MBAM and BitDefender fail to remove Vundo Trojan

[tonyb85]

First of all here is my OS info (in case it is needed):

Microsoft Windows XP

Media Center Edition

Version 2002

Service Pack 3

Previously I had a corporate copy of McAfee on my computer but it apparently allowed multiple viruses onto my computer. Since then I have removed McAfee and currently have a 30 day trial of BitDefender Internet Security 2010 running on the computer to hopefully prevent any further infection. I just recently disabled the computer's internet connection to avoid having viruses transmitted to other computers in my house on the same network. I downloaded MBAM and Trend Micro HijackThis and ran them and posted the logs below. Although MBAM says it does not find a Vundo trojan, BitDefender does find it (even after doing multiple MBAM scans and removals of infected files). BitDefender calls the virus "Trojan.Vundo.GMM" (without the quotes). I am not sure what I should do next (as I have tried using BitDefender and MBAM to remove the virus/es without success), any help you could offer me would be much appreciated.

Thank you in advance,

Tony

I have posted the logs from MBAM, HijackThis, and BitDefender Internet Security 2010 below (in that order).

MBAM LOG: (from Full Scan, not Quick Scan)

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 3

10/13/2009 1:11:58 AM

mbam-log-2009-10-13 (01-11-37).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 217697

Time elapsed: 59 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HijackThis LOG:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:23:53 AM, on 10/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe

C:\Program Files\Plaxo\3.22.0.7\PlaxoHelper_en.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe

C:\Program Files\Clarus\Samsung Auto Backup\ISFRealTimeD.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Clarus\Samsung Auto Backup\ISFTimerD.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {517a881c-e126-49ad-8c06-0e71223b6ad0} - lobebafu.dll (file missing)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {EFD500E1-9208-48E2-873D-D3A59FEC9483} - C:\WINDOWS\security\cacafx.dll (file missing)

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.22.0.7\PlaxoHelper_en.exe -a

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [PlaxoSysTray] C:\Program Files\Plaxo\3.22.0.7\PlaxoSysTray.exe

O4 - Startup: Samsung Auto Backup Guage.lnk = ?

O4 - Startup: Samsung Auto Backup Real-Time Daemon.lnk = ?

O4 - Startup: Samsung Auto Backup Scheduler.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe (file missing)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://locator.cdn.imageservr.com

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128006131468

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O20 - AppInit_DLLs: yiyawefo.dll

O20 - Winlogon Notify: cacafx - C:\WINDOWS\security\cacafx.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe

O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe

O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--

End of file - 10676 bytes

BITDEFENDER 2010 INTERNET SECURITY SCAN LOG:

BitDefender Log File

Product: BitDefender Internet Security 2010

Version: BitDefender Antivirus Scanner

Scanning task: Deep System Scan

Log date: 10/12/2009 9:40:15 PM

Log path: C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\deep_scan\1255401615_1_02.xml

Scan paths:

Path 0000: C:\

Scan Level:

Scan for viruses: Yes

Scan for adware: Yes

Scan for spyware: Yes

Scan for applications: Yes

Scan for dialers: Yes

Scan for rootkits: Yes

Scan for keyloggers: Yes

Virus Scanning Options:

Scan registry keys: Yes

Scan cookies: Yes

Scan boot sectors: Yes

Scan memory processes: Yes

Scan archives: Yes

Scan runtime packers: Yes

Scan e-mails: Yes

Scan all files: Yes

Heuristic Scan: Yes

Scanned extensions: not configured

Excluded extensions: not configured

Target Processing:

Default first action for infected objects: Disinfect

Default second action for infected objects: None

Default first action for suspect objects : None

Default second action for suspicious objects: None

Default action for hidden objects: None

Default first action for encrypted infected objects: Disinfect

Default second action for encrypted infected objects: None

Default first action for encrypted suspicious objects: None

Default second action for encrypted suspicious objects: None

Default action for password-protected objects: Log only

Scan Engines Summary

Virus signatures: 4336293

Archive plugins: 44

E-mail plugins: 6

Scan plugins: 13

System plugins: 5

Unpack plugins: 8

Basic

Scanned items: 415671

Infected items: 42

Suspect items: 0 (no suspected items have been detected)

Hidden items: 32

Resolved items: 38

Unresolved items: 36

Advanced

Skipped items: 144366

Password-protected items: 0

Over-compressed items: 0

Individual viruses found: 2

Scanned folders: 10169

Scanned boot sectors: 4

Scanned archives: 1863

Input-output errors: 0

Scanned processes: 89

Infected processes: 39

Scanned registry keys: 1264

Infected registry keys: 0

Scanned cookies: 76

Infected cookies: 0

Remaining issues:

Object Path

Threat Name

Final Status

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1016] (disk)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1412] (memory dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1412] (disk)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1412] (full dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1456] (memory dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1456] (disk)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1456] (full dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\System32\yiyawefo.dll [1504] (disk)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1916] (memory dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1916] (disk)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1916] (full dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [524] (memory dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [524] (disk)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [524] (full dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [692] (memory dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [692] (disk)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [692] (full dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1300] (memory dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1300] (disk)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1300] (full dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1888] (memory dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1888] (disk)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1888] (full dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [2128] (memory dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [2128] (disk)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [2128] (full dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [2216] (memory dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [2216] (disk)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [2216] (full dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [3836] (memory dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [3836] (disk)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [3836] (full dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [2784] (memory dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [2784] (disk)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

<System>=>C:\WINDOWS\system32\yiyawefo.dll [2784] (full dump)

Trojan.Vundo.GMM

Disinfect failed (object was not found)

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP881\A0179624.dll

Trojan.Vundo.GMM

Disinfect failed (object was not found)

Resolved issues:

Object Path

Threat Name

Final Status

C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - To Your Love.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - The Way Things Are.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Paper Bag.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - On the Bound.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Love Ridden.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Limp.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - I Know.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Get Gone.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Fast as You Can.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - A Mistake.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - To Your Love.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - The Way Things Are.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Paper Bag.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - On the Bound.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Love Ridden.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Limp.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - I Know.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Get Gone.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - Fast as You Can.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King..\Fiona Apple - A Mistake.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Lover Boy.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Give a Little Bit.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - From Now On.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - From Now On(1).mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Fool's Overture.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Fool's Overture(1).mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Even in the Quietest Moments.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Even in the Quietest Moments(1).mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Downstream.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Downstream(1).mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Babaji.mp3.bd.ren

Rootkit-Hidden items:

Renamed

C:\Documents and Settings\Anthony\My Documents\My Music\Supertramp\Even in the Quietest Moments..\Supertramp - Babaji(1).mp3.bd.ren

Rootkit-Hidden items:

Renamed

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1016] (memory dump)

Trojan.Vundo.GPM

Deleted

<System>=>C:\WINDOWS\system32\yiyawefo.dll [1016] (full dump)

Trojan.Vundo.GPM

Deleted

<System>=>C:\WINDOWS\System32\yiyawefo.dll [1504] (memory dump)

Trojan.Vundo.GPM

Deleted

<System>=>C:\WINDOWS\System32\yiyawefo.dll [1504] (full dump)

Trojan.Vundo.GPM

Deleted

C:\WINDOWS\system32\yiyawefo.dll

Trojan.Vundo.GMM

Deleted after reboot

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP881\A0179680.dll

Trojan.Vundo.GMM

Deleted

[tonyb85]

I wanted to add that I attempted to install Superantispyware on my computer but errors came up during the installation which prevented it from being installed. I am not sure if this is due to the viral infection. I thought it might be, as another computer I have with no infection and the same BitDefender 2010 Internet Security 30-day trial installed on it had no problem installing and running Superantispyware. Just thought I should add that, as that program seems to be recommended quite often from what I have seen on this and other virus removal forums.

[Blade81]

Hi,

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
     
  2. Attach.txt
     

  [*]Save both reports to your desktop. Post them back to your topic.

