Jump to content

Rootkit.Agent - having trouble removing


Recommended Posts

This morning I was unfortunate enough to get caught out by a web page which was obviously loaded - I've installed Malwarebytes' Anti Malware now which has fixed many of the problems resulting - however I've been left with MBAM reporting a finding of Rootkit.Agent, it offers to remove these on restart but a second scan shows they are back.

I've attached the MBAM log and a Hijackthis! log (wasn't sure if you prefer them posted or attached?) - alas removing these myself is over my head for now :)

Best regards

Matt

mbam_log_2008_12_04__18_11_54_.txt

mbam_log_2008_12_04__18_11_54_.txt

Link to post
Share on other sites

Hi Tigger - I could still use a hand. I have a bit of a free afternoon so was planning on wiping the machine as I've still been unsuccessful in killing this malware but if there is any chance of resolving this I'd much prefer to attempt to fix it over having to reinstall everything!

Best regards

Matt

Link to post
Share on other sites

Hijack this! log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:25:45, on 15/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Apple\iPhone Configuration Web Utility\iPhoneConfigurationWebUtilityService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe

C:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\Binn\sqlservr.exe

C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe

C:\Program Files\SWiSH Studio2\burner\nmsaccessu.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\PDF Complete\pdfsvc.exe

c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Apple\iPhone Configuration Web Utility\ruby\bin\ruby.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\PDF Complete\pdfsty.exe

C:\WINDOWS\SMINST\Scheduler.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\UltraMon\UltraMon.exe

C:\Program Files\Common Files\AOL\1199356341\ee\AOLSoftware.exe

C:\Program Files\UltraMon\UltraMonTaskbar.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Bret Taylor\Stickies\Stickies.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: 77.251.157.112 archaosguild.com # Archaos website

O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - c:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe

O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [scheduler] C:\WINDOWS\SMINST\Scheduler.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [ultraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1199356341\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [syslog] C:\Program Files\DrayTek Router Tools V3.7.1\SyslogRd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [bar] C:\DOCUME~1\matt\LOCALS~1\Temp\snaxmrowec.tmp

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [stickies] C:\Program Files\Bret Taylor\Stickies\Stickies.exe

O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\matt\Local Settings\Application Data\FolderShare\FolderShare.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll

O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = seriousagency.net

O17 - HKLM\Software\..\Telephony: DomainName = seriousagency.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = seriousagency.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = seriousagency.net

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = seriousagency.net

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O20 - AppInit_DLLs: aqidct.dll,c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

O20 - Winlogon Notify: eddpoeij - eddpoeij.dll (file missing)

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Apple iPhone Configuration Web Utility - Apple, Inc. - C:\Program Files\Apple\iPhone Configuration Web Utility\iPhoneConfigurationWebUtilityService.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe

O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\SWiSH Studio2\burner\nmsaccessu.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

End of file - 14351 bytes

MBAM Log

Malwarebytes' Anti-Malware 1.31

Database version: 1492

Windows 5.1.2600 Service Pack 3

15/12/2008 09:34:04

mbam-log-2008-12-15 (09-34-04).txt

Scan type: Quick Scan

Objects scanned: 71342

Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati3uuxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati3uuxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ati3uuxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati3uuxx (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\ati3uuxx.sys (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\Temp\BN10.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BNE.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BNF.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

Sophos log

20081215 090715 Using detection data version 4.36E (detection engine 2.81.2). This version can detect 561704 items.

20081215 090715 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.

20081215 090825 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.

20081215 090828 Using detection data version 4.36E (detection engine 2.81.2). This version can detect 561797 items.

20081215 090828 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.

20081215 092042 File "C:\WINDOWS\Temp\BN10.tmp" belongs to virus/spyware 'Troj/Pushdo-Gen'.

20081215 092042 File "C:\WINDOWS\Temp\BN10.tmp" belongs to virus/spyware 'Mal/Pushdo-A'.

20081215 092042 On-access scanner has denied access to location "C:\WINDOWS\Temp\BN10.tmp" for user NT AUTHORITY\SYSTEM

20081215 092939 File "C:\WINDOWS\Temp\BN10.tmp" belongs to virus/spyware 'Troj/Pushdo-Gen'.

