
Malwarebytes

MBAM and BitDefender fail to remove Vundo Trojan


20 replies to this topic

#1
tonyb85

    New Member

  • Members
  • 10 posts
  • Gender:Male
  • Location:United States
First of all here is my OS info (in case it is needed):
Microsoft Windows XP
Media Center Edition
Version 2002
Service Pack 3

Previously I had a corporate copy of McAfee on my computer but it apparently allowed multiple viruses onto my computer. Since then I have removed McAfee and currently have a 30 day trial of BitDefender Internet Security 2010 running on the computer to hopefully prevent any further infection. I just recently disabled the computer's internet connection to avoid having viruses transmitted to other computers in my house on the same network. I downloaded MBAM and Trend Micro HijackThis and ran them and posted the logs below. Although MBAM says it does not find a Vundo trojan, BitDefender does find it (even after doing multiple MBAM scans and removals of infected files). BitDefender calls the virus "Trojan.Vundo.GMM" (without the quotes). I am not sure what I should do next (as I have tried using BitDefender and MBAM to remove the virus/es without success), any help you could offer me would be much appreciated.

Thank you in advance,
Tony

I have posted the logs from MBAM, HijackThis, and BitDefender Internet Security 2010 below (in that order).

MBAM LOG: (from Full Scan, not Quick Scan)

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/13/2009 1:11:58 AM
mbam-log-2009-10-13 (01-11-37).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 217697
Time elapsed: 59 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HijackThis LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:53 AM, on 10/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Program Files\Plaxo\3.22.0.7\PlaxoHelper_en.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Clarus\Samsung Auto Backup\ISFRealTimeD.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Clarus\Samsung Auto Backup\ISFTimerD.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.mywa...idebar.jsp?p=DE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {517a881c-e126-49ad-8c06-0e71223b6ad0} - lobebafu.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {EFD500E1-9208-48E2-873D-D3A59FEC9483} - C:\WINDOWS\security\cacafx.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.22.0.7\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [PlaxoSysTray] C:\Program Files\Plaxo\3.22.0.7\PlaxoSysTray.exe
O4 - Startup: Samsung Auto Backup Guage.lnk = ?
O4 - Startup: Samsung Auto Backup Real-Time Daemon.lnk = ?
O4 - Startup: Samsung Auto Backup Scheduler.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128006131468
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O20 - AppInit_DLLs: yiyawefo.dll
O20 - Winlogon Notify: cacafx - C:\WINDOWS\security\cacafx.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 10676 bytes


BITDEFENDER 2010 INTERNET SECURITY SCAN LOG:


BitDefender Log File

Product: BitDefender Internet Security 2010
Version: BitDefender Antivirus Scanner
Scanning task: Deep System Scan
Log date: 10/12/2009 9:40:15 PM
Log path: C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\deep_scan\1255401615_1_02.xml
Scan paths:
Path 0000: C:\
Scan Level:
Scan for viruses: Yes
Scan for adware: Yes
Scan for spyware: Yes
Scan for applications: Yes
Scan for dialers: Yes
Scan for rootkits: Yes
Scan for keyloggers: Yes
Virus Scanning Options:
Scan registry keys: Yes
Scan cookies: Yes
Scan boot sectors: Yes
Scan memory processes: Yes
Scan archives: Yes
Scan runtime packers: Yes
Scan e-mails: Yes
Scan all files: Yes
Heuristic Scan: Yes
Scanned extensions: not configured
Excluded extensions: not configured
Target Processing:
Default first action for infected objects: Disinfect
Default second action for infected objects: None
Default first action for suspect objects : None
Default second action for suspicious objects: None
Default action for hidden objects: None
Default first action for encrypted infected objects: Disinfect
Default second action for encrypted infected objects: None
Default first action for encrypted suspicious objects: None
Default second action for encrypted suspicious objects: None
Default action for password-protected objects: Log only
Scan Engines Summary
Virus signatures: 4336293
Archive plugins: 44
E-mail plugins: 6
Scan plugins: 13
System plugins: 5
Unpack plugins: 8
Basic
Scanned items: 415671
Infected items: 42
Suspect items: 0 (no suspected items have been detected)
Hidden items: 32
Resolved items: 38
Unresolved items: 36
Advanced
Skipped items: 144366
Password-protected items: 0
Over-compressed items: 0
Individual viruses found: 2
Scanned folders: 10169
Scanned boot sectors: 4
Scanned archives: 1863
Input-output errors: 0
Scanned processes: 89
Infected processes: 39
Scanned registry keys: 1264
Infected registry keys: 0
Scanned cookies: 76
Infected cookies: 0
Remaining issues:
Object Path
Threat Name
Final Status
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1016] (disk)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1412] (memory dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1412] (disk)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1412] (full dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1456] (memory dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1456] (disk)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1456] (full dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\System32\yiyawefo.dll [1504] (disk)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1916] (memory dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1916] (disk)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1916] (full dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [524] (memory dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [524] (disk)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [524] (full dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [692] (memory dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [692] (disk)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [692] (full dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1300] (memory dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1300] (disk)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1300] (full dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1888] (memory dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1888] (disk)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1888] (full dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [2128] (memory dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [2128] (disk)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [2128] (full dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [2216] (memory dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [2216] (disk)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [2216] (full dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [3836] (memory dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [3836] (disk)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [3836] (full dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [2784] (memory dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [2784] (disk)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
<System>=>C:\WINDOWS\system32\yiyawefo.dll [2784] (full dump)
Trojan.Vundo.GMM
Disinfect failed (object was not found)
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP881\A0179624.dll
Trojan.Vundo.GMM
Disinfect failed (object was not found)

Resolved issues:
Object Path
Threat Name
Final Status
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - To Your Love.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - The Way Things Are.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Paper Bag.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - On the Bound.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Love Ridden.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Limp.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - I Know.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Get Gone.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Fast as You Can.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - A Mistake.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - To Your Love.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - The Way Things Are.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Paper Bag.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - On the Bound.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Love Ridden.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Limp.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - I Know.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Get Gone.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Fast as You Can.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - A Mistake.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Lover Boy.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Give a Little Bit.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - From Now On.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - From Now On(1).mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Fool's Overture.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Fool's Overture(1).mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Even in the Quietest Moments.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Even in the Quietest Moments(1).mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Downstream.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Downstream(1).mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Babaji.mp3.bd.ren
Rootkit-Hidden items:
Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Babaji(1).mp3.bd.ren
Rootkit-Hidden items:
Renamed
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1016] (memory dump)
Trojan.Vundo.GPM
Deleted
<System>=>C:\WINDOWS\system32\yiyawefo.dll [1016] (full dump)
Trojan.Vundo.GPM
Deleted
<System>=>C:\WINDOWS\System32\yiyawefo.dll [1504] (memory dump)
Trojan.Vundo.GPM
Deleted
<System>=>C:\WINDOWS\System32\yiyawefo.dll [1504] (full dump)
Trojan.Vundo.GPM
Deleted
C:\WINDOWS\system32\yiyawefo.dll
Trojan.Vundo.GMM
Deleted after reboot
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP881\A0179680.dll
Trojan.Vundo.GMM
Deleted
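
Added example, not code from the thread or from Malwarebytes: a small Python triage helper that reads HijackThis log lines like the ones posted above and flags the entry types that matter in this case (a BHO or Winlogon Notify hook whose DLL is gone, an AppInit_DLLs value, a Trusted Zone entry, and a Run entry that is not a fully qualified path). The sample input is a constructed excerpt copied from this thread's log; severities are triage hints for a reviewer, not verdicts.

```python
"""Triage helper for HijackThis-style log lines (added example)."""
import re

# HijackThis lines look like "<section> - <body>", e.g. "O20 - AppInit_DLLs: yiyawefo.dll"
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2})\s+-\s+(?P<body>.+)$")
RUN_RE = re.compile(r"Run: \[[^\]]*\]\s*(?P<cmd>.*)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {517a881c-e126-49ad-8c06-0e71223b6ad0} - lobebafu.dll (file missing)
O2 - BHO: (no name) - {EFD500E1-9208-48E2-873D-D3A59FEC9483} - C:\WINDOWS\security\cacafx.dll (file missing)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O20 - AppInit_DLLs: yiyawefo.dll
O20 - Winlogon Notify: cacafx - C:\WINDOWS\security\cacafx.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


def classify(section, body):
    """Return (severity, reason) for one log entry, or None if nothing stands out."""
    missing = "(file missing)" in body
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:
            # AppInit_DLLs is loaded into every process that links user32.dll.
            return ("high", "AppInit_DLLs value %r is loaded into every user32 process" % value)
        return None
    if section == "O20" and body.startswith("Winlogon Notify:"):
        if missing:
            return ("high", "Winlogon Notify package registered but its DLL is missing")
        return None
    if section == "O2":
        reasons = []
        if missing:
            reasons.append("BHO registration whose DLL is missing (orphaned hook)")
        if "(no name)" in body:
            reasons.append("BHO has no display name")
        return ("medium", "; ".join(reasons)) if reasons else None
    if section == "O15":
        return ("low", "Trusted Zone entry grants that site relaxed IE security settings")
    if section == "O4":
        m = RUN_RE.search(body)
        if m:
            cmd = m.group("cmd").strip()
            qualified = cmd == "" or cmd[0] in '"%' or DRIVE_RE.match(cmd) \
                or cmd.upper().startswith("RUNDLL32")
            if not qualified:
                return ("info", "Run entry is not a fully qualified path; resolved via search order")
    return None


def triage(log_text):
    """Parse every recognisable line and return a list of findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = classify(m.group("section"), m.group("body"))
        if hit:
            findings.append({"section": m.group("section"), "line": line,
                             "severity": hit[0], "reason": hit[1]})
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s: %s" % (f["severity"], f["section"], f["reason"]))
    print(count_by_severity(triage(SAMPLE_LOG)))
```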

#2
tonyb85

    New Member

  • Members
  • 10 posts
  • Gender:Male
  • Location:United States
I wanted to add that I attempted to install Superantispyware on my computer but errors came up during the installation which prevented it from being installed. I am not sure if this is due to the viral infection. I thought it might be, as another computer I have with no infection and the same BitDefender 2010 Internet Security 30-day trial installed on it had no problem installing and running Superantispyware. Just thought I should add that, as that program seems to be recommended quite often from what I have seen on this and other virus removal forums.

#3
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006

#4
tonyb85

    New Member

  • Members
  • 10 posts
  • Gender:Male
  • Location:United States
Attached file: Attach.zip (3.77K, 25 downloads)

Thanks for offering your help, Blade. I am not sure how to disable script blocking. Searching Google it sounded like script blocking might be enabled by Internet Explorer and/or my antivirus program (BitDefender Internet Security 2010). But I was unable to quickly figure out how to disable it, so I just ran DDS. The two text documents popped up, so I'm hoping it worked correctly (although it is possible script blocking was still enabled). If I need to disable script blocker and run the program again please let me know. I have copied and pasted the DDS.txt below and attached the Attach.txt at the top of this post (as the DDS program instructed).

Thanks again,
Tony


DDS.txt


DDS (Ver_09-10-13.01) - NTFSx86
Run by Anthony at 10:55:52.79 on Sat 10/17/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1270.704 [GMT -5:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Program Files\Plaxo\3.22.0.7\PlaxoHelper_en.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Clarus\Samsung Auto Backup\ISFGuage.exe
C:\Program Files\Clarus\Samsung Auto Backup\ISFRealTimeD.exe
C:\Program Files\Clarus\Samsung Auto Backup\ISFTimerD.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Anthony\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
mURLSearchHooks: H - No File
mWinlogon: SFCDisable=4 (0x4)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {517a881c-e126-49ad-8c06-0e71223b6ad0} - lobebafu.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {efd500e1-9208-48e2-873d-d3a59fec9483} - c:\windows\security\cacafx.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
TB: {821F87FF-8245-4972-9E28-732E92EC2F51} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PlaxoUpdate] c:\program files\plaxo\3.22.0.7\PlaxoHelper_en.exe -a
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [PlaxoSysTray] c:\program files\plaxo\3.22.0.7\PlaxoSysTray.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
StartupFolder: c:\docume~1\anthony\startm~1\programs\startup\samsun~3.lnk - c:\program files\clarus\samsung auto backup\ISFGuage.exe
StartupFolder: c:\docume~1\anthony\startm~1\programs\startup\samsun~2.lnk - c:\program files\clarus\samsung auto backup\ISFRealTimeD.exe
StartupFolder: c:\docume~1\anthony\startm~1\programs\startup\samsun~1.lnk - c:\program files\clarus\samsung auto backup\ISFTimerD.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\arcsoft\media card companion\MCC Monitor.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: imageservr.com\locator.cdn
Trusted Zone: musicmatch.com\online
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128006131468
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
Notify: cacafx - c:\windows\security\cacafx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: yiyawefo.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Notification Packages = scecli talefake.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anthony\applic~1\mozilla\firefox\profiles\afmeh64m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2010\bdvedisk.sys [2009-4-1 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-9-17 152328]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-9-1 110856]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-9-13 183880]

=============== Created Last 30 ================

2009-10-13 01:23 <DIR> --d----- c:\program files\Trend Micro
2009-10-12 05:55 1,011,342 a------- c:\windows\system32\budidepu.exe
2009-10-12 01:20 132 a------- c:\windows\system32\rezumatenoi.dat
2009-10-11 22:20 16 a------- c:\windows\system32\asdict.dat
2009-10-11 22:20 4 a------- c:\windows\system32\aspdict-en.dat
2009-10-11 18:45 <DIR> --d----- c:\docume~1\anthony\applic~1\BitDefender
2009-10-11 18:44 <DIR> --d----- c:\program files\BitDefender
2009-10-11 18:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-10-11 18:43 <DIR> --d----- c:\program files\common files\BitDefender
2009-10-11 18:19 <DIR> -cd-h--- c:\windows\ie8
2009-10-11 13:34 <DIR> --d----- C:\Log
2009-10-11 13:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Clarus
2009-10-11 13:32 <DIR> --d----- c:\program files\Clarus
2009-09-18 20:25 <DIR> --d----- c:\docume~1\anthony\applic~1\Malwarebytes
2009-09-18 20:25 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-18 20:25 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-18 20:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-18 20:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 16:12 152,328 a------- c:\windows\system32\drivers\bdfm.sys
2009-09-17 16:11 105,736 a------- c:\windows\system32\drivers\bdhv.sys

==================== Find3M ====================

2009-10-11 18:03 1,011,385 a--sh--- c:\windows\system32\zufajudi.exe
2009-10-11 18:03 39,424 a--sh--- c:\windows\system32\bamukitu.dll
2009-10-11 18:03 28,160 a--sh--- c:\windows\system32\pamuyomi.dll
2009-09-01 15:24 110,856 a------- c:\windows\system32\drivers\bdfndisf.sys
2009-08-30 01:44 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-23 20:00 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2000-08-11 14:20 445,952 a------- c:\documents and settings\anthony\FCSS.EXE
2007-05-23 23:05 11,250 ---sh--- c:\windows\security\xfacac.bak1
2007-09-20 20:23 2,009,945 ---sh--- c:\windows\security\xfacac.bak2
2007-09-20 20:48 2,014,863 ---sh--- c:\windows\security\xfacac.ini2
2008-09-03 12:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 10:56:53.82 ===============
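The DDS log above is worth reading for its loader entries rather than its file list: a BHO with no display name (lobebafu.dll), a Winlogon Notify package and a second nameless BHO (cacafx.dll), an AppInit_DLLs value (yiyawefo.dll), an extra SecurityProviders entry (zwebauth.dll) and an extra LSA Notification Package (talefake.dll). Those hooks load the module into winlogon.exe, lsass.exe or every user32-linked process, which is why an on-demand scanner can report "removed" while the DLL is rewritten at next logon. The script below is an added example, not part of this thread or of DDS/ComboFix: it parses the DDS lines as pasted here and flags modules that are not in the Windows XP default set for their hook (the allowlists are my assumption), that are BHOs registered without a display name, or whose file name has the eight-letter consonant/vowel pattern visible in this log (also my heuristic, not a claim about every Vundo build). The sample log is a constructed subset of the lines above.

```python
"""Triage of DDS-style autorun lines for suspicious loader entries.

Added example, not part of the thread. Assumptions (mine): the allowlists
below are the Windows XP defaults for each hook (plus Intel's igfxdev for
Winlogon Notify), and the 'generated name' test encodes the pattern seen in
the log above (eight lowercase letters alternating consonant/vowel).
"""
import re

# Constructed sample: a subset of the DDS lines posted above.
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {517a881c-e126-49ad-8c06-0e71223b6ad0} - lobebafu.dll
BHO: {efd500e1-9208-48e2-873d-d3a59fec9483} - c:\windows\security\cacafx.dll
Notify: cacafx - c:\windows\security\cacafx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: yiyawefo.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Notification Packages = scecli talefake.dll
"""

# One regex per hook type; 'mods' captures the module field.
HOOKS = {
    "BHO": re.compile(r"^BHO: (?:(?P<name>.*?): )?\{[0-9a-f-]{36}\} - (?P<mods>.+)$", re.I),
    "Notify": re.compile(r"^Notify: (?P<name>\S+) - (?P<mods>.+)$"),
    "AppInit_DLLs": re.compile(r"^AppInit_DLLs: (?P<mods>.+)$"),
    "SecurityProviders": re.compile(r"^SecurityProviders: (?P<mods>.+)$"),
    "LSA": re.compile(r"^LSA: Notification Packages = (?P<mods>.+)$"),
}

# Separator for hooks whose value is a list of modules.
LIST_SEP = {"SecurityProviders": r"\s*,\s*", "AppInit_DLLs": r"[,\s]+", "LSA": r"\s+"}

# Known-good module stems (assumed XP defaults; BHOs have no default set).
DEFAULTS = {
    "Notify": {"crypt32", "cryptnet", "cscdll", "wlnotify", "sclgntfy", "igfxdev"},
    "AppInit_DLLs": set(),  # empty on a clean XP system
    "SecurityProviders": {"msapsspc", "schannel", "digest", "msnsspc"},
    "LSA": {"scecli"},
}

VOWELS = set("aeiou")


def module_stem(token):
    """'c:\\windows\\security\\cacafx.dll' -> 'cacafx'; 'scecli' -> 'scecli'."""
    base = token.strip().rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".dll") else base


def looks_generated(stem):
    """Eight lowercase letters, consonant/vowel alternating (lobebafu, talefake)."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))


def triage(log_text):
    """Return [(hook, stem, reason)] for every module worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for hook, rx in HOOKS.items():
            m = rx.match(line)
            if not m:
                continue
            mods = m.group("mods").strip()
            tokens = re.split(LIST_SEP[hook], mods) if hook in LIST_SEP else [mods]
            for token in tokens:
                stem = module_stem(token)
                if hook in DEFAULTS and stem not in DEFAULTS[hook]:
                    findings.append((hook, stem, "not a default %s module" % hook))
                if hook == "BHO" and not m.group("name"):
                    findings.append((hook, stem, "BHO registered without a display name"))
                if looks_generated(stem):
                    findings.append((hook, stem, "machine-generated-looking file name"))
            break  # a line matches at most one hook
    return findings


def flagged(log_text):
    """Sorted list of module stems that got at least one finding."""
    return sorted({stem for _, stem, _ in triage(log_text)})


if __name__ == "__main__":
    for hook, stem, reason in triage(SAMPLE_LOG):
        print("%-18s %-10s %s" % (hook, stem, reason))
```

Run against the sample, the five stems flagged are exactly the ones ComboFix and BitDefender were fighting over (cacafx, lobebafu, talefake, yiyawefo, zwebauth), while the Adobe, Intel and Microsoft modules pass. The allowlist check does the real work; the name heuristic only adds a second reason for the Vundo-style entries, so a renamed dropper would still be caught by the first rule.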

#5
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
Hi Tony,

That's ok. If the blocker had been active then you wouldn't have been able to create DDS logs at all :D


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingc...to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.


  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006

#6
tonyb85

    New Member

  • Members
  • 10 posts
  • Gender:Male
  • Location:United States
Blade,

I have a few questions that I would like to have answered before I run ComboFix. I just want to make sure that everything is being done properly, as I have seen numerous warnings of how improper use of ComboFix can ruin a computer. First, I want you to know that I have fully read through the "instructions for running ComboFix tool" AND the thread on "How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs" at the links you provided at www.bleepingcomputer.com. Now for the questions. Sorry they are a bit detailed, but I just want to be sure I am doing everything right. I will number them just to keep them organized; in total there are 4 questions (the first 3 have lengthy descriptions).

QUESTIONS

1) This question is not directly related to ComboFix, but just about the help you are giving me in general. I noticed the following comment in the thread on "How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs" posted by "Animal", one of the BleepingComputer Site Administrators:

"I see you have a HJT log properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer. From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean."

My question is: Should I not be doing any more scans with BitDefender Internet Security 2010 to remove viruses/malware? I have done at least one scan (probably more like three or more) since I first asked for help on this site. Every time I do a scan BitDefender finds infected files and some of them it can delete or quarantine, but there are always some infected files that are unable to be deleted or quarantined. I don't want to make things more difficult/confusing for you. Please let me know.

2) This question is in regards to the instructions for disabling BitDefender given in the thread "How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs." I realize that is not your thread and that you may not use or be very familiar with BitDefender. Hopefully you can still answer this question though. The instructions that thread gives with regard to BitDefender is only how to disable the BitDefender Antivirus Shield. This is only one part of BitDefender's Internet Security. When I open BitDefender Internet Security 2010 (I am using the 30-day trial mode) by double-clicking the icon in the System Tray (using the advanced view where I can control all aspects of BitDefender's Internet Security), there are 12 tabs with the various internet security-related topics. Many of the tabs have options to disable various parts of the internet security - not just the Antivirus Tab which only allows the Antivirus Shield to be disabled. I will list the 12 Tabs below with the options they give for disabling certain parts of the internet security:

I) General - IRRELEVANT - no options for disabling internet security
II) Antivirus - Option to disable the Antivirus Shield Real-time protection
III) Antispam - Option to disable Antispam Real-time protection
IV) Parental Control - IRRELEVANT - no options for disabling internet security
V) Privacy Control - Option to disable Privacy Control (**see below for details on Privacy Control)
VI) Firewall - Option to disable Firewall
VII) Vulnerability - Option to disable Automatic Vulnerability Checking
VIII) Encryption - Option to disable IM Encryption
IX) Game/Laptop Mode - Option to turn off "Automatic Game Mode" Antivirus protection (not sure if this is relevant)
X) Home Network - IRRELEVANT - no options for disabling internet security
XI) Update - Option to disable Automatic Update for BitDefender (not sure if this is relevant)
XII) Registration - IRRELEVANT - no options for disabling internet security

**Privacy Control includes: Identity information blocking, Registry access attempt blocking, Cookie blocking, and Script blocking

My question is: What else should I disable in addition to the Antivirus shield? Should I just disable everything that I have not listed as "IRRELEVANT" to the Internet Security?

3) I ended up just disabling every BitDefender tab that I did not consider "IRRELEVANT" and attempted to run ComboFix. Unfortunately the initial steps of it did not seem to go exactly as explained in the ComboFix instructions on www.bleepingcomputer.com. As instructed, I closed all windows and then double-clicked the ComboFix.exe icon on my desktop. I then clicked the "Run" button at the Windows Open File Security Warning. After that, the first thing I saw happen was a little loading progress bar (about 2x5cm in size) pop up in the middle of the screen. Once that loading bar reached complete/full, my BitDefender Internet Security 2010 window opened (this is the same window that would normally open when I double-click the BitDefender Icon in my system tray - it was closed before I double-clicked ComboFix.exe, as instructed). After that my computer tower made two loud beeps (my tower, not my speakers). None of those things are mentioned as happening on the BleepingComputer's Instruction thread. The next thing that happened was that the ComboFix Disclaimer Screen (as shown in the thread) popped up. At that point I selected the "No" option because I was worried that things were not working properly and I wanted to check with you first. I repeated the same steps to get to the disclaimer screen (as instructed) about 5 times and each time things happened exactly as I have just explained. I have listed multiple questions related to this situation below.

My questions are:
I) Why do I never see the first blue "ComboFix is Preparing to Run" screen mentioned in the instructions at www.bleepingcomputer.com?
II) Are the things I am seeing/hearing normal - the loading progress bar, my internet security being opened either by itself or by ComboFix, the two beeps?
III) If the BitDefender Internet Security 2010 window opening is okay to have happen, should I close it before I click "Yes" at the disclaimer screen - or just leave it open?

4) My last question is short:
With all my BitDefender Internet Security 2010 disabled, is it safe to stay connected to the internet as requested in the ComboFix instruction thread? It says I need to be connected to the internet so that the Windows Recovery Console can be downloaded while ComboFix is doing its job. But I don't want to leave myself open to more viruses/malware and further infection of my computer. I noticed that there are also instructions for manually installing the Windows Recovery Console, but does ComboFix still need to have internet access to do its job?

Thank you very much again for sharing your time and expertise. I really appreciate your help.

#7
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
Shorter responses from my side :blink:

1) Yep, don't run any other scans than instructed during the cleaning process.
2) & 3) If you're able to turn off whole bitdefender do so.
4) You may keep it connected during ComboFix run.
Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006

#8
tonyb85

    New Member

  • Members
  • 10 posts
  • Gender:Male
  • Location:United States
Attached File  10_19_09_Attach.txt   13.4K   24 downloads

I just decided to uninstall BitDefender to make sure that it would not interfere with ComboFix. I will just leave it uninstalled until you are done helping me, so that it doesn't run any more automated scans that might confuse you. The only protection I have running now is the Windows Firewall (I turned it on after I ran ComboFix). I was not sure if you needed the new Attach.txt file included in this post, so I just put it in just in case.

The new Attach.zip file is at the beginning of this post. The ComboFix Log and new DDS Log are posted below in that order.

ComboFix Log

ComboFix 09-10-19.01 - Anthony 10/19/2009 21:09.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1270.846 [GMT -5:00]
Running from: c:\documents and settings\Anthony\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\mm.BOT
c:\program files\mm.BOT\Config\KeySet-1\amblxbow.cof
c:\program files\mm.BOT\Config\KeySet-1\curindx.wav
c:\program files\mm.BOT\Config\KeySet-1\wavindx.wav
c:\program files\mm.BOT\Config\KeySet-2\amblxbow.cof
c:\program files\mm.BOT\Config\KeySet-2\curindx.wav
c:\program files\mm.BOT\Config\KeySet-2\wavindx.wav
c:\program files\mm.BOT\Config\System\mm.PKID.Usr.CH
c:\program files\mm.BOT\Config\System\mm.PKID.Usr.ID
c:\program files\mm.BOT\Config\System\mm.PKID.Usr.PK
c:\program files\mm.BOT\Logs\Compiler.txt
c:\program files\mm.BOT\Logs\Picked_Items.txt
c:\program files\mm.BOT\Logs\ScanDrop_Items.txt
c:\program files\mm.BOT\Logs\Sold_Items.txt
c:\windows\Installer\6cf86.msp
c:\windows\security\xfacac.bak1
c:\windows\security\xfacac.bak2
c:\windows\security\xfacac.ini
c:\windows\security\xfacac.ini2
c:\windows\security\xfacac.tmp
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\29358.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\acabrqdd.ini
c:\windows\system32\adtsgqot.ini
c:\windows\system32\advewkqt.ini
c:\windows\system32\aeoetwhh.ini
c:\windows\system32\affsyiev.ini
c:\windows\system32\anicojte.ini
c:\windows\system32\awntacmc.ini
c:\windows\system32\axektgol.ini
c:\windows\system32\bbjfjekq.ini
c:\windows\system32\bsjmoyda.ini
c:\windows\system32\bszip.dll
c:\windows\system32\bvycpbmv.ini
c:\windows\system32\bxoaudkv.ini
c:\windows\system32\caqbjgnx.ini
c:\windows\system32\cccjemng.ini
c:\windows\system32\cepeupya.ini
c:\windows\system32\cidvlpgc.ini
c:\windows\system32\crbxbltm.ini
c:\windows\system32\dnrkeexg.ini
c:\windows\system32\dopgsiii.ini
c:\windows\system32\dselxscf.ini
c:\windows\system32\dusawgtd.ini
c:\windows\system32\dxiqffva.ini
c:\windows\system32\dyhjgweq.ini
c:\windows\system32\dywahuno.ini
c:\windows\system32\eaxbeuyr.ini
c:\windows\system32\eedyiljh.ini
c:\windows\system32\eftsekth.ini
c:\windows\system32\egrpsohj.ini
c:\windows\system32\esirnpbw.ini
c:\windows\system32\essgrvtk.ini
c:\windows\system32\etsohqmc.ini
c:\windows\system32\fafsmyki.ini
c:\windows\system32\ffjbjgoy.ini
c:\windows\system32\ggvjmxoe.ini
c:\windows\system32\ghambqve.ini
c:\windows\system32\ghkykjbn.ini
c:\windows\system32\glcihujm.ini
c:\windows\system32\gpxabfbc.ini
c:\windows\system32\gqnyphnt.ini
c:\windows\system32\gtdhlgnf.ini
c:\windows\system32\gwflggmx.ini
c:\windows\system32\hcqxjffw.ini
c:\windows\system32\hihknxxx.ini
c:\windows\system32\hkwkyqoh.ini
c:\windows\system32\hlwsefvi.ini
c:\windows\system32\hseqmbro.ini
c:\windows\system32\ibwgptqr.ini
c:\windows\system32\iecjqytj.ini
c:\windows\system32\ifvrvvby.ini
c:\windows\system32\iinsvwko.ini
c:\windows\system32\iksbihoa.ini
c:\windows\system32\inyqeawo.ini
c:\windows\system32\jfhfwpyd.ini
c:\windows\system32\jglsjkbf.ini
c:\windows\system32\jhnuswde.ini
c:\windows\system32\jidndeaj.ini
c:\windows\system32\jodtweri.ini
c:\windows\system32\jrrvuxkh.ini
c:\windows\system32\jtppoaft.ini
c:\windows\system32\jwqqweet.ini
c:\windows\system32\kjomkvkh.ini
c:\windows\system32\klfybiij.ini
c:\windows\system32\lfwcygpl.ini
c:\windows\system32\ljtfxdox.ini
c:\windows\system32\lqdrbvkd.ini
c:\windows\system32\lrvsydhj.ini
c:\windows\system32\lsgapxej.ini
c:\windows\system32\lttkbuwn.ini
c:\windows\system32\lvckhxcf.ini
c:\windows\system32\lwotxtvq.ini
c:\windows\system32\lwyndixx.ini
c:\windows\system32\mjvtxonk.ini
c:\windows\system32\mmqslbgm.ini
c:\windows\system32\mpnqdmts.ini
c:\windows\system32\msigbden.ini
c:\windows\system32\mxmbpjir.ini
c:\windows\system32\myuivvlt.ini
c:\windows\system32\nhrfrpdv.ini
c:\windows\system32\njbkosig.ini
c:\windows\system32\nryskwar.ini
c:\windows\system32\nwirsyxc.ini
c:\windows\system32\ocxhnjrj.ini
c:\windows\system32\ofqpowyv.ini
c:\windows\system32\ohfrbxwa.ini
c:\windows\system32\oipsymrl.ini
c:\windows\system32\oksglwan.ini
c:\windows\system32\omaudfkn.ini
c:\windows\system32\palxjwll.ini
c:\windows\system32\pbcqbkin.ini
c:\windows\system32\pqpsaxea.ini
c:\windows\system32\qcytcxqt.ini
c:\windows\system32\qsbechhi.ini
c:\windows\system32\reyvmdjc.ini
c:\windows\system32\rlbovlim.ini
c:\windows\system32\rwborumv.ini
c:\windows\system32\sivaboqi.ini
c:\windows\system32\sjhkfgni.ini
c:\windows\system32\smlkpjhf.ini
c:\windows\system32\smqmdsmo.ini
c:\windows\system32\smucmxcq.ini
c:\windows\system32\snrgrbht.ini
c:\windows\system32\sntueuql.ini
c:\windows\system32\spdnpatf.ini
c:\windows\system32\spyjcgcp.ini
c:\windows\system32\syvovyvm.ini
c:\windows\system32\tqjdvqcc.ini
c:\windows\system32\trlytqxx.ini
c:\windows\system32\twfjcata.ini
c:\windows\system32\ufpphkee.ini
c:\windows\system32\ugdjdwhg.ini
c:\windows\system32\ukugmkvs.ini
c:\windows\system32\uomtuvbe.ini
c:\windows\system32\uqglonoo.ini
c:\windows\system32\urpnvgan.ini
c:\windows\system32\vabwwbfu.ini
c:\windows\system32\vcgrdclu.ini
c:\windows\system32\vgcrmcal.ini
c:\windows\system32\vgsligxh.ini
c:\windows\system32\voaflsku.ini
c:\windows\system32\vpgetrda.ini
c:\windows\system32\vrwcwtpl.ini
c:\windows\system32\vupxhkge.ini
c:\windows\system32\vvdddsne.ini
c:\windows\system32\vwpwerlr.ini
c:\windows\system32\wcvaghft.ini
c:\windows\system32\welnnybg.ini
c:\windows\system32\wsbsjcva.ini
c:\windows\system32\wsduajrw.ini
c:\windows\system32\wxbvuxyd.ini
c:\windows\system32\wytijxtw.ini
c:\windows\system32\xhwnhcvx.ini
c:\windows\system32\xhylkynb.ini
c:\windows\system32\xifopdpn.ini
c:\windows\system32\xukgkdvk.ini
c:\windows\system32\yekvraes.ini
c:\windows\system32\ymmdssfg.ini
c:\windows\system32\ypsjwiof.ini
c:\windows\system32\zufajudi.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2009-09-20 to 2009-10-20 )))))))))))))))))))))))))))))))
.

2009-10-17 16:15 . 2009-10-17 16:17 -------- d-----w- c:\documents and settings\Anthony\Local Settings\Application Data\WinZip
2009-10-17 16:14 . 2009-10-17 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-10-13 06:23 . 2009-10-13 06:23 -------- d-----w- c:\program files\Trend Micro
2009-10-12 10:55 . 2009-10-12 11:22 1011342 ----a-w- c:\windows\system32\budidepu.exe
2009-10-12 06:20 . 2009-10-20 01:55 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2009-10-12 03:20 . 2009-10-12 03:20 4 ----a-w- c:\windows\system32\aspdict-en.dat
2009-10-12 03:20 . 2009-10-12 03:20 16 ----a-w- c:\windows\system32\asdict.dat
2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\wsbl.dat
2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\ph_white.dat
2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\ph_summ.dat
2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\ph_black.dat
2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\pcwords2.dat
2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\pcwords.dat
2009-10-11 23:44 . 2009-10-20 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-10-11 23:44 . 2009-10-11 23:44 -------- d-----w- c:\program files\BitDefender
2009-10-11 23:43 . 2009-10-20 01:57 -------- d-----w- c:\program files\Common Files\BitDefender
2009-10-11 23:19 . 2009-10-11 23:29 -------- dc-h--w- c:\windows\ie8
2009-10-11 18:34 . 2009-10-11 18:34 -------- d-----w- C:\Log
2009-10-11 18:34 . 2009-10-11 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Clarus
2009-10-11 18:32 . 2009-10-11 18:32 -------- d-----w- c:\program files\Clarus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 02:16 . 2005-10-03 18:09 -------- d-----w- c:\program files\Plaxo
2009-10-20 01:51 . 2007-08-18 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-17 17:12 . 2005-09-10 05:49 -------- d-----w- c:\program files\Java
2009-10-13 00:32 . 2007-09-21 01:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-11 22:57 . 2005-09-19 14:17 98840 ----a-w- c:\documents and settings\Anthony\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 18:32 . 2005-09-10 05:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-19 01:25 . 2009-09-19 01:25 -------- d-----w- c:\documents and settings\Anthony\Application Data\Malwarebytes
2009-09-19 01:25 . 2009-09-19 01:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 01:25 . 2009-09-19 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-11 14:18 . 2004-08-19 20:49 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-09-19 01:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-19 01:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-19 20:49 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 13:01 . 2008-03-28 08:32 -------- d-----w- c:\program files\Diablo II
2009-08-29 08:08 . 2004-08-19 20:49 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-19 20:50 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-24 01:00 . 2009-08-24 00:57 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-08-23 08:06 . 2009-08-23 08:06 -------- d-----w- c:\program files\MSBuild
2009-08-23 08:06 . 2009-08-23 08:06 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 00:24 . 2004-08-19 21:04 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-19 21:04 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-09-29 15:02 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-19 21:04 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-19 21:04 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-19 20:49 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-19 21:04 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2004-08-19 21:04 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-19 20:49 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-19 20:49 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 03:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 20:23 . 2009-08-30 06:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-14 03:10 . 2009-10-11 23:48 46592 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2008-03-28 06:26 . 2006-01-20 21:14 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-03-28 06:26 . 2006-01-20 21:14 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-03-28 06:26 . 2007-07-07 02:12 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-03-28 06:26 . 2007-07-07 02:12 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-03-28 06:26 . 2006-01-20 21:14 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2006-04-27 06:28 . 2006-04-27 03:59 652493 --sh--w- c:\windows\system32\rqtss.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"PlaxoUpdate"="c:\program files\Plaxo\3.22.0.7\PlaxoHelper_en.exe" [2009-07-10 378951]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-18 68856]
"PlaxoSysTray"="c:\program files\Plaxo\3.22.0.7\PlaxoSysTray.exe" [2009-07-10 20480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-24 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-24 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-09-10 98304]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\STSYSTRA.EXE [2005-03-23 339968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-01-24 1622016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-9-10 24576]
Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2006-6-20 110592]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Anthony^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Anthony\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Anthony^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]
path=c:\documents and settings\Anthony\Start Menu\Programs\Startup\Registration Ghost Recon Advanced Warfighter.LNK
backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138147086\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138147086\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2_dedicated.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-10-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-18 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: imageservr.com\locator.cdn
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Anthony\Application Data\Mozilla\Firefox\Profiles\afmeh64m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{517a881c-e126-49ad-8c06-0e71223b6ad0} - lobebafu.dll
BHO-{EFD500E1-9208-48E2-873D-D3A59FEC9483} - c:\windows\security\cacafx.dll
HKCU-Run-Aim6 - (no file)
Notify-cacafx - c:\windows\security\cacafx.dll
AddRemove-AOL Instant Messenger - c:\program files\AIM\uninstll.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-19 21:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1504)
c:\windows\system32\WININET.dll
c:\program files\Plaxo\3.22.0.7\plx_hook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\combofix\CF3621.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-10-20 21:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-20 02:25

Pre-Run: 79,506,972,672 bytes free
Post-Run: 79,240,556,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 95FD409BC2DCBA38E2FC5014754063EF


New DDS Log


DDS (Ver_09-10-13.01) - NTFSx86
Run by Anthony at 21:42:06.55 on Mon 10/19/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1270.809 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Plaxo\3.22.0.7\PlaxoHelper_en.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Anthony\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PlaxoUpdate] c:\program files\plaxo\3.22.0.7\PlaxoHelper_en.exe -a
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [PlaxoSysTray] c:\program files\plaxo\3.22.0.7\PlaxoSysTray.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\arcsoft\media card companion\MCC Monitor.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: imageservr.com\locator.cdn
Trusted Zone: musicmatch.com\online
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128006131468
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
Notify: igfxcui - igfxdev.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anthony\applic~1\mozilla\firefox\profiles\afmeh64m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-19 21:06 <DIR> a-dshr-- C:\cmdcons
2009-10-19 21:05 236,544 a------- c:\windows\PEV.exe
2009-10-19 21:05 161,792 a------- c:\windows\SWREG.exe
2009-10-19 21:05 98,816 a------- c:\windows\sed.exe
2009-10-13 01:23 <DIR> --d----- c:\program files\Trend Micro
2009-10-12 05:55 1,011,342 a------- c:\windows\system32\budidepu.exe
2009-10-12 01:20 132 a------- c:\windows\system32\rezumatenoi.dat
2009-10-11 22:20 16 a------- c:\windows\system32\asdict.dat
2009-10-11 22:20 4 a------- c:\windows\system32\aspdict-en.dat
2009-10-11 18:44 <DIR> --d----- c:\program files\BitDefender
2009-10-11 18:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-10-11 18:43 <DIR> --d----- c:\program files\common files\BitDefender
2009-10-11 18:19 <DIR> -cd-h--- c:\windows\ie8
2009-10-11 13:34 <DIR> --d----- C:\Log
2009-10-11 13:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Clarus
2009-10-11 13:32 <DIR> --d----- c:\program files\Clarus

==================== Find3M ====================

2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 09:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 16:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 05:35 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 03:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-23 20:00 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 10:13 2,145,280 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 10:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 09:20 2,023,936 -------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 09:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 09:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-07-31 15:23 411,368 a------- c:\windows\system32\deploytk.dll
2000-08-11 14:20 445,952 a------- c:\documents and settings\anthony\FCSS.EXE
2008-09-03 12:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 21:42:18.46 ===============

#9
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
Hi,

Are you familiar with c:\documents and settings\anthony\FCSS.EXE file?


Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\budidepu.exe
c:\windows\system32\rezumatenoi.dat
c:\windows\system32\rqtss.tmp
DDS::
Trusted Zone: imageservr.com\locator.cdn


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[Image: CFScript being dragged onto ComboFix.exe]

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.2) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check free readers introduced here.



Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here. A fresh version can be obtained here.


Uninstall these vulnerable Javas:
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 5
Java™ 6 Update 7




Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


* Go here to run an online scanner from ESET.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • Make sure that the option Remove found threats is UNchecked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006

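A small triage helper, added here as an example and not part of Blade81's post or of ComboFix/DDS: it parses ComboFix file-listing lines of the form seen in the logs above, flags loose files in system32 that carry hidden+system attributes (as rqtss.tmp does) or that are executables created after a cutoff date (as budidepu.exe), and reads EnableFirewall from the standardprofile key that the log shows set to 0. Assumptions: the first timestamp on a line is last-write and the second creation time, the attribute letters read as d/c/s/h/a/w, and the sample lines are copied from the logs above or constructed in the same format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# One ComboFix file-listing line, as in the "Files Created" / "Find3M Report"
# sections: "<last-write> . <created> <size|--------> <attrs> <path>".
# Reading the first stamp as last-write and the second as creation time is an
# assumption about the format, as is the attribute lettering (d c s h a w).
FILE_LINE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) "
    r"(?P<attrs>[a-z-]{8}) "
    r"(?P<path>.+)$"
)

SYSTEM32 = "c:\\windows\\system32\\"
FIREWALL_KEY = "[hklm\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]"


@dataclass
class Entry:
    mtime: str           # last-write stamp, "YYYY-MM-DD HH:MM"
    ctime: str           # creation stamp
    size: Optional[int]  # None for directories ("--------")
    attrs: Set[str]      # attribute letters present, e.g. {"s", "h", "w"}
    path: str            # lower-cased path

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one file-listing line; return None for any other log line."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    attrs = {ch for ch in m["attrs"] if ch != "-"}
    return Entry(m["mtime"], m["ctime"], size, attrs, m["path"].lower())


def loose_in_system32(path: str) -> bool:
    """True for a file directly in system32, not in a subfolder such as drivers."""
    return path.startswith(SYSTEM32) and "\\" not in path[len(SYSTEM32):]


def triage(log_lines: List[str], cutoff: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for files that deserve a second look.

    cutoff is "YYYY-MM-DD": executables created in system32 on or after it are
    flagged. These are review candidates, not verdicts; legitimate updates can
    land there too, so compare against known-good file lists before acting.
    """
    findings = []
    for line in log_lines:
        e = parse_entry(line)
        if e is None or e.is_dir:
            continue
        reasons = []
        if loose_in_system32(e.path):
            if {"s", "h"} <= e.attrs:
                reasons.append("hidden+system attributes on a loose file in system32")
            if e.ctime[:10] >= cutoff and e.path.endswith((".exe", ".dll", ".sys")):
                reasons.append(f"executable created in system32 on {e.ctime[:10]}")
        if reasons:
            findings.append((e.path, reasons))
    return findings


def firewall_disabled(log_lines: List[str]) -> bool:
    """True when the standardprofile key in the log shows EnableFirewall = 0."""
    in_section = False
    for line in log_lines:
        s = line.strip()
        if s.startswith("["):
            in_section = s.lower() == FIREWALL_KEY
        elif in_section and s.startswith('"EnableFirewall"'):
            return s.split("=", 1)[1].strip().startswith("0")
    return False


# Constructed sample: lines copied from the logs above plus one line for
# budidepu.exe written in ComboFix format (that file appears above only in the
# DDS log and the CFScript).
SAMPLE_LOG = r"""
2009-10-12 03:20 . 2009-10-12 03:20 16 ----a-w- c:\windows\system32\asdict.dat
2009-10-11 23:19 . 2009-10-11 23:29 -------- dc-h--w- c:\windows\ie8
2009-10-12 10:55 . 2009-10-12 10:55 1011342 ----a-w- c:\windows\system32\budidepu.exe
2006-04-27 06:28 . 2006-04-27 03:59 652493 --sh--w- c:\windows\system32\rqtss.tmp
2009-09-11 14:18 . 2004-08-19 20:49 136192 ----a-w- c:\windows\system32\msv1_0.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
""".strip().splitlines()

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG, "2009-10-01"):
        print(path, "->", "; ".join(reasons))
    print("Windows Firewall disabled:", firewall_disabled(SAMPLE_LOG))
```

Against the sample, msv1_0.dll is not flagged because its creation stamp predates the cutoff even though its last-write is recent, which is the pattern a security update leaves.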
#10
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
Ron Lewis
Manager, Online Support


Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#11
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Post reopened at user request.
Ron Lewis
Manager, Online Support


#12
tonyb85

    New Member

  • Members
  • 10 posts
  • Gender:Male
  • Location:United States
Attached File: 11_01_09_Attach.zip (3.79K)

Blade,

Sorry, I have been really busy with work and family this past week and have not been able to get back to working on my problem computer. I really do appreciate your help though, and will make sure to post my future replies to your posts more quickly.

To answer your question, I am not familiar with the C:\documents and settings\anthony\FCSS.EXE file.

I ran ComboFix as instructed, by dragging the CFScript file onto ComboFix.exe. I uninstalled the old version of Adobe Reader I had and downloaded the new 9.2 version. I updated Adobe Flash for Internet Explorer. Since I no longer use Firefox, I just uninstalled Firefox rather than updating its Adobe Flash. I also uninstalled the vulnerable Java versions as instructed. I ran ATF Cleaner.exe under both the "Main" and "Firefox" tabs (I uninstalled Firefox before that, but it still seemed to remove some files that Firefox had left on the computer). Lastly, I ran the online scanner from ESET. On the screen that had the option to check/uncheck "Remove found threats" it also had the option to check/uncheck "Scan archives". As you instructed, I unchecked the "Remove found threats" option. But I wasn't sure if I was supposed to check the "Scan archives" option, so I just left it unchecked. If that was not right, please let me know and I can re-run the ESET scanner.

At the top of this post I attached the new attach.zip file. Below I pasted the new logs for ComboFix, DDS, and the ESET Online Scanner, in that order. Thank you again for all of your help.


New ComboFix Log (dragging CFScript onto ComboFix.exe)

ComboFix 09-10-30.01 - Anthony 10/31/2009 22:11.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1270.828 [GMT -5:00]
Running from: c:\documents and settings\Anthony\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Anthony\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\windows\system32\budidepu.exe"
"c:\windows\system32\rezumatenoi.dat"
"c:\windows\system32\rqtss.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\budidepu.exe
c:\windows\system32\rezumatenoi.dat
c:\windows\system32\rqtss.tmp

.
((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2009-10-17 16:15 . 2009-10-17 16:17 -------- d-----w- c:\documents and settings\Anthony\Local Settings\Application Data\WinZip
2009-10-17 16:14 . 2009-10-17 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-10-13 06:23 . 2009-10-13 06:23 -------- d-----w- c:\program files\Trend Micro
2009-10-12 03:20 . 2009-10-12 03:20 4 ----a-w- c:\windows\system32\aspdict-en.dat
2009-10-12 03:20 . 2009-10-12 03:20 16 ----a-w- c:\windows\system32\asdict.dat
2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\wsbl.dat
2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\ph_white.dat
2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\ph_summ.dat
2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\ph_black.dat
2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\pcwords2.dat
2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\pcwords.dat
2009-10-11 23:44 . 2009-10-20 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-10-11 23:44 . 2009-10-11 23:44 -------- d-----w- c:\program files\BitDefender
2009-10-11 23:43 . 2009-10-20 01:57 -------- d-----w- c:\program files\Common Files\BitDefender
2009-10-11 23:19 . 2009-10-11 23:29 -------- dc-h--w- c:\windows\ie8
2009-10-11 18:34 . 2009-10-11 18:34 -------- d-----w- C:\Log
2009-10-11 18:34 . 2009-10-11 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Clarus
2009-10-11 18:32 . 2009-10-11 18:32 -------- d-----w- c:\program files\Clarus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-01 01:54 . 2007-08-18 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-01 01:54 . 2005-10-03 18:09 -------- d-----w- c:\program files\Plaxo
2009-10-17 17:12 . 2005-09-10 05:49 -------- d-----w- c:\program files\Java
2009-10-13 00:32 . 2007-09-21 01:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-11 22:57 . 2005-09-19 14:17 98840 ----a-w- c:\documents and settings\Anthony\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 18:32 . 2005-09-10 05:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-19 01:25 . 2009-09-19 01:25 -------- d-----w- c:\documents and settings\Anthony\Application Data\Malwarebytes
2009-09-19 01:25 . 2009-09-19 01:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 01:25 . 2009-09-19 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-11 14:18 . 2004-08-19 20:49 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-09-19 01:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-19 01:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-19 20:49 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 13:01 . 2008-03-28 08:32 -------- d-----w- c:\program files\Diablo II
2009-08-29 08:08 . 2004-08-19 20:49 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-19 20:50 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-24 01:00 . 2009-08-24 00:57 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-08-07 00:24 . 2004-08-19 21:04 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-19 21:04 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-09-29 15:02 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-19 21:04 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-19 21:04 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-19 20:49 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-19 21:04 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2004-08-19 21:04 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-19 20:49 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-19 20:49 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-09-14 03:10 . 2009-10-11 23:48 46592 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2008-03-28 06:26 . 2006-01-20 21:14 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-03-28 06:26 . 2006-01-20 21:14 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-03-28 06:26 . 2007-07-07 02:12 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-03-28 06:26 . 2007-07-07 02:12 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-03-28 06:26 . 2006-01-20 21:14 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"PlaxoUpdate"="c:\program files\Plaxo\3.22.0.7\PlaxoHelper_en.exe" [2009-07-10 378951]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-18 68856]
"PlaxoSysTray"="c:\program files\Plaxo\3.22.0.7\PlaxoSysTray.exe" [2009-07-10 20480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-24 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-24 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-09-10 98304]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\STSYSTRA.EXE [2005-03-23 339968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-01-24 1622016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-9-10 24576]
Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2006-6-20 110592]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Anthony^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Anthony\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Anthony^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]
path=c:\documents and settings\Anthony\Start Menu\Programs\Startup\Registration Ghost Recon Advanced Warfighter.LNK
backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138147086\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138147086\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2_dedicated.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=


--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - GTNDIS5
*NewlyCreated* - MBR
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-18 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Anthony\Application Data\Mozilla\Firefox\Profiles\afmeh64m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-31 22:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-01 22:19
ComboFix-quarantined-files.txt 2009-11-01 03:19
ComboFix2.txt 2009-10-20 02:25

Pre-Run: 79,421,681,664 bytes free
Post-Run: 79,383,916,544 bytes free

- - End Of File - - 55B6C7188D37575FA7223629B44B562B


New DDS Log


DDS (Ver_09-10-13.01) - NTFSx86
Run by Anthony at 0:13:45.50 on Sun 11/01/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1270.798 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Plaxo\3.22.0.7\PlaxoHelper_en.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Anthony\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PlaxoUpdate] c:\program files\plaxo\3.22.0.7\PlaxoHelper_en.exe -a
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [PlaxoSysTray] c:\program files\plaxo\3.22.0.7\PlaxoSysTray.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\arcsoft\media card companion\MCC Monitor.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128006131468
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
Notify: igfxcui - igfxdev.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-31 23:11 <DIR> --d----- c:\program files\ESET
2009-10-31 22:09 77,312 a------- c:\windows\MBR.exe
2009-10-31 22:09 <DIR> --d----- C:\ComboFix
2009-10-19 21:06 <DIR> a-dshr-- C:\cmdcons
2009-10-19 21:05 236,544 a------- c:\windows\PEV.exe
2009-10-19 21:05 161,792 a------- c:\windows\SWREG.exe
2009-10-19 21:05 98,816 a------- c:\windows\sed.exe
2009-10-13 01:23 <DIR> --d----- c:\program files\Trend Micro
2009-10-11 22:20 16 a------- c:\windows\system32\asdict.dat
2009-10-11 22:20 4 a------- c:\windows\system32\aspdict-en.dat
2009-10-11 18:44 <DIR> --d----- c:\program files\BitDefender
2009-10-11 18:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-10-11 18:43 <DIR> --d----- c:\program files\common files\BitDefender
2009-10-11 18:19 <DIR> -cd-h--- c:\windows\ie8
2009-10-11 13:34 <DIR> --d----- C:\Log
2009-10-11 13:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Clarus
2009-10-11 13:32 <DIR> --d----- c:\program files\Clarus

==================== Find3M ====================

2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 09:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 16:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 05:35 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 03:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-23 20:00 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 10:13 2,145,280 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 10:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 09:20 2,023,936 -------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 09:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 09:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2000-08-11 14:20 445,952 a------- c:\documents and settings\anthony\FCSS.EXE
2008-09-03 12:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 0:14:06.29 ===============


ESET Online Scanner Log


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=153bca6eddf4cc4f914c03ebe72538c2
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-01 05:05:54
# local_time=2009-11-01 12:05:54 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 712557 712557 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=120195
# found=284
# cleaned=0
# scan_time=2789
C:\Qoobox\Quarantine\C\WINDOWS\security\xfacac.bak1.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\security\xfacac.bak2.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\security\xfacac.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\security\xfacac.ini2.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\security\xfacac.tmp.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\acabrqdd.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\adtsgqot.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\advewkqt.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\aeoetwhh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\affsyiev.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\anicojte.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\awntacmc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\axektgol.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\bbjfjekq.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\bsjmoyda.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\bvycpbmv.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\bxoaudkv.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\caqbjgnx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\cccjemng.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\cepeupya.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\cidvlpgc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\crbxbltm.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\dnrkeexg.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\dopgsiii.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\dselxscf.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\dusawgtd.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\dxiqffva.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\dyhjgweq.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\dywahuno.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\eaxbeuyr.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\eedyiljh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\eftsekth.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\egrpsohj.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\esirnpbw.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\essgrvtk.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\etsohqmc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\fafsmyki.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ffjbjgoy.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ggvjmxoe.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ghambqve.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ghkykjbn.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\glcihujm.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\gpxabfbc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\gqnyphnt.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\gtdhlgnf.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\gwflggmx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\hcqxjffw.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\hihknxxx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\hkwkyqoh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\hlwsefvi.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\hseqmbro.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ibwgptqr.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\iecjqytj.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ifvrvvby.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\iinsvwko.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\iksbihoa.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\inyqeawo.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\jfhfwpyd.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\jglsjkbf.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\jhnuswde.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\jidndeaj.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\jodtweri.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\jrrvuxkh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\jtppoaft.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\jwqqweet.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\kjomkvkh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\klfybiij.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\lfwcygpl.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ljtfxdox.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\lqdrbvkd.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\lrvsydhj.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\lsgapxej.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\lttkbuwn.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\lvckhxcf.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\lwotxtvq.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\lwyndixx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\mjvtxonk.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmqslbgm.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\mpnqdmts.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\msigbden.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\mxmbpjir.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\myuivvlt.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\nhrfrpdv.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\njbkosig.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\nryskwar.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\nwirsyxc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ocxhnjrj.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ofqpowyv.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ohfrbxwa.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\oipsymrl.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\oksglwan.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\omaudfkn.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\palxjwll.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\pbcqbkin.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\pqpsaxea.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\qcytcxqt.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\qsbechhi.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\reyvmdjc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\rlbovlim.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\rqtss.tmp.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\rwborumv.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\sivaboqi.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\sjhkfgni.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\smlkpjhf.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\smqmdsmo.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\smucmxcq.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\snrgrbht.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\sntueuql.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\spdnpatf.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\spyjcgcp.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\syvovyvm.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\tqjdvqcc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\trlytqxx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\twfjcata.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ufpphkee.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ugdjdwhg.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ukugmkvs.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\uomtuvbe.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\uqglonoo.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\urpnvgan.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\vabwwbfu.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\vcgrdclu.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\vgcrmcal.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\vgsligxh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\voaflsku.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\vpgetrda.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\vrwcwtpl.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\vupxhkge.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\vvdddsne.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\vwpwerlr.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\wcvaghft.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\welnnybg.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\wsbsjcva.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\wsduajrw.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\wxbvuxyd.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\wytijxtw.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\xhwnhcvx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\xhylkynb.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\xifopdpn.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\xukgkdvk.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\yekvraes.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ymmdssfg.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ypsjwiof.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP871\A0177457.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP871\A0177459.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP871\A0177461.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181015.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181025.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181026.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181027.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181028.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181029.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181030.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181031.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181032.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181033.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181034.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181036.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181037.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181038.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181039.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181040.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181041.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181042.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181043.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181044.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181045.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181046.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181047.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181048.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181049.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181050.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181051.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181052.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181053.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181054.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181055.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181056.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181057.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181058.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181059.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181060.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181061.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181062.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181063.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181064.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181065.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181066.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181067.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181068.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181069.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181070.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181071.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181072.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181073.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181074.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181075.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181076.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181077.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181078.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181079.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181080.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181081.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181082.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181083.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181084.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181085.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181086.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181087.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181088.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181089.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181090.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181091.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181092.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181093.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181094.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181095.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181096.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181097.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181098.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181099.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181100.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181101.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181102.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181103.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181104.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181105.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181106.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181107.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181108.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181109.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181110.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181111.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181112.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181113.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181114.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181115.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181116.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181117.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181118.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181119.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181120.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181121.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181122.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181123.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181124.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181125.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181126.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181127.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181128.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181129.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181130.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181131.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181132.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181133.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181134.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181135.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181136.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181137.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181138.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181139.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181140.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181141.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181142.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181143.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181144.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181145.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181146.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181147.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181148.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181149.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181150.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181151.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181152.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181153.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181154.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181155.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181156.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181157.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181158.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181159.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181160.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181161.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181162.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

#13
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..

Quote

Sorry, I have been really busy with work and family this past week and have not been able to get back to working on my problem computer. I really do appreciate your help though, and will make sure to post my future replies to your posts more quickly.
That's ok. I do understand <_<

Quote

To answer your question, I am not familiar with the C:\documents and settings\anthony\FCSS.EXE file.
Ok. You may delete it then.

ESET findings will be removed when ComboFix is uninstalled and System Restore is reset (will be done in the final stage). How's the system running now?
Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006

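Blade81's point above, that the remaining ESET hits sit in ComboFix's quarantine folder and in System Restore points rather than in live system locations, is the kind of triage a helper normally does by eye over a very long log. The following Python script is an added example, not code from this thread, from ESET or from ComboFix: it parses lines in the format pasted above and classifies each hit by location, so that any entry which would survive uninstalling ComboFix and resetting System Restore stands out. It assumes the real ESET log is tab-delimited (the copy pasted here has its tabs collapsed to spaces, which the fallback regex handles); the `constructed_example.dll` path and the `Win32/Example.Constructed` detection name are constructed sample values that do not appear in the thread.

```python
"""Classify ESET scan findings by location: quarantine, restore point or live.

Added example. Assumes the scanner output is one finding per line:
    <path> <detection> <id> <flag>
tab-delimited in the original log; the fallback regex handles copies whose
tabs were collapsed to spaces, as in the thread above.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Two lines as they appear in the thread (tabs collapsed to spaces) plus one
# constructed tab-delimited line for a file outside any quarantine or
# restore point. The .dll path and the Win32/Example.Constructed name are
# constructed sample values.
SAMPLE_LOG = "\n".join([
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\sjhkfgni.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I",
    r"C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181015.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I",
    "C:\\WINDOWS\\system32\\constructed_example.dll\ta variant of Win32/Example.Constructed trojan\t00000000000000000000000000000000\tI",
    "",  # blank line, skipped by the parser
])


@dataclass(frozen=True)
class Finding:
    path: str
    threat: str      # full detection string, e.g. "Win32/Adware.Virtumonde.NEO application"
    location: str    # "quarantine", "restore_point" or "live"


# Recovers fields from a whitespace-collapsed line by anchoring on the
# detection name: it is the first token containing "/" (Windows paths never
# do), optionally prefixed by "a variant of" / "probably a variant of" and
# optionally followed by a lowercase type word such as "application".
_COLLAPSED_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:probably\s+)?(?:a\s+variant\s+of\s+)?[A-Za-z0-9]+/\S+(?:\s+[a-z]+)?)\s+"
    r"(?P<ident>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)\s*$"
)

# ComboFix quarantine (Qoobox) and Windows XP System Restore point layouts.
_QUARANTINE_RE = re.compile(r"^[A-Za-z]:\\Qoobox\\Quarantine\\", re.IGNORECASE)
_RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\",
    re.IGNORECASE,
)


def classify_path(path: str) -> str:
    """Return where a detected file lives; anything else counts as live."""
    if _QUARANTINE_RE.match(path):
        return "quarantine"
    if _RESTORE_RE.match(path):
        return "restore_point"
    return "live"


def parse_line(line: str) -> Optional[Finding]:
    """Parse one finding; returns None for blank or unrecognised lines."""
    line = line.rstrip("\r\n")
    if not line.strip():
        return None
    if "\t" in line:
        fields = line.split("\t")
        if len(fields) < 2:
            return None
        path, threat = fields[0], fields[1]
    else:
        m = _COLLAPSED_RE.match(line)
        if not m:
            return None
        path, threat = m.group("path"), m.group("threat")
    return Finding(path=path, threat=threat, location=classify_path(path))


def parse_log(text: str) -> List[Finding]:
    return [f for f in (parse_line(ln) for ln in text.splitlines()) if f is not None]


def triage(text: str) -> Dict[str, object]:
    """Count findings per location and list the paths that are actually live."""
    findings = parse_log(text)
    counts = Counter(f.location for f in findings)
    return {
        "quarantine": counts["quarantine"],
        "restore_point": counts["restore_point"],
        "live": counts["live"],
        "live_paths": [f.path for f in findings if f.location == "live"],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in ("quarantine", "restore_point", "live"):
        print(f"{key:14s} {result[key]}")
    for path in result["live_paths"]:
        print("LIVE:", path)
```

Run it over a real ESET log with `triage(open("log.txt").read())`; the `live_paths` list is what still needs attention after the quarantine and restore points are cleared, while the other two counters should go to zero once ComboFix is uninstalled and System Restore is reset.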
#14
tonyb85

    New Member

  • Members
  • 10 posts
  • Gender:Male
  • Location:United States
Thanks for the quick reply again.

As instructed, I deleted the C:\documents and settings\anthony\FCSS.EXE file.

I assume you mean the ESET files stored in the C:\Program Files\ESET folder. I am not familiar with how to reset system restore, but since you said that it will be done "in the final stage" I assume that you will tell me when and how to do it.

As for how the system is running now, I would say that it seems to be working fine (I have not noticed any current problems - aside from the obvious presence of viruses that show up in the scans you have me doing). The infected computer never really stopped working. If I remember correctly, the reason that I realized I had the virus/es was that I began to get fake alert pop-ups a few months or so before I first posted on this forum. Since you have begun helping me, I have not seen any more fake alert pop-ups, but since then I have only enabled the computer's internet connection when I am running ComboFix or replying on this forum (not sure if the internet connection would factor into those pop-ups appearing). Aside from the fake alert pop-ups, there are two other issues I can think of that occurred occasionally in the past on the infected computer. I am not sure if these were caused by the virus/es or something else. The only other thing I can think of that may have caused these two other issues (if the virus/es did not cause them) is that I had a graphics card in my computer for about a year or two (up until about a few months before I began seeing the fake alert pop-ups) that said it was supposed to be used with a power supply with a slightly higher power output than the one that I had in my computer. Nevertheless, the graphics card did work for the time period I had it installed, but it finally stopped working after a year or two (and I removed it a few months before I began getting the fake alert pop-ups). Below I have listed the two other issues that may be related to the virus/es or my old graphics card. I think these two issues began happening a year or two before I first began seeing the fake alert pop-ups (somewhere close to when I installed the graphics card).
I don't believe I have had these two issues come up lately, although I have not been turning on the infected computer very often - less than five times per week (I only use the infected computer when I am following your instructions and posting logs to this forum). But I do believe the two issues were both occurring right up to the time that I removed the graphics card (and they may have even continued to occur while I was getting the fake alert pop-ups, a few months after the graphics card was removed - unfortunately, I am not sure about that).


1) This first issue happened somewhat irregularly. I am guessing that it probably happened somewhere between 1/10 to 1/20 of the times I turned on my computer (I never documented it though, so I am not sure). When I would turn on my computer, after Windows was done loading and I saw my usual desktop display, I was unable to open any programs (although I could double click things on the desktop; they just would not open) and if I scrolled my cursor anywhere over the Windows Taskbar and Start Menu I would just see the hour glass icon and not be able to open the Start Menu or anything on the Taskbar. I don't think I was able to use CTRL+ALT+DELETE to open Task Manager either, as I always had to resolve the issue by just powering down the computer tower. After powering down the computer and then turning the power on again, I do not think I ever had this issue twice in a row (on two consecutive start-ups).

2) This second issue happened more rarely. I am guessing that it happened maybe once or twice a month, maybe less (at that time I was using the computer every day). When I would be doing something on the computer (usually playing some newer, graphics-intensive game) a Blue Screen Of Death would appear and I would have to power down the PC and reboot. I don't remember what error the Blue Screen Of Death displayed. It may have been the same error every time. But I am not sure. When this first started happening I was not having the fake alert pop-ups and I was guessing that it may have been related to the Power Supply overheating as a result of the high power requirement of the graphics card (but that was just a guess).

Sorry those are kind of long descriptions, but I just wanted to be thorough. I have two other quick questions for you. Is there any sign that the virus/es I have on my computer are backdoor viruses, and should I be worried about identity theft (e.g. credit card fraud) with the infection that my computer had?

Thanks again for your help.

#15
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..

Quote

Is there any sign that the virus/es I have on my computer are backdoor viruses, and should I be worried about identity theft (e.g. credit card fraud) with the infection that my computer had?
I don't see backdoor-related stuff there. However, changing online passwords regularly is recommended.

Anyway, I think it's now time to do system resetting and other stuff :)


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis



Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK

Next we remove all used tools.

Please download OTC and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third-party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of Windows has a hosts file.
    • In a very basic sense, it is used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:

    • Click the start button (at the lower left hand corner of your screen)
    • Click run
    • In the dialog box, type services.msc
    • Hit Enter, then locate DNS Client
    • Highlight it, then double-click it.
    • On the dropdown box, change the setting from Automatic to Manual.
    • Click ok



  • Get antivirus software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. See here to choose one

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    See here to choose one if you don't have a 3rd party firewall.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade ;)
Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006
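The Internet Explorer hardening above is a list of clicks; on more than one machine you would rather audit the result than trust it. Internet Explorer stores each per-zone setting under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (3 is the Internet zone) as a DWORD named after the action ID, with 0 = Enable, 1 = Prompt and 3 = Disable. The script below is an added example, not part of Blade81's post: it parses the text that `reg export` writes for that key (decoded from the UTF-16 file first), compares the six settings named above with the recommended values, and renders a .reg fragment that applies the fixes. The sample export is constructed for the example, not taken from the poster's machine, and the function names are mine.

```python
r"""Audit the Internet Explorer 'Internet' zone (Zones\3) against the hardening
steps recommended in the post, working from a `reg export` of the key.

Added example, not part of the original forum post. The sample export below
is constructed; the function names are the author's own.
"""
import re

# Action IDs Internet Explorer stores under each zone key, with the value the
# post recommends. IE encodes 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}
SETTING_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")

# Constructed sample of `reg export` output for the Internet zone (already
# decoded from UTF-16): "Navigate sub-frames" is set to Disable, as in the
# poster's case, and "Download unsigned ActiveX controls" is missing entirely.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1201"=dword:00000003
"1607"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000001
"""

_VALUE_RE = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})\s*$')


def parse_zone_values(reg_text, key=ZONE3_KEY):
    """Return {action_id: int} for the 4-digit DWORD values under `key`."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_zone(values, policy=RECOMMENDED):
    """List (action_id, description, current, recommended) for each deviation.

    A missing value is reported with current=None: IE then uses whatever its
    template says, so do not assume absence means the safe setting.
    """
    findings = []
    for action_id, (desc, wanted) in policy.items():
        current = values.get(action_id)
        if current != wanted:
            findings.append((action_id, desc, current, wanted))
    return findings


def to_reg_fix(findings, key=ZONE3_KEY):
    """Render a .reg fragment that sets every deviating action to its recommended value."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    for action_id, _desc, _current, wanted in findings:
        lines.append(f'"{action_id}"=dword:{wanted:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit_zone(parse_zone_values(SAMPLE_REG_EXPORT))
    for action_id, desc, current, wanted in found:
        cur = SETTING_NAMES.get(current, "not set")
        print(f"{action_id} {desc}: {cur} -> should be {SETTING_NAMES[wanted]}")
    print(to_reg_fix(found))
```

One caveat when you run this against a real export: if the DWORD `Security_HKLM_only` is set under Internet Settings, the per-user Zones values are ignored and the HKLM copy of the key is what Internet Explorer actually enforces, so audit that hive instead.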

#16
tonyb85

    New Member

  • Members
  • 10 posts
  • Gender:Male
  • Location:United States
I followed the steps you gave: resetting system restore, uninstalling ComboFix, downloading and running OTC Cleanup, getting every new update available from Windows Update.

The OTC Cleanup didn't remove all the tools we used (I assume it wasn't supposed to). I will just manually delete/uninstall what was left (HijackThis, dds.scr, ATF-Cleaner).

I am running Microsoft Office 2003 on my computer. I went to the Microsoft Office website, but it just redirected me to the Windows Update site for updates. I am assuming Microsoft Office just does all its updates through that site (as it offered me several updates for Office after redirecting me there).

As far as making Internet Explorer more secure, I actually only had to change one of the settings that you mentioned (as my settings were already identical to your suggestions). The only one that was different was that I had "Navigate windows and frames across different domains" set to Disable (so I changed it to Prompt).

I will read through that hosts file link when I have a little more time. As you said it is optional, and I want to make sure it is something that will do more good than harm.

As far as antivirus software and firewalls go, I have trouble telling what is the best to use. I looked at the links you provided, but there are a lot of options there. Preferably I would like something that is pretty self-sufficient (not requiring a lot of active involvement). I was wondering if the free antivirus and free firewalls work as well as the internet security packages that you have to pay for (e.g. Norton Antivirus, Kaspersky, BitDefender, etc.). What do you think about that?

For now I just re-installed the 30-day trial of BitDefender Total Security 2010. I'll just use that until I can figure out what other program(s) to use.

Even though I have Automatic Updates enabled for my computer, is it still important to go to Windows Update manually from time to time? I guess the only reason I would see is to install the optional updates that are not installed by the Automatic Updates feature.

Right now, the system is working smoothly. I will start using it again for regular computing in the next few days. If any problems come up I will keep you posted.

One last question. I am wondering what the best scan is to determine if your computer is infected with malware/viruses? I mean obviously if my BitDefender daily scans show something I will know there is something present. But is there a better scan that I should do occasionally to make sure that my computer is clean, like the MBAM scan or some other one? I have another computer that I would like to scan to make sure it is free of malware (it does not show any symptoms of being infected, but I just want to be sure).

Thanks again Blade. I really appreciate all your help.

#17
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
You're welcome ;)

Good free antivirus programs are:
Antivir
Avast!

Good commercial ones are from:
Kaspersky and
ESET

If you don't need an email scanner then free options will do their work.

Quote

For now I just re-installed the 30-day trial of BitDefender Total Security 2010. I'll just use that until I can figure out what other program(s) to use.
Remember that after the trial has expired you won't get new definition updates -> BitDefender won't necessarily detect new threats.

Quote

One last question. I am wondering what the best scan is to determine if your computer is infected with malware/viruses? I mean obviously if my BitDefender daily scans show something I will know there is something present. But is there a better scan that I should do occasionally to make sure that my computer is clean, like the MBAM scan or some other one? I have another computer that I would like to scan to make sure it is free of malware (it does not show any symptoms of being infected, but I just want to be sure).
Each system should have both an antivirus and an antispyware scanner. MBAM is a good choice for the latter. Just remember to keep its definitions up to date.

#18
tonyb85

    New Member

  • Members
  • 10 posts
  • Gender:Male
  • Location:United States
I did a couple of scans with BitDefender today and yesterday and a few items came up. BitDefender calls them Rootkit-Hidden Items (I do not believe they are related to the infection/viruses I had), but the only options BitDefender offers for dealing with the files are to "Ignore" them or "Make Visible (unhide)." Unfortunately neither of those options resolves the issues with those files, and they continue to show up on every scan that BitDefender does. The files are all music/audio files from two different CDs that I must have loaded on the computer (a while back). I don't know if I still have the CDs, but I would like to get rid of the files if I could. Whenever I try to delete the files I get the following error:

Error Deleting File or Folder
Cannot delete file: Cannot read from the source file or disk

It does not allow me to rename the file either (gives the following, essentially identical error).

Error Renaming File or Folder
Cannot rename file: Cannot read from the source file or disk

If I attempt to open the files I get the following error (with xxx referring to the file’s specific location on the C Drive):

C:\xxx refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the internet or your network, and then try again. If it still cannot be located, the information might have been moved to a different location.

I’m not sure if you know how to get rid of these problem files, but I haven’t had much luck searching for a solution on the internet so I figured I’d just ask.

I posted the BitDefender Log below (it says the files are resolved issues, but they still are unable to be deleted and show up on every BitDefender scan):

BitDefender Log File

Product: BitDefender Total Security 2010
Version: BitDefender Antivirus Scanner
Scanning task: Deep System Scan
Log date: 11/4/2009 12:03:28 AM
Log path: C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\deep_scan\1257314608_1_01.xml

Scan paths:Path 0000: C:\

Scan Level:
Scan for viruses: Yes
Scan for adware: Yes
Scan for spyware: Yes
Scan for applications: Yes
Scan for dialers: Yes
Scan for rootkits: Yes
Scan for keyloggers: Yes

Virus Scanning Options:
Scan registry keys: Yes
Scan cookies: Yes
Scan boot sectors: Yes
Scan memory processes: Yes
Scan archives: Yes
Scan runtime packers: Yes
Scan e-mails: Yes
Scan all files: Yes
Heuristic Scan: Yes
Scanned extensions: not configured
Excluded extensions: not configured

Target Processing:
Default first action for infected objects: Disinfect
Default second action for infected objects: None
Default first action for suspect objects : None
Default second action for suspicious objects: None
Default action for hidden objects: None
Default first action for encrypted infected objects: Disinfect
Default second action for encrypted infected objects: None
Default first action for encrypted suspicious objects: None
Default second action for encrypted suspicious objects: None
Default action for password-protected objects: Log only

Scan Engines Summary
Virus signatures: 4480941
Archive plugins: 44
E-mail plugins: 6
Scan plugins: 13
System plugins: 5
Unpack plugins: 8

Basic
Scanned items: 489209
Infected items: 0 (no infected items have been detected)
Suspect items: 0 (no suspected items have been detected)
Hidden items: 32
Resolved items: 32
Unresolved items: 0 (no issues remained unresolved)

Advanced
Skipped items: 23964
Password-protected items: 0
Over-compressed items: 0
Individual viruses found: 0
Scanned folders: 10341
Scanned boot sectors: 4
Scanned archives: 5706
Input-output errors: 0
Scanned processes: 94
Infected processes: 0
Scanned registry keys: 1384
Infected registry keys: 0
Scanned cookies: 51
Infected cookies: 0

Resolved issues:
Object Path | Threat Name | Final Status
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - To Your Love.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - The Way Things Are.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Paper Bag.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - On the Bound.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Love Ridden.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Limp.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - I Know.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Get Gone.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Fast as You Can.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - A Mistake.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - To Your Love.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - The Way Things Are.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Paper Bag.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - On the Bound.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Love Ridden.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Limp.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - I Know.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Get Gone.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Fast as You Can.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - A Mistake.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Lover Boy.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Give a Little Bit.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - From Now On.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - From Now On(1).mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Fool's Overture.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Fool's Overture(1).mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Even in the Quietest Moments.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Even in the Quietest Moments(1).mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Downstream.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Downstream(1).mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Babaji.mp3.bd.ren | Rootkit-Hidden items | Renamed
C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Babaji(1).mp3.bd.ren | Rootkit-Hidden items | Renamed

#19
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
Hi,

Since all the text was written there without line breaks it was a bit hard to read. Let's hope we got all the folder names here.

Click Start -> Run -> type cmd.exe and press Enter. Copy and paste the following three commands into your command prompt window one at a time (press Enter after each command):
rd /s /q "\\?\%userprofile%\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King.."
rd /s /q "\\?\%userprofile%\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King.."
rd /s /q "\\?\%userprofile%\My Documents\My Music\Supertramp\Even in the Quietest Moments.."

Let me know how it goes.
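Why those three commands work, and why BitDefender called ordinary MP3s "Rootkit-Hidden": every folder involved has a name ending in "..". When a program hands Windows an ordinary path, the Win32 layer normalises it before the filesystem ever sees it, resolving "." and ".." segments and stripping trailing dots and spaces from the final name, so a lookup for "Even in the Quietest Moments.." never reaches NTFS with that name intact. That is why Explorer reports "Cannot read from the source file or disk" while the entry is plainly there. A scanner that enumerates the directory without going through that normalisation still sees the entry, and a difference between the two views is exactly what rootkit scanners flag (the thread does not say how BitDefender enumerates, but this is the classic cross-view check and the symptom matches). Paths prefixed with \\?\ are passed to the filesystem without normalisation, which is what makes the rd commands succeed. The script below is an added example, not part of the thread: it models the final-segment rules that matter here (trailing dots and spaces, relative segments, reserved device names), runs the cross-view comparison over a constructed listing, and emits the same style of rd command. It is a simplified model of the Win32 path converter, not a complete one, and the function names are mine.

```python
r"""Model why a directory entry can be listed yet not opened through an
ordinary Win32 path, and why the \\?\ prefix gets around it.

Added example, not part of the original thread. The listing below is
constructed; the function names are the author's own. The normalisation
rules modelled are the final-segment ones that bite in practice, not the
full Win32 path converter.
"""
import re

# Names Win32 reserves for devices; "nul.txt" still means the NUL device.
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})
# Characters an ordinary Win32 path cannot carry in a name.
_ILLEGAL = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def win32_normalised_name(name):
    """The name Win32 would actually look up for final segment `name` given
    without the \\?\ prefix: a lone "." or ".." is a relative segment rather
    than a name, and trailing dots and spaces are stripped."""
    if name in (".", ".."):
        return ""
    return name.rstrip(". ")


def win32_reachable(name):
    """True if an ordinary (non-\\?\) path can address an entry called `name`.

    Unreachable when normalisation would change the name (the lookup then
    targets a different, usually non-existent, entry), when the name is a
    reserved device name, or when it holds characters the layer rejects.
    """
    if not name or _ILLEGAL.search(name):
        return False
    if win32_normalised_name(name) != name:
        return False
    return name.split(".")[0].upper() not in _RESERVED


def cross_view(raw_listing):
    """Split a raw directory listing, as a low-level enumeration sees it, into
    entries visible through Win32 and entries Win32 cannot address. The second
    list is what a cross-view rootkit scanner reports as hidden."""
    visible, hidden = [], []
    for entry in raw_listing:
        (visible if win32_reachable(entry) else hidden).append(entry)
    return visible, hidden


def removal_command(parent, name):
    """cmd.exe command that removes directory `name` under `parent` through the
    \\?\ namespace, bypassing normalisation, in the form used in the thread."""
    return f'rd /s /q "\\\\?\\{parent}\\{name}"'


# Constructed raw listing of a My Music\Supertramp folder as NTFS holds it.
RAW_SUPERTRAMP = [
    "Even in the Quietest Moments..",  # trailing dots: Win32 cannot reach it
    "Crime of the Century",            # ordinary name
    "Breakfast in America ",           # trailing space: same problem
    "desktop.ini",
    "nul.txt",                         # reserved device name
]

if __name__ == "__main__":
    visible, hidden = cross_view(RAW_SUPERTRAMP)
    print("visible through Win32:", visible)
    print("hidden from Win32 (cross-view mismatch):", hidden)
    for entry in hidden:
        print(removal_command(r"%userprofile%\My Documents\My Music\Supertramp", entry))
```

The practical takeaway for the scanner output: a "hidden" finding whose path ends in a dot or a space, or whose stem is a device name, is far more likely to be a ripper or a sync tool that created the name through the \\?\ namespace than a rootkit, and the fix is the same rd /s /q "\\?\..." form Blade81 gave. A genuine rootkit hides entries that have perfectly ordinary names, which this model would report as visible.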

#20
tonyb85

    New Member

  • Members
  • 10 posts
  • Gender:Male
  • Location:United States
Thanks Blade, that got rid of all the problem files. I'll let you know if anything else comes up.