[tonyb85]

Attach.zip

Thanks for offering your help, Blade. I am not sure how to disable script blocking. Searching Google it sounded like script blocking might be enabled by Internet Explorer and/or my antivirus program (BitDefender Internet Security 2010). But I was unable to quickly figure out how to disable it, so I just ran DDS. The two text documents popped up, so I'm hoping it worked correctly (although it is possible script blocking was still enabled). If I need to disable script blocker and run the program again please let me know. I have copied and pasted the DDS.txt below and attached the Attach.txt at the top of this post (as the DDS program instructed).

Thanks again,

Tony

DDS.txt

DDS (Ver_09-10-13.01) - NTFSx86

Run by Anthony at 10:55:52.79 on Sat 10/17/2009

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1270.704 [GMT -5:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe

C:\Program Files\Plaxo\3.22.0.7\PlaxoHelper_en.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe

C:\Program Files\Clarus\Samsung Auto Backup\ISFGuage.exe

C:\Program Files\Clarus\Samsung Auto Backup\ISFRealTimeD.exe

C:\Program Files\Clarus\Samsung Auto Backup\ISFTimerD.exe

svchost.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Anthony\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uDefault_Page_URL = hxxp://www.dell4me.com/myway

uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE

uInternet Connection Wizard,ShellNext = iexplore

uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 3.1\aoltb.dll

mURLSearchHooks: H - No File

mWinlogon: SFCDisable=4 (0x4)

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: {517a881c-e126-49ad-8c06-0e71223b6ad0} - lobebafu.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 3.1\aoltb.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {efd500e1-9208-48e2-873d-d3a59fec9483} - c:\windows\security\cacafx.dll

TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll

TB: {821F87FF-8245-4972-9E28-732E92EC2F51} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [PlaxoUpdate] c:\program files\plaxo\3.22.0.7\PlaxoHelper_en.exe -a

uRun: [Aim6]

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [PlaxoSysTray] c:\program files\plaxo\3.22.0.7\PlaxoSysTray.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [iPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [bDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"

mRun: [bitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"

StartupFolder: c:\docume~1\anthony\startm~1\programs\startup\samsun~3.lnk - c:\program files\clarus\samsung auto backup\ISFGuage.exe

StartupFolder: c:\docume~1\anthony\startm~1\programs\startup\samsun~2.lnk - c:\program files\clarus\samsung auto backup\ISFRealTimeD.exe

StartupFolder: c:\docume~1\anthony\startm~1\programs\startup\samsun~1.lnk - c:\program files\clarus\samsung auto backup\ISFTimerD.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\arcsoft\media card companion\MCC Monitor.exe

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-us\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: imageservr.com\locator.cdn

Trusted Zone: musicmatch.com\online

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128006131468

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab

Notify: cacafx - c:\windows\security\cacafx.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: yiyawefo.dll

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

LSA: Notification Packages = scecli talefake.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anthony\applic~1\mozilla\firefox\profiles\afmeh64m.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxps://www.google.com

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2010\bdvedisk.sys [2009-4-1 82696]

R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-9-17 152328]

R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-9-1 110856]

S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-9-13 183880]

=============== Created Last 30 ================

2009-10-13 01:23 <DIR> --d----- c:\program files\Trend Micro

2009-10-12 05:55 1,011,342 a------- c:\windows\system32\budidepu.exe

2009-10-12 01:20 132 a------- c:\windows\system32\rezumatenoi.dat

2009-10-11 22:20 16 a------- c:\windows\system32\asdict.dat

2009-10-11 22:20 4 a------- c:\windows\system32\aspdict-en.dat

2009-10-11 18:45 <DIR> --d----- c:\docume~1\anthony\applic~1\BitDefender

2009-10-11 18:44 <DIR> --d----- c:\program files\BitDefender

2009-10-11 18:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender

2009-10-11 18:43 <DIR> --d----- c:\program files\common files\BitDefender

2009-10-11 18:19 <DIR> -cd-h--- c:\windows\ie8

2009-10-11 13:34 <DIR> --d----- C:\Log

2009-10-11 13:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Clarus

2009-10-11 13:32 <DIR> --d----- c:\program files\Clarus

2009-09-18 20:25 <DIR> --d----- c:\docume~1\anthony\applic~1\Malwarebytes

2009-09-18 20:25 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-18 20:25 19,160 a------- c:\windows\system32\drivers\mbam.sys

2009-09-18 20:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-09-18 20:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-09-17 16:12 152,328 a------- c:\windows\system32\drivers\bdfm.sys

2009-09-17 16:11 105,736 a------- c:\windows\system32\drivers\bdhv.sys

==================== Find3M ====================

2009-10-11 18:03 1,011,385 a--sh--- c:\windows\system32\zufajudi.exe

2009-10-11 18:03 39,424 a--sh--- c:\windows\system32\bamukitu.dll

2009-10-11 18:03 28,160 a--sh--- c:\windows\system32\pamuyomi.dll

2009-09-01 15:24 110,856 a------- c:\windows\system32\drivers\bdfndisf.sys

2009-08-30 01:44 411,368 a------- c:\windows\system32\deploytk.dll

2009-08-23 20:00 43,520 a------- c:\windows\system32\CmdLineExt03.dll

2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll

2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

2000-08-11 14:20 445,952 a------- c:\documents and settings\anthony\FCSS.EXE

2007-05-23 23:05 11,250 ---sh--- c:\windows\security\xfacac.bak1

2007-09-20 20:23 2,009,945 ---sh--- c:\windows\security\xfacac.bak2

2007-09-20 20:48 2,014,863 ---sh--- c:\windows\security\xfacac.ini2

2008-09-03 12:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 10:56:53.82 ===============

[Blade81]

Hi Tony,

That's ok. If blocker had been active then you wouldn't had been able to create DDS logs at all

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
2. Click Yes to allow ComboFix to continue scanning for malware.
   

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

[tonyb85]

Blade,

I have a few questions that I would like to have answered before I run ComboFix. I just want to make sure that everything is being done properly, as I have seen numerous warnings of how improper use of ComboFix can ruin a computer. First, I want you to know that I have fully read through the "instructions for running ComboFix tool" AND the thread on "How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs" at the links you provided at www.bleepingcomputer.com. Now for the questions. Sorry they are a bit detailed, but I just want to be sure I am doing everything right. I will number them just to keep them organized, in total there are 4 questions (the first 3 have lengthy descriptions).

QUESTIONS

1) This question is not directly related to ComboFix, but just about the help you are giving me in general. I noticed the following comment in the thread on "How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs" posted by "Animal", one of the BleepingComputer Site Administrators:

"I see you have a HJT log properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer. From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean."

My question is: Should I not be doing any more scans with BitDefender Internet Security 2010 to remove viruses/malware? I have done at least one scan (probably more like three or more) since I first asked for help on this site. Every time I do a scan BitDefender finds infected files and some of them it can delete or quarantine, but there are always some infected files that are unable to be deleted or quarantined. I don't want to make things more difficult/confusing for you. Please let me know.

