Reply:

I tried, but it still isn't working. Right now I'm loading "Spybot", which should be able to delete and locate that virus, or at least I hope so.
I'm still waiting for more hints if this doesn't work...


0


Response Number 6
Name: amnesiak77
Date: December 20, 2008 at 11:17:48 Pacific
Reply:

You can also try to run the Bagle remover tool.
http://www.topshareware.com/Webroot...


0

Response Number 7
Name: Aapelus
Date: December 20, 2008 at 11:35:11 Pacific
Reply:

Argh, still not working. Does anyone know if I could delete/locate it with an online virus scan or something?
I'm getting desperate...


0

Response Number 8
Name: amnesiak77
Date: December 20, 2008 at 11:53:33 Pacific
Reply:

Can you get in Windows in Safe mode?


0

Response Number 9
Name: jabuck
Date: December 20, 2008 at 12:05:25 Pacific
Reply:

amnesiak77, I doubt that your computer is fully cleaned yet. Although the symptoms are not there, without seeing the logs and cleaning other areas of the computer it is possible for the baddie to regenerate itself.


0

Response Number 10
Name: jabuck
Date: December 20, 2008 at 12:15:05 Pacific
Reply:

Aapelus, it is dangerous to run ComboFix without a helper's assistance; it can lock your computer if incorrectly run.

Also, if you start a new thread we will see if we can help you. Do not post any logs yet; just state the problem that you are having with the computer.


0

Response Number 11
Name: amnesiak77
Date: December 20, 2008 at 13:15:35 Pacific
Reply:

Hi jabuck,
Here is the log made by HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:11:11, on 20.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.exe
D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
D:\WINDOWS\system32\Rundll32.exe
D:\Program Files\ASUS\WLAN Card Utilities\Center.exe
D:\Program Files\Trust\MI-2500X OPTICAL MOUSE\Mouse32a.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
E:\Program Files\Nod32\nod32kui.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe
E:\Program Files\Nod32\nod32krn.exe
D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\Program Files\Webroot\Washer\WasherSvc.exe
D:\WINDOWS\system32\wscntfy.exe
C:\eMule\emule.exe
E:\foobar2000\foobar2000.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.si/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Control Center] D:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] D:\Program Files\Trust\MI-2500X OPTICAL MOUSE\Mouse32a.exe
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Program Files\CorelDraw12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=122208 serial=DR12WRN-5701988-WTE lang=EN
O4 - HKLM\..\Run: [amd_dc_opt] D:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Nod32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ISUSPM] "D:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Index Washer] D:\Program Files\Webroot\Washer\WashIdx.exe "grega"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files\Microsoft Office\Office12\ONENOTEM.exe
O4 - Global Startup: AVerQuick.lnk = D:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe
O4 - Global Startup: Shortcut to SiOL ADSL dostop.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O17 - HKLM\System\CCS\Services\Tcpip\..\{04D5BDB2-C0D0-497F-8A0D-582123FC51B4}: NameServer = 193.189.160.23 193.189.160.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD7DB2A2-1DD9-4009-A790-888EB2CD1ECC}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8870077-FFEE-416F-802B-F1AC88210ED0}: NameServer = 192.168.1.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{04D5BDB2-C0D0-497F-8A0D-582123FC51B4}: NameServer = 193.189.160.23 193.189.160.13
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Nod32\nod32krn.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - D:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 5993 bytes


0
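A small triage script for the O4 (autorun) and O23 (service) lines of a HijackThis log like the one above. This is an added example, not part of the thread and not HijackThis or ComboFix code; the "user-writable location" and "unknown owner" heuristics are my assumptions, and the sample log mixes lines copied from the post with one constructed autorun entry pointing at the Application Data\drivers path that NOD32 later reported for the worm.

```python
"""Triage O4/O23 lines of a HijackThis log for entries worth a second look.

Added example, not part of the forum thread or of HijackThis itself.
The heuristics are assumptions: an autorun or service whose binary lives
in a user profile, Application Data or temp folder, or a service with an
unknown owner, is a lead for a human to verify, not a verdict.
"""
import re
from typing import Dict, List

# Run / RunOnce entries:  O4 - HKLM\..\Run: [name] command line
RUN_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Startup-folder shortcuts:  O4 - Global Startup: foo.lnk = target
LNK_RE = re.compile(r'^O4 - (?P<kind>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$')
# Services:  O23 - Service: display name (short name) - owner - path
SVC_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$')

# Assumed markers of locations where legitimate autorun binaries are rare
# but dropped payloads are common (the worm here sat in Application Data\drivers).
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\temp\\",
)


def extract_path(cmd: str) -> str:
    """Pull the executable path out of an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: cut at the first whitespace that starts a /switch or -switch.
    return re.split(r'\s+(?=[/-])', cmd, maxsplit=1)[0]


def flags_for(path: str, owner: str = "") -> List[str]:
    """Return the reasons an entry deserves review (empty list = none)."""
    reasons = []
    low = path.lower()
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("binary in user-writable profile/temp location")
    if path == "?":
        reasons.append("shortcut target could not be resolved")
    if owner.lower() == "unknown owner":
        reasons.append("service has no publisher recorded")
    return reasons


def parse_hjt(log_text: str) -> List[Dict[str, object]]:
    """Parse O4/O23 lines into dicts, each with a 'flags' list attached."""
    entries: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            path = extract_path(m.group("cmd"))
            entries.append({"kind": f'{m.group("hive")} {m.group("key")}',
                            "name": m.group("name"), "path": path,
                            "flags": flags_for(path)})
            continue
        m = LNK_RE.match(line)
        if m:
            path = extract_path(m.group("cmd"))
            entries.append({"kind": m.group("kind"), "name": m.group("name"),
                            "path": path, "flags": flags_for(path)})
            continue
        m = SVC_RE.match(line)
        if m:
            path = extract_path(m.group("cmd"))
            entries.append({"kind": "Service", "name": m.group("name"),
                            "path": path,
                            "flags": flags_for(path, m.group("owner"))})
    return entries


def suspicious(log_text: str) -> List[Dict[str, object]]:
    """Only the entries that carry at least one flag."""
    return [e for e in parse_hjt(log_text) if e["flags"]]


# Constructed sample: lines copied from the thread's log plus one made-up
# HKCU autorun pointing at the path NOD32 later reported for the worm.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Nod32\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [winupgro] D:\Documents and Settings\grega\Application Data\drivers\winupgro.exe
O4 - Global Startup: Shortcut to SiOL ADSL dostop.lnk = ?
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Nod32\nod32krn.exe
"""

if __name__ == "__main__":
    for entry in suspicious(SAMPLE_LOG):
        print(f'{entry["kind"]:<14} {entry["name"]:<34} {entry["path"]}')
        for reason in entry["flags"]:
            print(f"    -> {reason}")
```

Entries it flags (such as the ATI service with no recorded owner) are starting points for checking the file's signature and location, not proof of infection.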

Response Number 12
Name: jabuck
Date: December 20, 2008 at 13:41:10 Pacific
Reply:

If you still have the ComboFix log located at C:\ComboFix.txt from when you first ran it, that would be the preferred log right now.


0

Response Number 13
Name: amnesiak77
Date: December 20, 2008 at 14:18:40 Pacific
Reply:

Sorry jabuck. I thought I posted it. I posted it to you using a private message. I guess I did something wrong.
I don't have the ComboFix log anymore. All I have is a NOD32 log that was made just after I managed to install the program and performed the scan and clean action.
Here it is, hope it helps:

Scanning Log
NOD32 version 3707 (20081219) NT
Checking CRC of NOD32.EXE: Status OK
Operating memory is OK.
Date: 20.12.2008 Time: 01:22:44
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:; D:; E:
Scanning interrupted by user!
Number of scanned files: 160
Number of threats found: 0
Time of completion: 01:22:48 Total scanning time: 4 sec (00:00:04)
Date: 20.12.2008 Time: 01:23:27
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:; D:; E:
C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
D:\pagefile.sys - error opening (File locked) [4]
D:\Documents and Settings\grega\NTUSER.DAT - error opening (File locked) [4]
D:\Documents and Settings\grega\ntuser.dat.LOG - error opening (File locked) [4]
D:\Documents and Settings\grega\Application Data\drivers\srosa.sys.vir - Win32/Bagle.QH worm - deleted
D:\Documents and Settings\grega\Application Data\drivers\winupgro.exe.vir - Win32/Bagle.QH worm - deleted
D:\Documents and Settings\grega\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
D:\Documents and Settings\grega\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
D:\Documents and Settings\grega\Local Settings\temp\BCGB2.tmp - error opening (File locked) [4]
D:\Documents and Settings\grega\Local Settings\temp\TEMP0298.cdx - error opening (File locked) [4]
D:\Documents and Settings\grega\Local Settings\temp\TEMP0298.dbf - error opening (File locked) [4]
D:\Documents and Settings\grega\Local Settings\temp\TEMP0300.cdx - error opening (File locked) [4]
D:\Documents and Settings\grega\Local Settings\temp\TEMP0300.dbf - error opening (File locked) [4]
D:\Documents and Settings\grega\Local Settings\temp\TEMP1158.cdx - error opening (File locked) [4]
D:\Documents and Settings\grega\Local Settings\temp\TEMP1158.dbf - error opening (File locked) [4]
D:\Documents and Settings\grega\Local Settings\temp\TEMP4892.cdx - error opening (File locked) [4]
D:\Documents and Settings\grega\Local Settings\temp\TEMP4892.dbf - error opening (File locked) [4]
D:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
D:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
D:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
D:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\winupgro.exe.vir - Win32/Bagle.QH worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\134859.exe.vir - Win32/Bagle.QI worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\144453.exe.vir - Win32/Bagle.QI worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\152937.exe.vir - Win32/Bagle.QI worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\155343.exe.vir - Win32/Bagle.QI worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\157703.exe.vir - Win32/Bagle.QI worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\15836765.exe.vir - Win32/Bagle.QL worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\15899531.exe.vir - Win32/Bagle.QL worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\159625.exe.vir - Win32/Bagle.QI worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\16005890.exe.Vvir - Win32/Bagle.QM worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\161609.exe.vir - Win32/Bagle.QI worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\203843.exe.vir - Win32/Bagle.QI worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\280953.exe.vir - Win32/Bagle.QP worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\284687.exe.vir - Win32/Bagle.QO worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\30477234.exe.vir - Win32/Bagle.QI worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\30613984.exe.vir - Win32/Bagle.QP worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\30624468.exe.vir - Win32/Bagle.QP worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\30939390.exe.vir - Win32/Bagle.QL worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\31039203.exe.vir - Win32/Bagle.QM worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\315062.exe.vir - Win32/Bagle.QP worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\316718.exe.vir - Win32/Bagle.QO worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\574593.exe.vir - Win32/Bagle.QL worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\585734.exe.vir - Win32/Bagle.QL worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\593703.exe.vir - Win32/Bagle.QL worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\647000.exe.vir - Win32/Bagle.QI worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\650593.exe.vir - Win32/Bagle.QM worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\674390.exe.vir - Win32/Bagle.QL worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\695046.exe.vir - Win32/Bagle.QL worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\703625.exe.vir - Win32/Bagle.QL worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\705093.exe.vir - Win32/Bagle.QL worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\drivers\downld\763203.exe.vir - Win32/Bagle.QM worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\m\data.oct.vir - Win32/Bagle.QH worm - deleted
D:\Qoobox\Quarantine\D\Documents and Settings\grega\Application Data\m\shared\RGB Slider 1.0.czip.vir - Win32/Bagle.QH worm - deleted
D:\Qoobox\Quarantine\D\Program Files\DAEMON Tools Lite\daemon.exe.vir - Win32/Bagle.QH worm - deleted
D:\Qoobox\Quarantine\D\WINDOWS\system32\mdelk.exe.vir - Win32/Bagle.QI worm - deleted
D:\Qoobox\Quarantine\D\WINDOWS\system32\wintems.exe.vir - Win32/Bagle.QI worm - deleted
D:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059830.sys - Win32/Bagle.QH worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059832.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059834.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059835.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059837.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059863.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059867.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059872.exe - Win32/Bagle.QO worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059873.exe - Win32/Bagle.QO worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059874.exe - Win32/Bagle.QP worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059875.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059882.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059889.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059892.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059894.exe - Win32/Bagle.QL worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059895.exe - Win32/Bagle.QL worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059899.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059900.exe - Win32/Bagle.QM worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059901.exe - Win32/Bagle.QM worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059903.exe - Win32/Bagle.QM worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059908.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059929.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059930.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059931.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059961.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059969.exe - Win32/Bagle.QP worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059970.exe - Win32/Bagle.QO worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059974.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059975.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059982.exe - Win32/Bagle.QP worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059983.exe - Win32/Bagle.QP worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0059998.exe - Win32/Bagle.QL worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060002.exe - Win32/Bagle.QM worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060003.exe - Win32/Bagle.QM worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060007.exe - Win32/Bagle.QO worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060008.exe - Win32/Bagle.QP worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060009.exe - Win32/Bagle.QP worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060010.exe - Win32/Bagle.QO worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060014.exe - Win32/Bagle.QP worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060015.exe - Win32/Bagle.QO worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060028.exe - Win32/Bagle.QP worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060031.exe - Win32/Bagle.QO worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060102.exe - Win32/Bagle.QL worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060104.exe - Win32/Bagle.QL worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060110.exe - Win32/Bagle.QL worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060120.exe - Win32/Bagle.QM worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060121.exe - Win32/Bagle.QI worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060122.exe - Win32/Bagle.QM worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060123.exe - Win32/Bagle.QM worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060128.exe - Win32/Bagle.QL worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060134.exe - Win32/Bagle.QL worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060135.exe - Win32/Bagle.QL worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060136.exe - Win32/Bagle.QL worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060144.exe - Win32/Bagle.QM worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060148.exe - Win32/Bagle.QM worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060160.exe - Win32/Bagle.QH worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060162.exe - Win32/Bagle.QP worm - deleted
D:\System Volume Information\_restore{1D075C07-8E9E-4C5F-942D-965F279C43A0}\RP157\A0060195.exe - Win32/Bagle.QH worm - deleted
D:\WINDOWS\system32\config\default - error opening (File locked) [4]
D:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
D:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
D:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
D:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
D:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
D:\WINDOWS\system32\config\software - error opening (File locked) [4]
D:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
D:\WINDOWS\system32\config\system - error opening (File locked) [4]
D:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
D:\WINDOWS\system32\drivers\sptd.sys - error opening (File locked) [4]
E:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
Number of scanned files: 145446
Number of threats found: 96
Number of files cleaned: 96
Time of completion: 01:55:10 Total scanning time: 1903 sec (00:31:43)
Notes:
[4] File cannot be opened. It may be in use by another application or operating system.



Response Number 14
Name: jabuck
Date: December 20, 2008 at 14:30:14 Pacific
Reply:

Please post a new Combofix log; you probably still have it installed, so just follow the directions to run it.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your Eset antivirus, Spy Sweeper, and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse; it will cause your system to hang.)
Please post the log it produces.



Response Number 15
Name: amnesiak77
Date: December 20, 2008 at 14:50:17 Pacific
Reply:

Here you go:

ComboFix 08-12-20.01 - grega 2008-12-20 23:41:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1495 [GMT 1:00]
Running from: d:\documents and settings\grega\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
.

2008-12-20 00:59 . 2004-02-11 18:27 102,912 --a------ d:\windows\system32\islzma.dll
2008-12-20 00:59 . 2006-01-25 10:54 78,336 --a------ d:\windows\system32\drivers\ssi.sys
2008-12-20 00:50 . 2008-12-20 00:49 512,096 --a------ d:\windows\system32\drivers\amon.sys
2008-12-20 00:50 . 2008-12-20 00:49 298,104 --a------ d:\windows\system32\imon.dll
2008-12-20 00:50 . 2008-12-20 00:49 15,424 --a------ d:\windows\system32\drivers\nod32drv.sys
2008-12-19 23:29 . 2008-12-19 23:29 <DIR> d-------- d:\documents and settings\grega\Application Data\Prevx
2008-12-19 11:08 . 2008-12-19 11:08 <DIR> d-------- d:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-19 08:20 . 2008-12-19 08:20 <DIR> d-------- d:\windows\09D796A099CB4A1AA5E5E026042DCF09.TMP
2008-12-19 08:18 . 2008-12-19 08:18 <DIR> d-------- d:\documents and settings\All Users\Application Data\BufferZone
2008-12-19 07:59 . 2008-12-19 08:18 <DIR> d-------- d:\documents and settings\All Users\Application Data\PrevxCSI
2008-12-19 07:26 . 2008-12-19 07:27 <DIR> d-------- d:\documents and settings\grega\Application Data\AdwareBot
2008-12-19 01:10 . 2008-12-19 01:10 <DIR> d-------- d:\program files\Trojan Remover
2008-12-19 01:10 . 2008-12-19 01:10 <DIR> d-------- d:\documents and settings\grega\Application Data\Simply Super Software
2008-12-19 01:10 . 2008-12-19 01:10 <DIR> d-------- d:\documents and settings\All Users\Application Data\Simply Super Software
2008-12-19 01:10 . 2006-05-25 14:52 162,304 --a------ d:\windows\system32\ztvunrar36.dll
2008-12-19 01:10 . 2003-02-02 19:06 153,088 --a------ d:\windows\system32\UNRAR3.dll
2008-12-19 01:10 . 2005-08-26 00:50 77,312 --a------ d:\windows\system32\ztvunace26.dll
2008-12-19 01:10 . 2002-03-06 00:00 75,264 --a------ d:\windows\system32\unacev2.dll
2008-12-19 01:10 . 2006-06-19 12:01 69,632 --a------ d:\windows\system32\ztvcabinet.dll
2008-12-19 00:21 . 2008-12-19 00:21 <DIR> d-------- d:\program files\Trend Micro
2008-12-18 12:11 . 2008-12-20 01:26 <DIR> d--h----- d:\documents and settings\grega\Application Data\drivers
2008-12-17 19:47 . 2008-04-14 00:15 32,128 --a------ d:\windows\system32\drivers\usbccgp.sys
2008-12-16 22:10 . 2008-12-19 00:57 <DIR> d-------- d:\documents and settings\All Users\Application Data\2DBoy
2008-12-15 23:38 . 2008-12-15 23:38 <DIR> d-------- d:\program files\PC Magazine Utilities
2008-12-08 12:58 . 2007-09-23 17:00 37,328 -ra------ d:\windows\system32\drivers\USBSER34.SYS
2008-12-08 12:36 . 2008-12-08 12:36 <DIR> d----c--- d:\windows\system32\DRVSTORE
2008-12-08 12:36 . 2006-05-24 10:40 188,416 --a------ d:\windows\system32\ftdiunin.exe
2008-12-08 12:36 . 2006-05-24 10:45 176,128 --a------ d:\windows\system32\ftd2xx.dll
2008-12-08 12:36 . 2006-05-24 10:47 106,496 --a------ d:\windows\system32\ftbusui.dll
2008-12-08 12:36 . 2006-05-24 10:42 102,400 --a------ d:\windows\system32\FTLang.dll
2008-12-08 12:36 . 2006-05-18 09:49 61,067 --a------ d:\windows\system32\drivers\ftser2k.sys
2008-12-08 12:36 . 2006-05-18 09:48 47,249 --a------ d:\windows\system32\drivers\ftdibus.sys
2008-12-08 12:36 . 2006-05-19 11:51 33,360 --a------ d:\windows\system32\ftserui2.dll
2008-12-08 12:36 . 2006-05-24 11:04 133 --a------ d:\windows\system32\ftdiun2k.ini
2008-12-07 00:04 . 2008-12-07 00:04 <DIR> d-------- d:\documents and settings\All Users\Application Data\ATI
2008-12-07 00:02 . 2008-07-31 21:05 593,920 --------- d:\windows\system32\ati2sgag.exe
2008-12-07 00:01 . 2008-12-07 00:03 1,117 --a------ d:\windows\ATICIM.INI
2008-12-06 12:57 . 2007-06-29 14:47 34,304 --a------ d:\windows\system32\drivers\AmdLLD.sys
2008-12-04 09:06 . 2008-12-04 09:06 <DIR> d-------- d:\program files\Karen's Power Tools
2008-12-04 09:05 . 2008-12-04 09:05 <DIR> d-------- d:\documents and settings\All Users\Application Data\Karen's Power Tools
2008-11-30 09:10 . 2008-12-01 00:39 <DIR> d-------- d:\program files\The Gamers Tools
2008-11-23 08:57 . 2008-11-30 21:33 <DIR> d-------- d:\program files\Tetron4
2008-11-22 18:25 . 2008-11-22 18:39 628 --a------ d:\windows\Rv.ini
2008-11-20 20:49 . 2008-11-20 20:49 <DIR> d-------- d:\program files\foobar2000
2008-11-20 20:49 . 2008-12-19 00:54 <DIR> d-------- d:\documents and settings\grega\Application Data\foobar2000
2008-11-20 08:28 . 2008-11-20 08:28 <DIR> d-------- d:\program files\Gigabyte

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 21:32 --------- d-----w d:\documents and settings\grega\Application Data\uTorrent
2008-12-20 19:31 --------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2008-12-20 10:32 --------- d-----w d:\documents and settings\grega\Application Data\Vso
2008-12-19 23:59 --------- d-----w d:\program files\Webroot
2008-12-18 23:47 --------- d-----w d:\documents and settings\grega\Application Data\Webroot
2008-12-16 17:17 --------- d-----w d:\documents and settings\grega\Application Data\Hamachi
2008-12-09 19:43 --------- d-----w d:\documents and settings\grega\Application Data\dvdcss
2008-12-06 23:02 --------- d-----w d:\program files\ATI Technologies
2008-12-06 11:57 --------- d-----w d:\program files\AMD
2008-11-27 21:10 --------- d-----w d:\program files\Hamachi
2008-11-22 10:20 --------- d-----w d:\documents and settings\grega\Application Data\Corel
2008-11-22 10:09 --------- d-----w d:\program files\Common Files\InstallShield
2008-11-18 17:52 --------- d-----w d:\documents and settings\grega\Application Data\ATI
2008-11-17 08:13 --------- d-----w d:\program files\MSXML 4.0
2008-11-16 22:05 --------- d-----w d:\program files\AudioShell
2008-11-16 21:42 --------- d-----w d:\program files\DVD Audio Extractor
2008-11-16 21:42 --------- d-----w d:\program files\AmiPicLite
2008-11-15 17:44 --------- d-----w d:\documents and settings\grega\Application Data\AccurateRip
2008-11-15 17:40 --------- d-----w d:\program files\Exact Audio Copy
2008-11-15 08:54 --------- d-----w d:\program files\Nero
2008-11-15 08:54 --------- d-----w d:\program files\Common Files\Ahead
2008-11-11 12:44 --------- d-----w d:\program files\Tensons
2008-11-11 07:02 --------- d-----w d:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-11 06:52 --------- d-----w d:\program files\Microsoft Works
2008-11-11 06:51 --------- d-----w d:\program files\MSBuild
2008-11-11 06:50 --------- d-----w d:\program files\Microsoft.NET
2008-11-10 22:40 --------- d-----w d:\documents and settings\All Users\Application Data\Corel
2008-11-10 22:38 --------- d-----w d:\program files\Common Files\Corel
2008-11-10 21:59 --------- d-----w d:\documents and settings\grega\Application Data\InstallShield
2008-11-10 21:59 --------- d-----w d:\documents and settings\All Users\Application Data\InstallShield
2008-11-08 07:41 --------- d-----w d:\program files\MSN Messenger
2008-11-05 20:19 --------- d-----w d:\documents and settings\grega\Application Data\ImgBurn
2008-11-05 18:54 47,360 ----a-w d:\windows\system32\drivers\pcouffin.sys
2008-11-05 18:54 47,360 ----a-w d:\documents and settings\grega\Application Data\pcouffin.sys
2008-11-05 18:54 --------- d-----w d:\program files\DVDFab Platinum 3
2008-11-05 18:52 --------- d-----w d:\program files\ImgBurn
2008-11-05 18:39 --------- d--h--w d:\program files\InstallShield Installation Information
2008-11-05 18:39 --------- d-----w d:\program files\Common Files\COWON
2008-11-05 18:24 --------- d-----w d:\program files\MagicISO
2008-11-03 16:34 --------- d-----w d:\program files\Ahead
2008-11-03 00:35 --------- d-----w d:\documents and settings\All Users\Application Data\Nero
2008-11-03 00:21 --------- d-----w d:\documents and settings\grega\Application Data\Ahead
2008-11-02 10:48 --------- d-----w d:\documents and settings\grega\Application Data\zweitgeist
2008-11-02 01:30 --------- d-----w d:\documents and settings\grega\Application Data\Red Alert 3
2008-11-01 12:18 --------- d-----w d:\documents and settings\grega\Application Data\COWON
2008-10-31 10:19 --------- d-----w d:\program files\K-Lite Codec Pack
2008-10-28 16:28 --------- d-----w d:\program files\Folder Marker
2008-10-28 12:36 717,296 ----a-w d:\windows\system32\drivers\sptd.sys
2008-10-28 12:36 --------- d-----w d:\documents and settings\grega\Application Data\DAEMON Tools
2008-10-27 17:34 --------- d-----w d:\program files\Trust
2008-10-26 23:52 --------- d-----w d:\documents and settings\All Users\Application Data\TrackMania United
2008-10-26 22:26 --------- d-----w d:\program files\Monkey's Audio
2008-10-26 22:24 --------- d-----w d:\program files\Medieval Software
2008-10-26 07:16 --------- d-----w d:\documents and settings\grega\Application Data\vlc
2008-10-26 07:15 --------- d-----w d:\program files\VideoLAN
2008-10-25 14:08 --------- d-----w d:\documents and settings\All Users\Application Data\vsosdk
2008-10-25 09:26 --------- d-----w d:\documents and settings\All Users\Application Data\Trymedia
2008-10-25 09:20 --------- d-----w d:\documents and settings\All Users\Application Data\NOS
2008-10-25 08:28 --------- d-----w d:\program files\Common Files\Adobe AIR
2008-10-25 08:28 --------- d-----w d:\program files\Common Files\Adobe
2008-10-25 08:03 20,747 ----a-w d:\windows\system32\drivers\AegisP.sys
2008-10-25 08:03 --------- d-----w d:\program files\ASUS
2008-10-25 07:59 --------- d-----w d:\documents and settings\LocalService\Application Data\Webroot
2008-10-25 07:36 --------- d-----w d:\program files\UltraISO
2008-10-25 07:36 --------- d-----w d:\program files\Common Files\EZB Systems
2008-10-25 07:33 --------- d-----w d:\documents and settings\grega\Application Data\Media Player Classic
2008-10-25 07:32 --------- d-----w d:\program files\Common Files\Webroot Shared
2008-10-25 07:32 --------- d-----w d:\documents and settings\All Users\Application Data\Webroot
2008-10-24 23:19 --------- d-----w d:\program files\AVerMedia
2008-10-24 23:18 --------- d-----w d:\program files\Common Files\AVerMedia
2008-10-24 23:06 --------- d-----w d:\program files\uTorrent
2008-10-24 20:46 --------- d-----w d:\program files\7-Zip
2008-10-24 20:29 --------- d-----w d:\documents and settings\grega\Application Data\SiOL
2008-10-24 20:25 --------- d-----w d:\program files\SiOL
2008-10-24 20:25 --------- d-----w d:\documents and settings\All Users\Application Data\{4BF33A15-171B-454E-8A15-E7E0C8D3D1CA}
2008-10-24 20:18 --------- d-----w d:\program files\Logitech
2008-10-24 20:18 --------- d-----w d:\program files\Common Files\Logitech
2008-10-24 19:20 --------- d-----w d:\program files\Creative
2008-10-24 19:20 --------- d-----w d:\program files\Common Files\ACD Systems
2008-10-24 19:20 --------- d-----w d:\documents and settings\grega\Application Data\ACD Systems
2008-10-24 19:20 --------- d-----w d:\documents and settings\All Users\Application Data\ACD Systems
2008-10-24 18:48 --------- d-----w d:\program files\microsoft frontpage
2008-10-24 18:44 --------- d-----w d:\program files\Windows Media Connect 2
2008-10-24 18:11 --------- d-----w d:\program files\FLAC
2008-10-24 17:25 --------- d-----w d:\documents and settings\grega\Application Data\teamspeak2
2008-10-24 17:19 25,280 ----a-w d:\windows\system32\drivers\hamachi.sys
2008-10-24 11:21 455,296 ----a-w d:\windows\system32\drivers\mrxsmb.sys
2008-10-16 13:13 202,776 ----a-w d:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w d:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w d:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w d:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w d:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w d:\windows\system32\wuauclt.exe
2008-09-30 15:43 1,286,152 ----a-w d:\windows\system32\msxml4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="d:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="d:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="d:\windows\UpdReg.exe" [2000-05-11 90112]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Control Center"="d:\program files\ASUS\WLAN Card Utilities\Center.exe" [2006-08-15 1696256]
"FLMOFFICE4DMOUSE"="d:\program files\Trust\MI-2500X OPTICAL MOUSE\Mouse32a.exe" [2008-10-27 370176]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"CorelDRAW Graphics Suite 11b"="e:\program files\CorelDraw12\Languages\EN\Programs\Registration.exe" [2003-11-25 729088]
"amd_dc_opt"="d:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"StartCCC"="d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"TrojanScanner"="d:\program files\Trojan Remover\Trjscan.exe" [2008-12-19 1230728]
"nod32kui"="e:\program files\Nod32\nod32kui.exe" [2008-12-20 949376]
"SpySweeper"="d:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2006-01-25 3405312]
"P17Helper"="P17.dll" [2005-05-03 d:\windows\system32\P17.dll]

d:\documents and settings\grega\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - d:\program files\Microsoft Office\Office12\ONENOTEM.exe [2006-10-26 98632]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Igre\\Red Alert 2\\game.exe"=
"d:\\Program Files\\Hamachi\\hamachi.exe"=
"e:\\Program Files\\Teamspeak2_RC2-Server\\server_windows.exe"=
"d:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\Igre\\TrackMania United\\TmUnited.exe"=
"e:\\Igre\\Counter-Strike Source\\hl2.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"=
"e:\\Igre\\Red Alert 2\\gamemd.exe"=
"d:\\Program Files\\Gigabyte\\BIOS\\GWF32.exe"=
"e:\\Igre\\FalconAF\\FalconAF.exe"=
"e:\\Igre\\rFactor\\rFactor.exe"=

R0 SSI;SSI;d:\windows\system32\Drivers\SSI.SYS [2008-12-20 78336]
R1 nod32drv;nod32drv;d:\windows\system32\drivers\nod32drv.sys [2008-12-20 15424]
R2 wwEngineSvc;Window Washer Engine;d:\program files\Webroot\Washer\WasherSvc.exe [2008-10-25 598856]
R3 ASNDIS5;ASNDIS5 Protocol Driver;\??\d:\windows\system32\ASNDIS5.SYS [2008-10-24 16269]
R3 AVerBDA3x;AVerMedia SAA713x BDA Service;d:\windows\system32\DRIVERS\AVerBDA3x.sys [2008-10-25 1176192]
R3 FStarForce;FStarForce;d:\windows\system32\DRIVERS\FStarForce.sys [2008-10-28 7680]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6ed4630-a8c9-11dd-a637-806d6172696f}]
\Shell\AutoRun\command - F:\Run.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db0bae35-a1ec-11dd-8ef3-0016e65cbe1d}]
\Shell\AutoRun\command - G:\autorun.exe
\Shell\readit\command - notepad readme.doc

*Newly Created Service* - ASNDIS5
.
Contents of the 'Scheduled Tasks' folder

2008-12-20 d:\windows\Tasks\AdwareBot Scheduled Scan.job
- d:\program files\AdwareBot\AdwareBot.exe []

2008-12-20 d:\windows\Tasks\AdwareBot Scheduled Scan.job
- d:\program files\AdwareBot []

2008-12-17 d:\windows\Tasks\At1.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At10.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At11.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At12.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At13.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At14.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At15.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At16.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At17.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At18.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At19.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At2.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At20.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At21.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At22.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At23.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At24.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At3.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At4.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At5.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At6.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At7.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At8.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At9.job
- d:\windows\system32\o8R10d05.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.si/
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: d:\windows\system32\imon.dll
TCP: {BD7DB2A2-1DD9-4009-A790-888EB2CD1ECC} = 192.168.1.1
TCP: {E8870077-FFEE-416F-802B-F1AC88210ED0} = 192.168.1.1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 23:43:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
d:\windows\system32\Ati2evxx.dll
d:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'lsass.exe'(848)
d:\windows\system32\imon.dll
.
Completion time: 2008-12-20 23:43:57
ComboFix-quarantined-files.txt 2008-12-20 22:43:55

Pre-Run: 534.704.128 bytes free
Post-Run: 595,668,992 bytes free

294 --- E O F --- 2008-11-17 08:46:01


0
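The log above shows a persistence pattern worth recognising when reading ComboFix output: twenty-four At*.job tasks (the naming the legacy `at` scheduler uses) all launching the same oddly named executable under system32. As an added example, not code from the thread, from ComboFix or from its author, here is a small Python triage script that parses the 'Scheduled Tasks' section of a ComboFix log and flags executables that are referenced by a series of At<N>.job tasks or that have random-looking names under system32. The sample log embedded in it is constructed (the GoogleUpdate entry is an invented benign control case), and the line formats the regexes expect are an assumption drawn from the log layout above.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of ComboFix's 'Scheduled Tasks' section.
# The At*.job entries are modelled on the log above but shortened; the
# GoogleUpdate entry is invented as a benign control case.
SAMPLE_LOG = r"""Contents of the 'Scheduled Tasks' folder

2008-12-20 d:\windows\Tasks\AdwareBot Scheduled Scan.job
- d:\program files\AdwareBot\AdwareBot.exe []

2008-12-17 d:\windows\Tasks\At1.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At2.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\At3.job
- d:\windows\system32\o8R10d05.exe []

2008-12-20 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2008-10-02 13:30]
.
"""

# Assumed line shapes: "<date> <path>.job" followed by "- <target> [<info>]".
JOB_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(.+\.job)\s*$", re.IGNORECASE)
TARGET_LINE = re.compile(r"^-\s+(.+?)\s*\[(.*)\]\s*$")
AT_JOB = re.compile(r"[\\/]At\d+\.job$", re.IGNORECASE)


def parse_scheduled_tasks(text):
    """Return (date, job_path, target_path) tuples from the section text."""
    lines = [ln.strip() for ln in text.splitlines()]
    tasks = []
    for i, line in enumerate(lines[:-1]):
        job = JOB_LINE.match(line)
        target = TARGET_LINE.match(lines[i + 1])
        if job and target:
            tasks.append((job.group(1), job.group(2), target.group(1)))
    return tasks


def looks_random(filename):
    """Crude heuristic: the stem mixes digits, upper- and lower-case letters.
    Legitimate binaries can trip it, so it only adds weight to a finding."""
    stem = filename.rsplit(".", 1)[0]
    return (any(c.isdigit() for c in stem)
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def find_suspicious_targets(tasks, min_at_jobs=3):
    """Group tasks by the executable they launch and flag two patterns:
    - a series of At<N>.job tasks all pointing at the same executable;
    - a random-looking executable name living under system32."""
    jobs_by_target = defaultdict(list)
    display_name = {}
    for _date, job, target in tasks:
        key = target.lower()
        jobs_by_target[key].append(job)
        display_name.setdefault(key, target)

    findings = []
    for key, jobs in jobs_by_target.items():
        reasons = []
        at_jobs = [j for j in jobs if AT_JOB.search(j)]
        if len(at_jobs) >= min_at_jobs:
            reasons.append(f"{len(at_jobs)} At*.job tasks launch the same executable")
        exe_name = display_name[key].rsplit("\\", 1)[-1]
        if "\\system32\\" in key and looks_random(exe_name):
            reasons.append("random-looking executable name under system32")
        if reasons:
            findings.append({"target": display_name[key],
                             "jobs": sorted(jobs),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_targets(parse_scheduled_tasks(SAMPLE_LOG)):
        print(finding["target"])
        for reason in finding["reasons"]:
            print("  -", reason)
        for job in finding["jobs"]:
            print("     ", job)
```

Feed it the 'Scheduled Tasks' section of a real log instead of SAMPLE_LOG and review the output by hand; the name heuristic is a weighting signal, not a verdict, and a single At*.job pointing at a normal administrative script is not by itself a finding.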

Response Number 16
Name: jabuck
Date: December 20, 2008 at 15:24:56 Pacific
Reply:

Go to start> control panel> add/remove programs and remove this rogue program if found:

Adwarebot

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
d:\windows\09D796A099CB4A1AA5E5E026042DCF09.TMP
d:\windows\Tasks\At1.job
d:\windows\system32\o8R10d05.exe
d:\windows\Tasks\At10.job
d:\windows\Tasks\At11.job
d:\windows\Tasks\At12.job
d:\windows\Tasks\At13.job
d:\windows\Tasks\At14.job
d:\windows\Tasks\At15.job
d:\windows\Tasks\At16.job
d:\windows\Tasks\At17.job
d:\windows\Tasks\At18.job
d:\windows\Tasks\At19.job
d:\windows\Tasks\At2.job
d:\windows\Tasks\At20.job
d:\windows\Tasks\At21.job
d:\windows\Tasks\At22.job
d:\windows\Tasks\At23.job
d:\windows\Tasks\At24.job
d:\windows\Tasks\At3.job
d:\windows\Tasks\At4.job
d:\windows\Tasks\At5.job
d:\windows\Tasks\At6.job
d:\windows\Tasks\At7.job
d:\windows\Tasks\At8.job
d:\windows\Tasks\At9.job

Folder::
d:\windows\Tasks
d:\documents and settings\grega\Application Data\AdwareBot

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "run".

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


0

Response Number 17
Name: amnesiak77
Date: December 20, 2008 at 16:58:21 Pacific
Reply:

Ok, I did as suggested. Kaspersky Online Scanner did not find any infected or suspicious files.

So, did I get this one by starting an exe file of something, or some other way?
Anyway thanks.


0

Response Number 18
Name: jabuck
Date: December 20, 2008 at 17:22:53 Pacific
Reply:

I can't be sure of where it came from but usually like any other spyware/virus through a program that was downloaded, email or web site.

A good chance it was from the rogue program you uninstalled.

Your computer appears to be clean.

Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Kaspersky

You should keep ATF Cleaner and run it weekly.


You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

How is the computer operating?


0

Response Number 19
Name: amnesiak77
Date: December 20, 2008 at 23:27:59 Pacific
Reply:

Thanks for all the help.
The computer is operating normally. Nothing unusual.


0

Response Number 20
Name: jabuck
Date: December 21, 2008 at 07:11:14 Pacific
Reply:

Glad we could help.


0

Response Number 21
Name: fr0gman
Date: December 21, 2008 at 20:23:35 Pacific
Reply:

Well it seems that I have this bug as well. I cannot run any AV nor ComboFix. When I try the system either locks or I get the invalid Win32 message. I cannot run system restore nor can I boot into Safe Mode.

Any ideas???


0

Response Number 22
Name: jabuck
Date: December 21, 2008 at 20:37:52 Pacific
Reply:

fr0gman, please start a thread of your own and we will try to help. Do not post any logs yet, just state the problem and what you have done so far.


0

Response Number 23
Name: amvinfe
Date: December 27, 2008 at 09:01:18 Pacific
Reply:

To be able to run ComboFix you should rename it, before downloading, to an alphanumeric name, for example co@123fi.exe

Bye ;)
amvinfe at suspectfile dot com


0

Response Number 24
Name: helpus
Date: December 28, 2008 at 13:33:06 Pacific
Reply:

THANK YOU FOR YOUR HELP ON THIS SITE!!

All of our anti-virus programs were corrupted by the virus and didn't work even after we got rid of the virus. We had to install the original setup files.

Can this virus have had any effect on the graphics card? Now my computer suddenly, every 20 minutes or so, goes dead (the screen goes black and I can't do anything). When this happens, I have to reboot. Once rebooting didn't help, I had to disconnect the electricity and only by this I got it working again. Now, after the virus, I noticed too that while my computer is starting up there is a lot of pixelating and colours blinking and flashing in lines etc.

Is my graphics card affected by the virus and being destroyed because of it? Or is it just a coincidence that my card is breaking down?

After ATF-Cleaner we had 377 errors/impurities and the ATF program only cleaned away 16 of them because we did not own the program. Should we be worried?

Shortly, my questions are:
1. Is my graphics card affected by the virus?
2. Is the virus still on my computer?
3. Should I be worried about all the 377 errors?
4. Why didn't my F-Secure find the virus even though we scanned it before opening?

I'm looking forward to your quick answers!
Best regards
Helpus


0

Response Number 25
Name: amvinfe
Date: December 29, 2008 at 13:35:13 Pacific
Reply:

Hi,

this malware (a variant of Bagle) certainly removes the sound card driver, disables the display of hidden and system files and folders, turns off SafeBoot, as you said, and disables almost all security programs: antivirus, antispyware, HIPS modules ...

Frankly, a damaged graphics card is the first time I have read of it; I would instead look at incorrect removals.

To understand if the malware is still on your computer, run a scan with SystemScan:

download to your desktop
http://www.suspectfile.com/systemscan
open it and make sure that all options are checked, then click on "Scan Now"; at the end of the scan two files will be produced (always on your desktop, inside the suspectfile folder).
Upload the zip file to http://www.freefilehosting.net and write in your next reply the URL where I can get it.

Remember: run the scan with no connection and with the antivirus disabled, and re-enable them only once the scan has finished.

NB
The duration of the scan may be long; it might even seem that the program is not working. Do not worry, it is not so ;)

SystemScan is recognized, by mistake, by some antivirus programs as infected.
--

Ciao,
Marco


0