20081215 092939 File "C:\WINDOWS\Temp\BN10.tmp" belongs to virus/spyware 'Mal/Pushdo-A'.

20081215 092939 On-access scanner has denied access to location "C:\WINDOWS\Temp\BN10.tmp" for user SERIOUSAGENCY\matt

20081215 092939 File "C:\WINDOWS\Temp\BNE.tmp" belongs to virus/spyware 'Troj/Pushdo-Gen'.

20081215 092939 File "C:\WINDOWS\Temp\BNE.tmp" belongs to virus/spyware 'Mal/Pushdo-A'.

20081215 092939 On-access scanner has denied access to location "C:\WINDOWS\Temp\BNE.tmp" for user SERIOUSAGENCY\matt

20081215 092940 File "C:\WINDOWS\Temp\BNF.tmp" belongs to virus/spyware 'Troj/Agent-HNY'.

20081215 092940 On-access scanner has denied access to location "C:\WINDOWS\Temp\BNF.tmp" for user SERIOUSAGENCY\matt

20081215 093106 File "C:\WINDOWS\Temp\BN10.tmp" belongs to virus/spyware 'Troj/Pushdo-Gen'.

20081215 093106 File "C:\WINDOWS\Temp\BN10.tmp" belongs to virus/spyware 'Mal/Pushdo-A'.

20081215 093106 On-access scanner has denied access to location "C:\WINDOWS\Temp\BN10.tmp" for user SERIOUSAGENCY\matt

20081215 093403 File "C:\WINDOWS\Temp\BN10.tmp" belongs to virus/spyware 'Troj/Pushdo-Gen'.

20081215 093403 File "C:\WINDOWS\Temp\BN10.tmp" belongs to virus/spyware 'Mal/Pushdo-A'.

20081215 093403 On-access scanner has denied access to location "C:\WINDOWS\Temp\BN10.tmp" for user SERIOUSAGENCY\matt

20081215 093403 File "C:\WINDOWS\Temp\BNE.tmp" belongs to virus/spyware 'Troj/Pushdo-Gen'.

20081215 093403 File "C:\WINDOWS\Temp\BNE.tmp" belongs to virus/spyware 'Mal/Pushdo-A'.

20081215 093403 On-access scanner has denied access to location "C:\WINDOWS\Temp\BNE.tmp" for user SERIOUSAGENCY\matt

20081215 093403 File "C:\WINDOWS\Temp\BNF.tmp" belongs to virus/spyware 'Troj/Agent-HNY'.

20081215 093403 On-access scanner has denied access to location "C:\WINDOWS\Temp\BNF.tmp" for user SERIOUSAGENCY\matt

20081215 093404 File "C:\WINDOWS\Temp\BN10.tmp" belongs to virus/spyware 'Troj/Pushdo-Gen'.

20081215 093404 File "C:\WINDOWS\Temp\BN10.tmp" belongs to virus/spyware 'Mal/Pushdo-A'.

20081215 093404 On-access scanner has denied access to location "C:\WINDOWS\Temp\BN10.tmp" for user SERIOUSAGENCY\matt

20081215 093404 File "C:\WINDOWS\Temp\BNE.tmp" belongs to virus/spyware 'Troj/Pushdo-Gen'.

20081215 093404 File "C:\WINDOWS\Temp\BNE.tmp" belongs to virus/spyware 'Mal/Pushdo-A'.

20081215 093404 On-access scanner has denied access to location "C:\WINDOWS\Temp\BNE.tmp" for user SERIOUSAGENCY\matt

20081215 093404 File "C:\WINDOWS\Temp\BNF.tmp" belongs to virus/spyware 'Troj/Agent-HNY'.

20081215 093404 On-access scanner has denied access to location "C:\WINDOWS\Temp\BNF.tmp" for user SERIOUSAGENCY\matt

20081215 093537 Process 'c:\WINDOWS\system32\drivers\rqcxs.sys' exhibiting suspicious behavior pattern 'HIPS/RegMod-013'.

No action taken.

Please send a sample to Sophos.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.