2) This question is in regards to the instructions for disabling BitDefender given in the thread "How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs." I realize that is not your thread and that you may not use or be very familiar with BitDefender. Hopefully you can still answer this question though. The instructions that thread gives with regard to BitDefender is only how to disable the BitDefender Antivirus Shield. This is only one part of BitDefender's Internet Security. When I open BitDefender Internet Security 2010 (I am using the 30-day trial mode) by double-clicking the icon in the System Tray (using the advanced view where I can control all aspects of BitDefender's Internet Security), there are 12 tabs with the various internet security-related topics. Many of the tabs have options to disable various parts of the internet security - not just the Antivirus Tab which only allows the Antivirus Shield to be disabled. I will list the 12 Tabs below with the options they give for disabling certain parts of the internet security:

I) General - IRRELEVANT - no options for disabling internet security

II) Antivirus - Option to disable the Antivirus Shield Real-time protection

III) Antispam - Option to disable Antispam Real-time protection

IV) Parental Control - IRRELEVANT - no options for disabling internet security

V) Privacy Control - Option to disable Privacy Control (**see below for details on Privacy Control)

VI) Firewall - Option to disable Firewall

VII) Vulnerability - Option to disable Automatic Vulnerability Checking

VIII) Encryption - Option to disable IM Encryption

IX) Game/Laptop Mode - Option to turn off "Automatic Game Mode" Antivirus protection (not sure if this is relevant)

X) Home Network - IRRELEVANT - no options for disabling internet security

XI) Update - Option to disable Automatic Update for BitDefender (not sure if this is relevant)

XII) Registration - IRRELEVANT - no options for disabling internet security

**Privacy Control includes: Identity information blocking, Registry access attempt blocking, Cookie blocking, and Script blocking

My question is: What else should I disable in addition to the Antivirus shield? Should I just disable everything that I have not listed as "IRRELEVANT" to the Internet Security?

3) I ended up just disabling every BitDefender tab that I did not consider "IRRELEVANT" and attempted to run ComboFix. Unfortunately the initial steps of it did not seem to go exactly as explained in the ComboFix instructions on www.bleepingcomputer.com. As instructed, I closed all windows and then double-clicked the ComboFix.exe icon on my desktop. I then clicked the "Run" button at the Windows Open File Security Warning. After that, the first thing I saw happen was a little loading progress bar (about 2x5cm in size) pop up in the middle of the screen. Once that loading bar reached complete/full, my BitDefender Internet Security 2010 window opened (this is the same window that would normally open when I double-click the BitDefender Icon in my system tray - it was closed before I double-clicked ComboFix.exe, as instructed). After that my computer tower made two loud beeps (my tower, not my speakers). None of those things are mentioned as happening on the BleepingComputer's Instruction thread. The next thing that happened was that the ComboFix Disclaimer Screen (as shown in the thread) popped up. At that point I selected the "No" option because I was worried that things were not working properly and I wanted to check with you first. I repeated the same steps to get to the disclaimer screen (as instructed) about 5 times and each time things happened exactly as I have just explained. I have listed multiple questions related to this situation below.

My questions are:

I) Why do I never see the first blue "ComboFix is Preparing to Run" screen mentioned in the instructions at www.bleepingcomputer.com?

II) Are the things I am seeing/hearing normal - the loading progress bar, my internet security being opened either by itself or by ComboFix, the two beeps?

III) If the BitDefender Internet Security 2010 window opening is okay to have happen, should I close it before I click "Yes" at the disclaimer screen - or just leave it open?

4) My last question is short:

With all my BitDefender Internet Security 2010 disabled, is it safe to stay connected to the internet as requested in the ComboFix instruction thread? It says I need to be connected to the internet so that the Windows Recovery Console can be downloaded while ComboFix is doing its job. But I don't want to leave myself open to more viruses/malware and further infection of my computer. I noticed that there are also instructions for manually installing the Windows Recovery Console, but does ComboFix still need to have internet access to do its job?

Thank you very much again for sharing your time and expertise. I really appreciate your help.

[Blade81]

Shorter responses from my side

1) Yep, don't run any other scans than instructed during the cleaning process.

2) & 3) If you're able to turn off whole bitdefender do so.

4) You may keep it connected during ComboFix run.

[tonyb85]

10_19_09_Attach.txt

I just decided to uninstall BitDefender to make sure that it would not interfere with ComboFix. I will just leave it uninstalled until you are done helping me, so that it doesn't run any more automated scans that might confuse for you. The only protection I have running now is the Windows Firewall (I turned it on after I ran ComboFix). I was not sure if you needed the new Attach.txt file included in this post, so I just put it in just in case.

The new Attach.zip file is at the beginning of this post. The ComboFix Log and new DDS Log are posted below in that order.

ComboFix Log

ComboFix 09-10-19.01 - Anthony 10/19/2009 21:09.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1270.846 [GMT -5:00]

Running from: c:\documents and settings\Anthony\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\mm.BOT

c:\program files\mm.BOT\Config\KeySet-1\amblxbow.cof

c:\program files\mm.BOT\Config\KeySet-1\curindx.wav

c:\program files\mm.BOT\Config\KeySet-1\wavindx.wav

c:\program files\mm.BOT\Config\KeySet-2\amblxbow.cof

c:\program files\mm.BOT\Config\KeySet-2\curindx.wav

c:\program files\mm.BOT\Config\KeySet-2\wavindx.wav

c:\program files\mm.BOT\Config\System\mm.PKID.Usr.CH

c:\program files\mm.BOT\Config\System\mm.PKID.Usr.ID

c:\program files\mm.BOT\Config\System\mm.PKID.Usr.PK

c:\program files\mm.BOT\Logs\Compiler.txt

c:\program files\mm.BOT\Logs\Picked_Items.txt

c:\program files\mm.BOT\Logs\ScanDrop_Items.txt

c:\program files\mm.BOT\Logs\Sold_Items.txt

c:\windows\Installer\6cf86.msp

c:\windows\security\xfacac.bak1

c:\windows\security\xfacac.bak2

c:\windows\security\xfacac.ini

c:\windows\security\xfacac.ini2

c:\windows\security\xfacac.tmp

c:\windows\system32\11478.exe

c:\windows\system32\15724.exe

c:\windows\system32\18467.exe

c:\windows\system32\19169.exe

c:\windows\system32\26500.exe

c:\windows\system32\26962.exe

c:\windows\system32\29358.exe

c:\windows\system32\41.exe

c:\windows\system32\6334.exe

c:\windows\system32\acabrqdd.ini

c:\windows\system32\adtsgqot.ini

c:\windows\system32\advewkqt.ini

c:\windows\system32\aeoetwhh.ini

c:\windows\system32\affsyiev.ini

c:\windows\system32\anicojte.ini

c:\windows\system32\awntacmc.ini

c:\windows\system32\axektgol.ini

c:\windows\system32\bbjfjekq.ini

c:\windows\system32\bsjmoyda.ini

c:\windows\system32\bszip.dll

c:\windows\system32\bvycpbmv.ini

c:\windows\system32\bxoaudkv.ini

c:\windows\system32\caqbjgnx.ini

c:\windows\system32\cccjemng.ini

c:\windows\system32\cepeupya.ini

c:\windows\system32\cidvlpgc.ini

c:\windows\system32\crbxbltm.ini

c:\windows\system32\dnrkeexg.ini

c:\windows\system32\dopgsiii.ini

c:\windows\system32\dselxscf.ini

c:\windows\system32\dusawgtd.ini

c:\windows\system32\dxiqffva.ini

c:\windows\system32\dyhjgweq.ini

c:\windows\system32\dywahuno.ini

c:\windows\system32\eaxbeuyr.ini

c:\windows\system32\eedyiljh.ini

c:\windows\system32\eftsekth.ini

c:\windows\system32\egrpsohj.ini

c:\windows\system32\esirnpbw.ini

c:\windows\system32\essgrvtk.ini

c:\windows\system32\etsohqmc.ini

c:\windows\system32\fafsmyki.ini

c:\windows\system32\ffjbjgoy.ini

c:\windows\system32\ggvjmxoe.ini

c:\windows\system32\ghambqve.ini

c:\windows\system32\ghkykjbn.ini

c:\windows\system32\glcihujm.ini

c:\windows\system32\gpxabfbc.ini

c:\windows\system32\gqnyphnt.ini

c:\windows\system32\gtdhlgnf.ini

c:\windows\system32\gwflggmx.ini

c:\windows\system32\hcqxjffw.ini

c:\windows\system32\hihknxxx.ini

c:\windows\system32\hkwkyqoh.ini

c:\windows\system32\hlwsefvi.ini

c:\windows\system32\hseqmbro.ini

c:\windows\system32\ibwgptqr.ini

c:\windows\system32\iecjqytj.ini

c:\windows\system32\ifvrvvby.ini

c:\windows\system32\iinsvwko.ini

c:\windows\system32\iksbihoa.ini

c:\windows\system32\inyqeawo.ini

c:\windows\system32\jfhfwpyd.ini

c:\windows\system32\jglsjkbf.ini

c:\windows\system32\jhnuswde.ini

c:\windows\system32\jidndeaj.ini

c:\windows\system32\jodtweri.ini

c:\windows\system32\jrrvuxkh.ini

c:\windows\system32\jtppoaft.ini

c:\windows\system32\jwqqweet.ini

c:\windows\system32\kjomkvkh.ini

c:\windows\system32\klfybiij.ini

c:\windows\system32\lfwcygpl.ini

c:\windows\system32\ljtfxdox.ini

c:\windows\system32\lqdrbvkd.ini

c:\windows\system32\lrvsydhj.ini

c:\windows\system32\lsgapxej.ini

c:\windows\system32\lttkbuwn.ini

c:\windows\system32\lvckhxcf.ini

c:\windows\system32\lwotxtvq.ini

c:\windows\system32\lwyndixx.ini

c:\windows\system32\mjvtxonk.ini

c:\windows\system32\mmqslbgm.ini

c:\windows\system32\mpnqdmts.ini

c:\windows\system32\msigbden.ini

c:\windows\system32\mxmbpjir.ini

c:\windows\system32\myuivvlt.ini

c:\windows\system32\nhrfrpdv.ini

c:\windows\system32\njbkosig.ini

c:\windows\system32\nryskwar.ini

c:\windows\system32\nwirsyxc.ini

c:\windows\system32\ocxhnjrj.ini

c:\windows\system32\ofqpowyv.ini

c:\windows\system32\ohfrbxwa.ini

c:\windows\system32\oipsymrl.ini

c:\windows\system32\oksglwan.ini

c:\windows\system32\omaudfkn.ini

c:\windows\system32\palxjwll.ini

c:\windows\system32\pbcqbkin.ini

c:\windows\system32\pqpsaxea.ini

c:\windows\system32\qcytcxqt.ini

c:\windows\system32\qsbechhi.ini

c:\windows\system32\reyvmdjc.ini

c:\windows\system32\rlbovlim.ini

c:\windows\system32\rwborumv.ini

c:\windows\system32\sivaboqi.ini

c:\windows\system32\sjhkfgni.ini

c:\windows\system32\smlkpjhf.ini

c:\windows\system32\smqmdsmo.ini

c:\windows\system32\smucmxcq.ini

c:\windows\system32\snrgrbht.ini

c:\windows\system32\sntueuql.ini

c:\windows\system32\spdnpatf.ini

c:\windows\system32\spyjcgcp.ini

c:\windows\system32\syvovyvm.ini

c:\windows\system32\tqjdvqcc.ini

c:\windows\system32\trlytqxx.ini

c:\windows\system32\twfjcata.ini

c:\windows\system32\ufpphkee.ini

c:\windows\system32\ugdjdwhg.ini

c:\windows\system32\ukugmkvs.ini

c:\windows\system32\uomtuvbe.ini

c:\windows\system32\uqglonoo.ini

c:\windows\system32\urpnvgan.ini

c:\windows\system32\vabwwbfu.ini

c:\windows\system32\vcgrdclu.ini

c:\windows\system32\vgcrmcal.ini

c:\windows\system32\vgsligxh.ini

c:\windows\system32\voaflsku.ini

c:\windows\system32\vpgetrda.ini

c:\windows\system32\vrwcwtpl.ini

c:\windows\system32\vupxhkge.ini

c:\windows\system32\vvdddsne.ini

c:\windows\system32\vwpwerlr.ini

c:\windows\system32\wcvaghft.ini

c:\windows\system32\welnnybg.ini

c:\windows\system32\wsbsjcva.ini

c:\windows\system32\wsduajrw.ini

c:\windows\system32\wxbvuxyd.ini

c:\windows\system32\wytijxtw.ini

c:\windows\system32\xhwnhcvx.ini

c:\windows\system32\xhylkynb.ini

c:\windows\system32\xifopdpn.ini

c:\windows\system32\xukgkdvk.ini

c:\windows\system32\yekvraes.ini

c:\windows\system32\ymmdssfg.ini

c:\windows\system32\ypsjwiof.ini

c:\windows\system32\zufajudi.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2009-09-20 to 2009-10-20 )))))))))))))))))))))))))))))))

.

2009-10-17 16:15 . 2009-10-17 16:17 -------- d-----w- c:\documents and settings\Anthony\Local Settings\Application Data\WinZip

2009-10-17 16:14 . 2009-10-17 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2009-10-13 06:23 . 2009-10-13 06:23 -------- d-----w- c:\program files\Trend Micro

2009-10-12 10:55 . 2009-10-12 11:22 1011342 ----a-w- c:\windows\system32\budidepu.exe

2009-10-12 06:20 . 2009-10-20 01:55 132 ----a-w- c:\windows\system32\rezumatenoi.dat

2009-10-12 03:20 . 2009-10-12 03:20 4 ----a-w- c:\windows\system32\aspdict-en.dat

2009-10-12 03:20 . 2009-10-12 03:20 16 ----a-w- c:\windows\system32\asdict.dat

2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\wsbl.dat

2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\ph_white.dat

2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\ph_summ.dat

2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\ph_black.dat

2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\pcwords2.dat

2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\pcwords.dat

2009-10-11 23:44 . 2009-10-20 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender

2009-10-11 23:44 . 2009-10-11 23:44 -------- d-----w- c:\program files\BitDefender

2009-10-11 23:43 . 2009-10-20 01:57 -------- d-----w- c:\program files\Common Files\BitDefender

2009-10-11 23:19 . 2009-10-11 23:29 -------- dc-h--w- c:\windows\ie8

2009-10-11 18:34 . 2009-10-11 18:34 -------- d-----w- C:\Log

2009-10-11 18:34 . 2009-10-11 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Clarus

2009-10-11 18:32 . 2009-10-11 18:32 -------- d-----w- c:\program files\Clarus

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-20 02:16 . 2005-10-03 18:09 -------- d-----w- c:\program files\Plaxo

2009-10-20 01:51 . 2007-08-18 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-10-17 17:12 . 2005-09-10 05:49 -------- d-----w- c:\program files\Java

2009-10-13 00:32 . 2007-09-21 01:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-10-11 22:57 . 2005-09-19 14:17 98840 ----a-w- c:\documents and settings\Anthony\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-11 18:32 . 2005-09-10 05:54 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-19 01:25 . 2009-09-19 01:25 -------- d-----w- c:\documents and settings\Anthony\Application Data\Malwarebytes

2009-09-19 01:25 . 2009-09-19 01:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-19 01:25 . 2009-09-19 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-11 14:18 . 2004-08-19 20:49 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-10 19:54 . 2009-09-19 01:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 19:53 . 2009-09-19 01:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-04 21:03 . 2004-08-19 20:49 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-03 13:01 . 2008-03-28 08:32 -------- d-----w- c:\program files\Diablo II

2009-08-29 08:08 . 2004-08-19 20:49 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2004-08-19 20:50 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-24 01:00 . 2009-08-24 00:57 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2009-08-23 08:06 . 2009-08-23 08:06 -------- d-----w- c:\program files\MSBuild

2009-08-23 08:06 . 2009-08-23 08:06 -------- d-----w- c:\program files\Reference Assemblies

2009-08-07 00:24 . 2004-08-19 21:04 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-07 00:24 . 2004-08-19 21:04 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-07 00:24 . 2005-09-29 15:02 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-07 00:24 . 2004-08-19 21:04 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-07 00:24 . 2004-08-19 21:04 53472 ----a-w- c:\windows\system32\wuauclt.exe

2009-08-07 00:24 . 2004-08-19 20:49 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-07 00:23 . 2004-08-19 21:04 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-07 00:23 . 2004-08-19 21:04 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-05 09:01 . 2004-08-19 20:49 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 15:13 . 2004-08-19 20:49 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-08-04 14:20 . 2004-08-04 03:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-07-31 20:23 . 2009-08-30 06:44 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-14 03:10 . 2009-10-11 23:48 46592 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll

2008-03-28 06:26 . 2006-01-20 21:14 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2008-03-28 06:26 . 2006-01-20 21:14 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2008-03-28 06:26 . 2007-07-07 02:12 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2008-03-28 06:26 . 2007-07-07 02:12 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2008-03-28 06:26 . 2006-01-20 21:14 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

2006-04-27 06:28 . 2006-04-27 03:59 652493 --sh--w- c:\windows\system32\rqtss.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"PlaxoUpdate"="c:\program files\Plaxo\3.22.0.7\PlaxoHelper_en.exe" [2009-07-10 378951]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-18 68856]

"PlaxoSysTray"="c:\program files\Plaxo\3.22.0.7\PlaxoSysTray.exe" [2009-07-10 20480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-24 7700480]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-24 86016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-09-10 98304]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\STSYSTRA.EXE [2005-03-23 339968]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-01-24 1622016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-9-10 24576]

Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2006-6-20 110592]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk

backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Anthony^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Anthony\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Anthony^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]

path=c:\documents and settings\Anthony\Start Menu\Programs\Startup\Registration Ghost Recon Advanced Warfighter.LNK

backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1138147086\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1138147086\\ee\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=

"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=

"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=

"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2_dedicated.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\WINDOWS\\system32\\dllhost.exe"=

.

Contents of the 'Scheduled Tasks' folder

2009-10-20 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-18 23:36]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: imageservr.com\locator.cdn

Trusted Zone: musicmatch.com\online

FF - ProfilePath - c:\documents and settings\Anthony\Application Data\Mozilla\Firefox\Profiles\afmeh64m.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxps://www.google.com

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

BHO-{517a881c-e126-49ad-8c06-0e71223b6ad0} - lobebafu.dll

BHO-{EFD500E1-9208-48E2-873D-D3A59FEC9483} - c:\windows\security\cacafx.dll

HKCU-Run-Aim6 - (no file)

Notify-cacafx - c:\windows\security\cacafx.dll

AddRemove-AOL Instant Messenger - c:\program files\AIM\uninstll.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-19 21:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1504)

c:\windows\system32\WININET.dll

c:\program files\Plaxo\3.22.0.7\plx_hook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe

c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe

c:\windows\ehome\ehRecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

c:\combofix\CF3621.exe

c:\windows\ehome\ehmsas.exe

.

**************************************************************************

.

Completion time: 2009-10-20 21:25 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-20 02:25

Pre-Run: 79,506,972,672 bytes free

Post-Run: 79,240,556,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 95FD409BC2DCBA38E2FC5014754063EF

New DDS Log

DDS (Ver_09-10-13.01) - NTFSx86

Run by Anthony at 21:42:06.55 on Mon 10/19/2009

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1270.809 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Plaxo\3.22.0.7\PlaxoHelper_en.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Anthony\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 3.1\aoltb.dll

mURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 3.1\aoltb.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [PlaxoUpdate] c:\program files\plaxo\3.22.0.7\PlaxoHelper_en.exe -a

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [PlaxoSysTray] c:\program files\plaxo\3.22.0.7\PlaxoSysTray.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [iPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\arcsoft\media card companion\MCC Monitor.exe

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-us\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: imageservr.com\locator.cdn

Trusted Zone: musicmatch.com\online

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128006131468

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab

Notify: igfxcui - igfxdev.dll

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anthony\applic~1\mozilla\firefox\profiles\afmeh64m.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxps://www.google.com

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-10-19 21:06 <DIR> a-dshr-- C:\cmdcons

2009-10-19 21:05 236,544 a------- c:\windows\PEV.exe

2009-10-19 21:05 161,792 a------- c:\windows\SWREG.exe

2009-10-19 21:05 98,816 a------- c:\windows\sed.exe

2009-10-13 01:23 <DIR> --d----- c:\program files\Trend Micro

2009-10-12 05:55 1,011,342 a------- c:\windows\system32\budidepu.exe

2009-10-12 01:20 132 a------- c:\windows\system32\rezumatenoi.dat

2009-10-11 22:20 16 a------- c:\windows\system32\asdict.dat

2009-10-11 22:20 4 a------- c:\windows\system32\aspdict-en.dat

2009-10-11 18:44 <DIR> --d----- c:\program files\BitDefender

2009-10-11 18:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender

2009-10-11 18:43 <DIR> --d----- c:\program files\common files\BitDefender

2009-10-11 18:19 <DIR> -cd-h--- c:\windows\ie8

2009-10-11 13:34 <DIR> --d----- C:\Log

2009-10-11 13:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Clarus

2009-10-11 13:32 <DIR> --d----- c:\program files\Clarus

==================== Find3M ====================

2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll

2009-09-11 09:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll

2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys

2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll

2009-09-04 16:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll

2009-08-28 05:35 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe

2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll

2009-08-26 03:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll

2009-08-23 20:00 43,520 a------- c:\windows\system32\CmdLineExt03.dll

2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll

2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll

2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll

2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe

2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll

2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll

2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll

2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll

2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe

2009-08-04 10:13 2,145,280 -------- c:\windows\system32\ntoskrnl.exe

2009-08-04 10:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-08-04 09:20 2,023,936 -------- c:\windows\system32\ntkrnlpa.exe

2009-08-04 09:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe

2009-08-04 09:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-07-31 15:23 411,368 a------- c:\windows\system32\deploytk.dll

2000-08-11 14:20 445,952 a------- c:\documents and settings\anthony\FCSS.EXE

2008-09-03 12:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 21:42:18.46 ===============

[Blade81]

Hi,

Are you familiar with c:\documents and settings\anthony\FCSS.EXE file?

Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\budidepu.exe
c:\windows\system32\rezumatenoi.dat
c:\windows\system32\rqtss.tmp
DDS::
Trusted Zone: imageservr.com\locator.cdn

Save this as

CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

Uninstall old Adobe Reader versions and get the latest one (9.2) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.

Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.

Uninstall these vulnerable Javas:

Java 2 Runtime Environment, SE v1.4.2_03

Java 6 Update 5

Java 6 Update 7

Download ATF (Atribune Temp File) Cleaner

[AdvancedSetup]

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

[AdvancedSetup]

Post reopened at user request.

[tonyb85]

11_01_09_Attach.zip

Blade,

Sorry, I have been really busy with work and family this past week and have not been able to get back to working on my problem computer. I really do appreciate your help though, and will make sure to post my future replies to your posts more quickly.

To answer your question, I am not familiar with the C:\documents and settings\anthony\FCSS.EXE file.

I ran ComboFix as instructed, by dragging the CFScript file onto ComboFix.exe. I uninstalled the old version of Adobe Reader I had and downloaded the new 9.2 version. I updated Adobe Flash for Internet Explorer. Since I no longer use Firefox, I just uninstalled Firefox rather than updating its Adobe Flash. I also uninstalled the vulnerable Java's as instructed. I ran ATF Cleaner.exe under both the "Main" and "Firefox" tabs (I uninstalled Firefox before that, but it still seemed to remove some files that Firefox had left on the computer). Lastly, I ran the online scanner from ESET. On the screen that had the option to check/uncheck "Remove found threats" it also had the option to check/uncheck "Scan archives". As you instructed, I unchecked the "Remove found threats" option. But I wasn't sure if I was supposed to check the "Scan archives" option, so I just left it unchecked. If that was not right, please let me know and I can re-run the ESET scanner.

At the top of this post I attached the new attach.zip file. Below I pasted the new logs for ComboFix, DDS, and the ESET Online Scanner, in that order. Thank you again for all of your help.

New ComboFix Log (dragging CFScript onto ComboFix.exe)

ComboFix 09-10-30.01 - Anthony 10/31/2009 22:11.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1270.828 [GMT -5:00]

Running from: c:\documents and settings\Anthony\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Anthony\Desktop\CFScript.txt

* Created a new restore point

FILE ::

"c:\windows\system32\budidepu.exe"

"c:\windows\system32\rezumatenoi.dat"

"c:\windows\system32\rqtss.tmp"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\budidepu.exe

c:\windows\system32\rezumatenoi.dat

c:\windows\system32\rqtss.tmp

.

((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))

.

2009-10-17 16:15 . 2009-10-17 16:17 -------- d-----w- c:\documents and settings\Anthony\Local Settings\Application Data\WinZip

2009-10-17 16:14 . 2009-10-17 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2009-10-13 06:23 . 2009-10-13 06:23 -------- d-----w- c:\program files\Trend Micro

2009-10-12 03:20 . 2009-10-12 03:20 4 ----a-w- c:\windows\system32\aspdict-en.dat

2009-10-12 03:20 . 2009-10-12 03:20 16 ----a-w- c:\windows\system32\asdict.dat

2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\wsbl.dat

2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\ph_white.dat

2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\ph_summ.dat

2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\ph_black.dat

2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\pcwords2.dat

2009-10-11 23:53 . 2009-10-11 23:53 0 ----a-w- c:\windows\system32\pcwords.dat

2009-10-11 23:44 . 2009-10-20 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender

2009-10-11 23:44 . 2009-10-11 23:44 -------- d-----w- c:\program files\BitDefender

2009-10-11 23:43 . 2009-10-20 01:57 -------- d-----w- c:\program files\Common Files\BitDefender

2009-10-11 23:19 . 2009-10-11 23:29 -------- dc-h--w- c:\windows\ie8

2009-10-11 18:34 . 2009-10-11 18:34 -------- d-----w- C:\Log

2009-10-11 18:34 . 2009-10-11 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Clarus

2009-10-11 18:32 . 2009-10-11 18:32 -------- d-----w- c:\program files\Clarus

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-01 01:54 . 2007-08-18 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-11-01 01:54 . 2005-10-03 18:09 -------- d-----w- c:\program files\Plaxo

2009-10-17 17:12 . 2005-09-10 05:49 -------- d-----w- c:\program files\Java

2009-10-13 00:32 . 2007-09-21 01:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-10-11 22:57 . 2005-09-19 14:17 98840 ----a-w- c:\documents and settings\Anthony\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-11 18:32 . 2005-09-10 05:54 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-19 01:25 . 2009-09-19 01:25 -------- d-----w- c:\documents and settings\Anthony\Application Data\Malwarebytes

2009-09-19 01:25 . 2009-09-19 01:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-19 01:25 . 2009-09-19 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-11 14:18 . 2004-08-19 20:49 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-10 19:54 . 2009-09-19 01:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 19:53 . 2009-09-19 01:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-04 21:03 . 2004-08-19 20:49 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-03 13:01 . 2008-03-28 08:32 -------- d-----w- c:\program files\Diablo II

2009-08-29 08:08 . 2004-08-19 20:49 916480 ------w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2004-08-19 20:50 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-24 01:00 . 2009-08-24 00:57 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2009-08-07 00:24 . 2004-08-19 21:04 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-07 00:24 . 2004-08-19 21:04 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-07 00:24 . 2005-09-29 15:02 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-07 00:24 . 2004-08-19 21:04 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-07 00:24 . 2004-08-19 21:04 53472 ------w- c:\windows\system32\wuauclt.exe

2009-08-07 00:24 . 2004-08-19 20:49 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-07 00:23 . 2004-08-19 21:04 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-07 00:23 . 2004-08-19 21:04 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-05 09:01 . 2004-08-19 20:49 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 15:13 . 2004-08-19 20:49 2145280 ------w- c:\windows\system32\ntoskrnl.exe

2009-08-04 14:20 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe

2009-09-14 03:10 . 2009-10-11 23:48 46592 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll

2008-03-28 06:26 . 2006-01-20 21:14 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2008-03-28 06:26 . 2006-01-20 21:14 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2008-03-28 06:26 . 2007-07-07 02:12 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2008-03-28 06:26 . 2007-07-07 02:12 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2008-03-28 06:26 . 2006-01-20 21:14 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"PlaxoUpdate"="c:\program files\Plaxo\3.22.0.7\PlaxoHelper_en.exe" [2009-07-10 378951]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-18 68856]

"PlaxoSysTray"="c:\program files\Plaxo\3.22.0.7\PlaxoSysTray.exe" [2009-07-10 20480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-24 7700480]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-24 86016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-09-10 98304]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\STSYSTRA.EXE [2005-03-23 339968]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-01-24 1622016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-9-10 24576]

Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2006-6-20 110592]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk

backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Anthony^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Anthony\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Anthony^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]

path=c:\documents and settings\Anthony\Start Menu\Programs\Startup\Registration Ghost Recon Advanced Warfighter.LNK

backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1138147086\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1138147086\\ee\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=

"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=

"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=

"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2_dedicated.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\WINDOWS\\system32\\dllhost.exe"=

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2

*NewlyCreated* - GTNDIS5

*NewlyCreated* - MBR

*NewlyCreated* - PCIIDEX_2

*Deregistered* - CLASSPNP_2

*Deregistered* - mbr

*Deregistered* - PCIIDEX_2

.

Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-18 23:36]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

FF - ProfilePath - c:\documents and settings\Anthony\Application Data\Mozilla\Firefox\Profiles\afmeh64m.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxps://www.google.com

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-31 22:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-11-01 22:19

ComboFix-quarantined-files.txt 2009-11-01 03:19

ComboFix2.txt 2009-10-20 02:25

Pre-Run: 79,421,681,664 bytes free

Post-Run: 79,383,916,544 bytes free

- - End Of File - - 55B6C7188D37575FA7223629B44B562B

New DDS Log

DDS (Ver_09-10-13.01) - NTFSx86

Run by Anthony at 0:13:45.50 on Sun 11/01/2009

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1270.798 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Plaxo\3.22.0.7\PlaxoHelper_en.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Anthony\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 3.1\aoltb.dll

mURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 3.1\aoltb.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [PlaxoUpdate] c:\program files\plaxo\3.22.0.7\PlaxoHelper_en.exe -a

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [PlaxoSysTray] c:\program files\plaxo\3.22.0.7\PlaxoSysTray.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [iPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [sunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\arcsoft\media card companion\MCC Monitor.exe

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-us\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: musicmatch.com\online

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128006131468

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab

Notify: igfxcui - igfxdev.dll

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-10-31 23:11 <DIR> --d----- c:\program files\ESET

2009-10-31 22:09 77,312 a------- c:\windows\MBR.exe

2009-10-31 22:09 <DIR> --d----- C:\ComboFix

2009-10-19 21:06 <DIR> a-dshr-- C:\cmdcons

2009-10-19 21:05 236,544 a------- c:\windows\PEV.exe

2009-10-19 21:05 161,792 a------- c:\windows\SWREG.exe

2009-10-19 21:05 98,816 a------- c:\windows\sed.exe

2009-10-13 01:23 <DIR> --d----- c:\program files\Trend Micro

2009-10-11 22:20 16 a------- c:\windows\system32\asdict.dat

2009-10-11 22:20 4 a------- c:\windows\system32\aspdict-en.dat

2009-10-11 18:44 <DIR> --d----- c:\program files\BitDefender

2009-10-11 18:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender

2009-10-11 18:43 <DIR> --d----- c:\program files\common files\BitDefender

2009-10-11 18:19 <DIR> -cd-h--- c:\windows\ie8

2009-10-11 13:34 <DIR> --d----- C:\Log

2009-10-11 13:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Clarus

2009-10-11 13:32 <DIR> --d----- c:\program files\Clarus

==================== Find3M ====================

2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll

2009-09-11 09:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll

2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys

2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll

2009-09-04 16:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll

2009-08-28 05:35 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe

2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll

2009-08-26 03:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll

2009-08-23 20:00 43,520 a------- c:\windows\system32\CmdLineExt03.dll

2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll

2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll

2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll

2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe

2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll

2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll

2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll

2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll

2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe

2009-08-04 10:13 2,145,280 -------- c:\windows\system32\ntoskrnl.exe

2009-08-04 10:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-08-04 09:20 2,023,936 -------- c:\windows\system32\ntkrnlpa.exe

2009-08-04 09:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe

2009-08-04 09:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe

2000-08-11 14:20 445,952 a------- c:\documents and settings\anthony\FCSS.EXE

2008-09-03 12:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 0:14:06.29 ===============

ESET Online Scanner Log

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=153bca6eddf4cc4f914c03ebe72538c2

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-11-01 05:05:54

# local_time=2009-11-01 12:05:54 (-0600, Central Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 712557 712557 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=120195

# found=284

# cleaned=0

# scan_time=2789

C:\Qoobox\Quarantine\C\WINDOWS\security\xfacac.bak1.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\security\xfacac.bak2.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\security\xfacac.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\security\xfacac.ini2.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\security\xfacac.tmp.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\acabrqdd.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\adtsgqot.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\advewkqt.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\aeoetwhh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\affsyiev.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\anicojte.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\awntacmc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\axektgol.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\bbjfjekq.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\bsjmoyda.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\bvycpbmv.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\bxoaudkv.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\caqbjgnx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\cccjemng.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\cepeupya.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\cidvlpgc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\crbxbltm.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\dnrkeexg.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\dopgsiii.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\dselxscf.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\dusawgtd.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\dxiqffva.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\dyhjgweq.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\dywahuno.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\eaxbeuyr.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\eedyiljh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\eftsekth.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\egrpsohj.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\esirnpbw.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\essgrvtk.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\etsohqmc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\fafsmyki.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\ffjbjgoy.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\ggvjmxoe.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\ghambqve.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\ghkykjbn.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\glcihujm.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\gpxabfbc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\gqnyphnt.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\gtdhlgnf.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\gwflggmx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\hcqxjffw.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\hihknxxx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\hkwkyqoh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\hlwsefvi.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\hseqmbro.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\ibwgptqr.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\iecjqytj.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\ifvrvvby.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\iinsvwko.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\iksbihoa.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\inyqeawo.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\jfhfwpyd.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\jglsjkbf.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\jhnuswde.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\jidndeaj.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\jodtweri.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\jrrvuxkh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\jtppoaft.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\jwqqweet.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\kjomkvkh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\klfybiij.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\lfwcygpl.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\ljtfxdox.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\lqdrbvkd.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\lrvsydhj.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\lsgapxej.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\lttkbuwn.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\lvckhxcf.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\lwotxtvq.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\lwyndixx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\mjvtxonk.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\mmqslbgm.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\mpnqdmts.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\msigbden.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\mxmbpjir.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\myuivvlt.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\nhrfrpdv.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\njbkosig.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\nryskwar.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\nwirsyxc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\ocxhnjrj.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\ofqpowyv.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\ohfrbxwa.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\oipsymrl.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\oksglwan.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\omaudfkn.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\palxjwll.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\pbcqbkin.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\pqpsaxea.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\qcytcxqt.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\qsbechhi.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\reyvmdjc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\rlbovlim.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\rqtss.tmp.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\rwborumv.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\sivaboqi.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\sjhkfgni.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\smlkpjhf.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\smqmdsmo.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\smucmxcq.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\snrgrbht.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\sntueuql.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\spdnpatf.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\spyjcgcp.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\syvovyvm.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\tqjdvqcc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\trlytqxx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\twfjcata.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\ufpphkee.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\ugdjdwhg.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\ukugmkvs.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\uomtuvbe.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\uqglonoo.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\urpnvgan.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\vabwwbfu.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\vcgrdclu.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\vgcrmcal.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\vgsligxh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\voaflsku.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\vpgetrda.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\vrwcwtpl.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\vupxhkge.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\vvdddsne.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\vwpwerlr.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\wcvaghft.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\welnnybg.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\wsbsjcva.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\wsduajrw.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\wxbvuxyd.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\wytijxtw.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\xhwnhcvx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\xhylkynb.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\xifopdpn.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\xukgkdvk.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\yekvraes.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\ymmdssfg.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\ypsjwiof.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP871\A0177457.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP871\A0177459.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP871\A0177461.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181015.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181025.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181026.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181027.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181028.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181029.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181030.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181031.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181032.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181033.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181034.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181036.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181037.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181038.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181039.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181040.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181041.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181042.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181043.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181044.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181045.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181046.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181047.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181048.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181049.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181050.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181051.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181052.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181053.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181054.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181055.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181056.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181057.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181058.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181059.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181060.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181061.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181062.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181063.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181064.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181065.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181066.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181067.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181068.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181069.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181070.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181071.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181072.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181073.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181074.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181075.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181076.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181077.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181078.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181079.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181080.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181081.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181082.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181083.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181084.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181085.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181086.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181087.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181088.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181089.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181090.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181091.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181092.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181093.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181094.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181095.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181096.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181097.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181098.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181099.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181100.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181101.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181102.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181103.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181104.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181105.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181106.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181107.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181108.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181109.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181110.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181111.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181112.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181113.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181114.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181115.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181116.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181117.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181118.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181119.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181120.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181121.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181122.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181123.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181124.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181125.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181126.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181127.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181128.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181129.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181130.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181131.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181132.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181133.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181134.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181135.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181136.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181137.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181138.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181139.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181140.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181141.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181142.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181143.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181144.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181145.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181146.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181147.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181148.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181149.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181150.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181151.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181152.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181153.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181154.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181155.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181156.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181157.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181158.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181159.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181160.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181161.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP888\A0181162.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

[Blade81]

Sorry, I have been really busy with work and family this past week and have not been able to get back to working on my problem computer. I really do appreciate your help though, and will make sure to post my future replies to your posts more quickly.

That's ok. I do understand

To answer your question, I am not familiar with the C:\documents and settings\anthony\FCSS.EXE file.

Ok. You may delete it then.

ESET findings will be removed when ComboFix is uninstalled and system restore resetted (will be done in the final stage). How's the system running now?

[tonyb85]

Thanks for the quick reply again.

As instructed, I deleted the C:\documents and settings\anthony\FCSS.EXE file.

I assume you mean the ESET files stored in the C:\Program Files\ESET folder. I am not familiar with how to reset system restore, but since you said that it will be done "in the final stage" I assume that you will tell me when and how to do it.

As for how the system is running now, I would say that it seems to be working fine (I have not noticed any current problems - aside from the obvious presence of viruses that show up in the scans you have me doing). The infected computer never really stopped working. If I remember correctly, the reason that I realized I had the virus/es was that I began to get fake alert pop-ups a few months or so before I first posted on this forum. Since you have begun helping me, I have not seen anymore fake alert pop-ups, but since then I have only enabled the computer's internet connection when I am running ComboFix or replying on this forum (not sure if the internet connection would factor into those pop-ups appearing). Aside from the fake alert pop-ups, there are two other issues I can think of that occurred occasionally in the past on the infected computer. I am not sure if these were caused by the virus/es or something else. The only other thing I can think of that may have caused these two other issues (if the virus/es did not cause them), is that I had a graphics card in my computer for about a year or two (up until about a few months before I began seeing the fake alert pop-ups) that said it was supposed to be used with a power supply with a slightly higher power output than the one that I had in my computer. Nevertheless the graphics card did work for the time period I had it installed, but it finally stopped working after a year or two (and I removed it a few months before I began getting the fake alert pop-ups). Below I have listed the two other issues that may be related to the virus/es or my old graphics card. I think these two issues began happening a year or two before I first began seeing the fake alert pop-ups (somewhere close to when I installed the graphics card). I don't believe I have had these two issues come up lately, although I have not been turning on the infected computer very often - less than five times per week (I only use the infected computer when I am following your instructions and posting logs to this forum). But I do believe the two issues were both occurring right up to the time that I removed the graphics card (and they may have even continued to occur while I was getting the fake alert pop-ups, a few months after the graphics card was removed - unfortunately, I am not sure about that).

1) This first issue happened somewhat irregularly. I am guessing that it probably happened somewhere between 1/10 to 1/20 of the times I turned on my computer (I never documented it though, so I am not sure). When I would turn on my computer, after Windows was done loading and I saw my usual desktop display, I was unable to open any programs (although I could double click things on the desktop; they just would not open) and if I scrolled my cursor anywhere over the Windows Taskbar and Start Menu I would just see the hour glass icon and not be able to open the Start Menu or anything on the Taskbar. I don't think I was able to use CTRL+ALT+DELETE to open Task Manager either, as I always had to resolve the issue by just powering down the computer tower. After powering down the computer and then turning the power on again, I do not think I ever had this issue twice in a row (on two consecutive start-ups).

2) This second issue happened more rarely. I am guessing that it happened maybe once or twice a month, maybe less (at that time I was using the computer every day). When I would be doing something on the computer (usually playing some newer, graphics-intensive game) a Blue Screen Of Death would appear and I would have to power down the pc and reboot. I don't remember what error the Blue Screen Of Death displayed. It may have been the same error every time. But I am not sure. When this first started happening I was not having the fake alert pop-ups and I was guessing that it may have been related to the Power Supply overheating as a result of the high power requirement of the graphics card (but that was just a guess).

Sorry those are kind of long descriptions, but I just wanted to be thorough. I have two other quick questions for you. Is there any sign that the virus/es I have on my computer are backdoor viruses and should I be worried about identity theft (e.g. credit card fraud) with infection that my computer had?

Thanks again for your help.

[Blade81]

Is there any sign that the virus/es I have on my computer are backdoor viruses and should I be worried about identity theft (e.g. credit card fraud) with infection that my computer had?

I don't see backdoor related stuff there. However, changing online passwords regularly is recommended.

Anyway, I think it's now time to do system resetting and other stuff

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

NOTE: only do this ONCE,NOT on a regular basis

Now lets uninstall ComboFix:

• Click START then RUN
  
• Now copy-paste Combofix /uninstall in the runbox and click OK
  

Next we remove all used tools.

Please download OTC and save it to desktop.

• Double-click OTC.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the
  Begin cleanup Process?
  prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it by yourself.
  

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

• hosts file:
  
  • Every version of windows has a hosts file as part of them.
    
  • In a very basic sense, they are used to locate webpages.
    
  • We can customize a hosts file so that it blocks certain webpages.
    
  • However, it can slow down certain computers.
    
  • This is why using a hosts file is optional!!
    

  Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here

  If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:

  1. 
     
     
  2. Click the start button (at the lower left hand corner of your screen)
     
  3. Click run
     
  4. In the dialog box, type services.msc
     
  5. hit enter, then locate dns client
     
  6. Highlight it, then double-click it.
     
  7. On the dropdown box, change the setting from automatic to manual.
     
  8. Click ok
     

  [*]Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. See here to choose one

  [*]Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.

  See here to choose one if you don't have a 3rd party firewall.

Just a final reminder for you. I am trying to stress these two points.

UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.

Make sure all of your security programs are up to date.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,

Blade

[tonyb85]

I followed the steps you gave: resetting system restore, uninstalling ComboFix, downloading and running OTC Cleanup, getting every new update available from Windows Update.

The OTC Cleanup didn't remove all the tools we used (I assume it wasn't supposed to). I will just manually delete/uninstall what was left (HijackThis, dds.scr, ATF-Cleaner).

I am running Microsoft Office 2003 on my computer. I went to the Microsoft Office website, but it just redirected me to the Windows Update site for updates. I am assuming Microsoft Office just does all its updates through that site (as it offered me several updates for Office after redirecting me there).

As far as making Internet Explorer more secure, I actually only had to change one of the settings that you mentioned (as my settings were already identical to your suggestions). The only one that was different was that I had "Navigate windows and frames across different domains" set to Disable (so I changed it to Prompt).

I will read through that hosts file link when I have a little more time. As you said it is optional, and I want to make sure it is something that will do more good than harm.

As far as antivirus software and firewalls go, I have trouble telling what is the best to use. I looked at the links you provided, but there are a lot of options there. Preferably I would like something that is pretty self-sufficient (not requiring a lot of active involvement). I was wondering if the free antivirus and free firewalls work as well as the internet security packages that you have to pay for (e.g. Norton Antivirus, Kaspersky, BitDefender, etc.). What do you think about that?

For now I just re-installed the 30-day trial of BitDefender Total Security 2010. I'll just use that until I can figure out what other program(s) to use.

Even though I have Automatic Updates enabled for my computer is it still important to go to the Windows Update manually from time to time? I guess the only reason I would see is to install the optional updates that are not installed by the Automatic update feature.

Right now, the system is working smoothly. I will start using it again for regular computing in the next few days. If any problems come up I will keep you posted.

One last question. I am wondering what the best scan is to determine if your computer is infected with malware/viruses? I mean obviously if my BitDefender daily scans show something I will know there is something present. But is there a better scan that I should do occasionally to make sure that my computer is clean, like the MBAM scan or some other one? I have another computer that I would like to scan to make sure it is free of malware (it does not show any symptoms of being infected, but I just want to be sure).

Thanks again Blade. I really appreciate all your help.

[Blade81]

You're welcome

Good free antivirus programs are:

Antivir

Avast!

Good commercial ones are from:

Kaspersky and

ESET

If you don't need an email scanner then free options will do their work.

For now I just re-installed the 30-day trial of BitDefender Total Security 2010. I'll just use that until I can figure out what other program(s) to use.

Remember that after trial is expired you won't get new definition updates -> BitDefender won't necessarily detect new threats.

One last question. I am wondering what the best scan is to determine if your computer is infected with malware/viruses? I mean obviously if my BitDefender daily scans show something I will know there is something present. But is there a better scan that I should do occasionally to make sure that my computer is clean, like the MBAM scan or some other one? I have another computer that I would like to scan to make sure it is free of malware (it does not show any symptoms of being infected, but I just want to be sure).

Each system should have both antivirus and antispyware scanner. MBAM is a good choice for the latter one. Just remember to keep its definitions up-to-date.

[tonyb85]

I did a couple scans with BitDefender today and yesterday and a few items came up. BitDefender calls them Rootkit-Hidden Items (I do not believe they are related to the infection/viruses I had), but the only options BitDefender offers for dealing with the files is to

[Blade81]

Hi,

Since all the text was written there without line breaks it was a bit hard to read. Let's hope we got all the folder names here.

Click start->run->write cmd.exe and press enter. Copy-paste following three commands one by one to your command prompt window (press enter after each command):

rd /s /q "\\?\%userprofile%\My Documents\undeletable\When the Pawn Hits the Conflicts He Thinks Like a King.."

rd /s /q "\\?\%userprofile%\My Documents\undeletable\Fiona Apple\When the Pawn Hits the Conflicts He Thinks Like a King.."

rd /s /q "\\?\%userprofile%\My Documents\My Music\Supertramp\Even in the Quietest Moments.."

Let me know how it goes.

[tonyb85]

Thanks Blade, that got rid of all the problem files. I'll let you know if anything else comes up.

[Blade81]

You're welcome