titan-nerd

Windows Security Alert won't die!


Help! I tried updating Malwarebytes, but was blocked. Finally got a full scan to run, then it froze during the 'quarantining...' session. Finally got a full scan to run in SAFE MODE (log below), selected 'Remove all', but the log shows 'No action taken'. And 'Windows Security Alert' is still popping up over and over.

So, I:

1) ran full scan in safe mode (log below)

2) restarted in normal mode - virus still present

3) in safe mode, ran HijackThis (log below)

Below are the 2 logs - let me know what action should be taken - thanks in advance...

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 7.0.5730.11

9/6/2010 4:33:48 PM

mbam-log-2010-09-06 (16-33-48).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 403994

Time elapsed: 3 hour(s), 56 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 7

Registry Values Infected: 3

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 12

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmarbcqhcpcrj (Trojan.DNSChanger) -> No action taken.

HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> No action taken.

HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> No action taken.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\active security (Rogue.ActiveSecurity) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autorun_val (Rogue.AntiSpyCheck) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antispycheck 2.1 (Rogue.AntiSpyCheck) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.74,93.188.161.7 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d0ff4584-cbef-4670-878e-8260e2debda9}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.74,93.188.161.7 -> No action taken.

Folders Infected:

C:\WINDOWS\PRAGMArbcqhcpcrj (Trojan.DNSChanger) -> No action taken.

Files Infected:

C:\Documents and Settings\jt2\Local Settings\Temp\PRAGMA348f.tmp (Trojan.Agent) -> No action taken.

C:\WINDOWS\PRAGMArbcqhcpcrj\PRAGMAd.sys (Trojan.DNSChanger) -> No action taken.

C:\WINDOWS\PRAGMArbcqhcpcrj\pragmabbr.dll (Trojan.DNSChanger) -> No action taken.

C:\WINDOWS\PRAGMArbcqhcpcrj\PRAGMAc.dll (Trojan.DNSChanger) -> No action taken.

C:\WINDOWS\PRAGMArbcqhcpcrj\PRAGMAcfg.ini (Trojan.DNSChanger) -> No action taken.

C:\WINDOWS\PRAGMArbcqhcpcrj\pragmaserf.dll (Trojan.DNSChanger) -> No action taken.

C:\WINDOWS\PRAGMArbcqhcpcrj\PRAGMAsrcr.dat (Trojan.DNSChanger) -> No action taken.

C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll (Rootkit.TDSS) -> No action taken.

C:\Documents and Settings\jt3\Local Settings\Temp\pragmamainqt.dll (Rootkit.TDSS) -> No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\pragmamainqt.dll (Rootkit.TDSS) -> No action taken.

C:\Documents and Settings\jt2\Local Settings\Temp\asd20.tmp.exe (Rogue.Installer) -> No action taken.

C:\Documents and Settings\jt2\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> No action taken.

------------------------

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 5:01:38 PM, on 9/6/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17080)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\hjthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092

O2 - BHO: Download Manager Browser Helper Object - {19C8E43B-07B3-49CB-BFFC-6777B593E6F8} - C:\PROGRA~1\COMMON~1\fluxDVD\DOWNLO~1\XEBDLH~1.DLL

O2 - BHO: Burn4Free Toolbar Helper - {D187A56B-A33F-4CBE-9D77-459FC0BAE012} - C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Burn4Free Toolbar - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll

O4 - HKLM\..\Run: [urovawubixaxayu] rundll32.exe "C:\WINDOWS\ofesejadazayuju.dll",Startup

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe

O4 - HKLM\..\Run: [update] C:\WINDOWS\system32\7.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [sAUpdate] "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"

O4 - HKLM\..\Run: [sAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NBAgent] "C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [HB Kernel] RUNDLL32.EXE C:\WINDOWS\system32\HBKrnl.dll,DllRegisterServer

O4 - HKLM\..\Run: [CinemaNowMediaManagerApp] C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe -start

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [bJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [fuinixsp] C:\Documents and Settings\jt2\Local Settings\Application Data\hblhjqcrp\aaposdpshdw.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe

O4 - HKCU\..\Run: [Whanavade] rundll32.exe "C:\WINDOWS\kbdelh.dll",Startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\system32\MANTEC~1\userinit.exe" -vt yazb

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Hpgfy] "C:\Program Files\Common Files\s?stem32\w?auboot.exe"

O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [sWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1010011 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [sWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1010011 (User 'Default user')

O4 - S-1-5-18 Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')

O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: MortCalcApplet - http://www.homeseekers.com/Applets/MortCal...tCalcApplet.cab

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader41.cab

O16 - DPF: {BD4C7EDB-A392-11D9-8BFB-0040953018D7} (PhaseCaster Widget) - http://www.streamerp2p.com/sfiles/phasex.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://csufvpns.fullerton.edu/dana-cached/...perSetupSP1.cab

O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://csufvpns.fullerton.edu/dana-cached/...SetupClient.cab

O16 - DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - http://www.mtv.com/overdrive/bin/setup.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: @C:\Program Files\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files\Nero\Update\NASvc.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: VPNGuardService - OPSWAT, Inc. - C:\Program Files\OPSWAT\VPNGuard\VPNGuardService.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 10902 bytes

mbam_log_2010_09_06__16_33_48_.txt

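The log above records detections but no removal: every entry still ends in "No action taken", and the Registry Data Items carry the DNS servers the DNSChanger entry set and the flipped Task Manager policy. As an added illustration (not part of this thread and not Malwarebytes' own tooling), the script below parses a log in that format and summarises it the way a helper reads it. The log text inside the script is a constructed, shortened copy of the posted log; the regular expressions and the `triage` helper are mine, written against the visible layout of the log rather than a published specification.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and summarise its findings.
Added example for this thread, not Malwarebytes' own code: the patterns follow the
visible layout of the posted log, not a published log specification."""
import re
from collections import Counter, namedtuple

# Constructed, shortened copy of the log posted in the thread (same layout,
# fewer entries; the summary counts match the entries kept here).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Database version: 4052
Windows 5.1.2600 Service Pack 3 (Safe Mode)

Registry Keys Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmarbcqhcpcrj (Trojan.DNSChanger) -> No action taken.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.74,93.188.161.7 -> No action taken.

Folders Infected:
C:\WINDOWS\PRAGMArbcqhcpcrj (Trojan.DNSChanger) -> No action taken.

Files Infected:
C:\WINDOWS\PRAGMArbcqhcpcrj\PRAGMAd.sys (Trojan.DNSChanger) -> No action taken.
C:\Documents and Settings\jt2\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> No action taken.
"""

SECTIONS = ("Memory Processes", "Memory Modules", "Registry Keys",
            "Registry Values", "Registry Data Items", "Folders", "Files")
SECTION_RE = re.compile(r"^(" + "|".join(SECTIONS) + r") Infected:$")
# Entry layout: "<path> (<family>) [-> <detail>] -> <action>."
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?:(?P<detail>.+) -> )?(?P<action>.+?)\.?$")

# detail is "Data: ..." or "Bad: (1) Good: (0)" for registry data items, else None
Finding = namedtuple("Finding", "section path family action detail")


def parse_mbam_log(text):
    """Return (headers, findings): 'key: value' header lines and the per-section entries."""
    headers, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif section is None:                 # still inside the header block
            if ": " in line:
                key, _, value = line.partition(": ")
                headers[key] = value
            elif line.startswith("Windows "):
                headers["Windows"] = line
        else:
            e = ENTRY_RE.match(line)          # "(No malicious items detected)" does not match
            if e:
                findings.append(Finding(section, e["path"], e["family"], e["action"], e["detail"]))
    return headers, findings


def triage(headers, findings):
    """Summarise a parsed log the way a helper reads it."""
    # DNS servers a DNSChanger entry wrote into Tcpip\Parameters...\NameServer.
    dns_servers = []
    for f in findings:
        if f.path.endswith("\\NameServer") and f.detail and f.detail.startswith("Data: "):
            dns_servers += [s.strip() for s in f.detail[len("Data: "):].split(",") if s.strip()]
    # Policy values the scanner reports as flipped away from their good value.
    tampered = [f.path.rsplit("\\", 1)[-1]
                for f in findings if f.detail and f.detail.startswith("Bad: ")]
    # Cross-check the summary counts against the entries actually listed.
    mismatch = {}
    for sec in SECTIONS:
        declared = headers.get(f"{sec} Infected")
        actual = sum(1 for f in findings if f.section == sec)
        if declared is not None and int(declared) != actual:
            mismatch[sec] = (int(declared), actual)
    return {
        "total": len(findings),
        "unremediated": sum(1 for f in findings if f.action == "No action taken"),
        "families": Counter(f.family for f in findings),
        "dns_servers": dns_servers,
        "tampered_policies": tampered,
        "safe_mode": "(Safe Mode)" in headers.get("Windows", ""),
        "count_mismatch": mismatch,
    }


if __name__ == "__main__":
    for key, value in triage(*parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the full posted log, `unremediated` equals `total`, which is exactly the situation described in the post: the scan found the items but nothing was quarantined. The `count_mismatch` check is there because a log whose summary counts disagree with its listed entries is a sign the scan or the log write was interrupted, which matches the freeze during quarantining described above.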

Hi, titan-nerd

Please download and run Rkill by Grinler from any of the following locations (Vista and Win7: to run the application, right click on Rkill and choose Run as an Administrator):

  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

     -----------------------------------------------------------

     • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
     • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

     -----------------------------------------------------------

     • Close any open browsers.
     • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
     • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
     • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

     -----------------------------------------------------------

  4. Double click on combofix.exe & follow the prompts.
  5. Install the Recovery Console if prompted.
  6. When finished, it will produce a report for you.
  7. Please post the "C:\ComboFix.txt".

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.


JSntgRvr - Thanks for your quick response. Question: Should these steps be done in 'normal' mode or safe mode?

I assumed normal... the pop-ups start after about 30 seconds. Message says 'Application cannot be executed. The file regedit.exe is infected. Do you want to activate your abtivirus software now?'

I ran rkill from the desktop - messages continued. I left messages up and ran rkill a few more times - didn't seem to do anything.

I then ran combofix from the desktop - saw a quick status bar, then it disappeared. Checked for the c:\combofix.txt file but there was just an old one from 2008. I deleted the old one, then ran it again - no file was created.

I will try again in safe mode (affected machine is a desktop, Win XP SP3). Please let me know if this will work, or if normal mode is needed, or other things to try to get rkill and combofix to run. Thanks.

Titan-Nerd


If unable to run these applications in Safe Mode, then read and follow these steps:

Remove the current copy of Combofix, then please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
     • Tools->Options->Main tab
     • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:

     CF_download_FF.gif

     CF_download_rename.gif

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

     -----------------------------------------------------------

     • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
     • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

     -----------------------------------------------------------

     • Close any open browsers.
     • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
     • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
     • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

     -----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. Install the Recovery Console if prompted.
  9. When finished, it will produce a report for you.
  10. Please post the "C:\Combo-Fix.txt".

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.


Okay - I got these to run in safe mode. There was a problem w/combofix the first time - as it finished, it rebooted the machine to normal mode. The viruses seemed to interfere: the 'Preparing log report' message was up, then the window disappeared as well as all desktop icons. Only virus pop-ups were left. Report file was empty (0kb).

Started over and everything ran fine without rebooting. Pasted below is the report - let me know what's next - thanks.

ComboFix 10-09-06.03 - Owner 09/07/2010 0:21.3.2 - x86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.272 [GMT -8:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))

.

2010-09-07 01:00 . 2010-09-07 01:01 -------- d-----w- c:\program files\hjthis

2010-09-06 12:20 . 2010-09-06 12:20 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth

2010-09-06 12:10 . 2010-09-06 12:10 -------- d-----w- C:\88f47719129d11e046

2010-09-05 21:27 . 2010-09-05 21:27 -------- d-----w- c:\documents and settings\jt3\Local Settings\Application Data\Wildtangent

2010-09-05 21:27 . 2010-09-05 21:27 -------- d-----w- c:\documents and settings\jt3\Local Settings\Application Data\Apple Computer

2010-09-05 21:27 . 2010-09-05 21:27 -------- d-----w- c:\documents and settings\jt3\Application Data\Nero

2010-09-05 21:26 . 2010-09-05 21:26 -------- d-----w- c:\documents and settings\jt3\Local Settings\Application Data\{F42B5BD8-2F76-44AD-8AD7-DFDFB881A360}

2010-09-03 03:38 . 2010-04-29 23:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-03 03:38 . 2010-04-29 23:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-30 00:17 . 2010-08-30 00:17 -------- d-----w- C:\643794edde917d5bca7549770b

2010-08-28 15:10 . 2010-08-28 15:10 -------- d-----w- C:\Network Associates

2010-08-28 15:10 . 2010-08-28 15:10 -------- d-----w- c:\program files\Common Files\Network Associates

2010-08-28 04:17 . 2010-09-07 06:49 2838 ----a-w- c:\windows\Rbimuyo.dat

2010-08-28 04:17 . 2010-09-06 11:57 0 ----a-w- c:\windows\Cpeyu.bin

2010-08-28 04:17 . 2010-08-28 04:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{98BD4939-60FF-495D-A92A-31D2E5B99E5B}

2010-08-19 07:21 . 2010-08-20 03:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\veyxmgxve

2010-08-18 11:14 . 2010-08-18 11:14 -------- d-----w- C:\1fa8018bf28e3ac594cc9665cc2ad345

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-07 08:08 . 2003-04-10 11:18 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-09-05 21:46 . 2008-06-23 14:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-04 15:57 . 2010-09-05 21:19 158292 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat

2010-09-04 07:03 . 2004-03-25 06:05 -------- d-----w- c:\program files\Paint Shop Pro 6

2010-08-28 15:11 . 2004-09-15 05:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Associates

2010-08-28 15:11 . 2004-09-15 05:35 -------- d-----w- c:\program files\Network Associates

2010-07-26 00:21 . 2004-08-21 19:48 46464 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-30 12:31 . 2001-01-03 13:11 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:15 . 2004-02-07 01:05 832512 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 12:15 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-06-24 12:15 . 2001-01-03 13:38 17408 ----a-w- c:\windows\system32\corpol.dll

2010-06-23 13:44 . 2001-01-03 13:12 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2001-01-03 13:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2001-01-03 13:38 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2001-01-03 13:38 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe

2010-06-14 07:41 . 2001-01-03 13:11 1172480 ----a-w- c:\windows\system32\msxml3.dll

2007-05-28 07:42 . 2007-05-28 07:42 2874926 ----a-w- c:\program files\FLV PlayerRCATSetup.exe

2007-05-28 07:42 . 2007-05-28 07:41 25990392 ----a-w- c:\program files\FLV PlayerRCSetup.exe

2003-04-10 11:19 . 2003-04-10 11:19 32 --sha-w- c:\windows\{FC92DEF6-B98A-462F-BDEC-6F8042F11C76}.dat

2007-03-09 08:12 . 2007-03-09 08:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll

2007-04-16 15:52 . 2007-04-16 15:52 7680 --sha-w- c:\windows\system32\dfxh.dll

2007-04-16 15:52 . 2007-04-16 15:52 7680 --sha-w- c:\windows\system32\vfdh.dll

2003-04-10 11:19 . 2003-04-10 11:19 32 --sha-w- c:\windows\system32\{9E165BF4-5E4A-49D1-BA74-00B57060829D}.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]

2009-02-01 03:28 806912 ----a-w- c:\program files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "c:\program files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [2009-02-01 806912]

[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "c:\program files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [2009-02-01 806912]

[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Hpgfy"="c:\program files\Common Files\s?stem32\w?auboot.exe" [?]

"CTZDetec.exe"="c:\program files\Creative\Creative Media Lite\CTZDetec.exe" [2007-12-18 401408]

"NVIEW"="nview.dll" [2003-03-03 831557]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]

"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-08-30 980736]

"WT GameChannel"="c:\program files\WildTangent\Apps\GameChannel.exe" [2002-12-04 184800]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-29 180269]

"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-18 69632]

"SAUpdate"="c:\program files\Comcast\BBClient\Programs\SAUpdate.exe" [2002-12-20 36864]

"SAClient"="c:\program files\Comcast\BBClient\Programs\RegCon.exe" [2002-12-20 184320]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-03-18 331776]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]

"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]

"nwiz"="nwiz.exe" [2003-03-03 323584]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-03 4595712]

"NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-04-03 1234216]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-12 114688]

"CinemaNowMediaManagerApp"="c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe" [2008-09-23 2022248]

"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-03 58392]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-12-03 54296]

"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 69632]

"BJPD HID Control"="c:\program files\Canon\BJPV\TVMon.exe" [2003-01-22 45056]

"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-08-01 684032]

"fuinixsp"="c:\documents and settings\jt2\Local Settings\Application Data\hblhjqcrp\aaposdpshdw.exe" [2010-09-04 241152]

"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2004-01-02 54424]

"NVIEW"="nview.dll" [2003-03-03 831557]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [2010-08-29 53248]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSubtract.exe [2003-4-10 552960]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-3-23 49254]

America Online 8.0 Tray Icon.lnk - c:\program files\America Online 8.0\aoltray.exe [2003-12-11 36939]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2002-9-20 53248]

Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-4-9 16384]

VPNGuardUI.lnk - c:\program files\OPSWAT\VPNGuard\VPNGuardUI.exe [2005-9-6 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLinkedConnections"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]

2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=

"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=

S1 NEOFLTR_610_13437;Juniper Networks TDI Filter Driver (NEOFLTR_610_13437);c:\windows\system32\drivers\NEOFLTR_610_13437.sys [7/30/2008 11:04 PM 64160]

S1 NEOFLTR_650_15255;Juniper Networks TDI Filter Driver (NEOFLTR_650_15255);c:\windows\system32\drivers\NEOFLTR_650_15255.SYS [3/19/2010 8:28 AM 85360]

S2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [9/22/2008 9:49 PM 138616]

S2 mrtRate;mrtRate; [x]

S2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [3/25/2010 2:39 PM 490280]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/1/2007 8:31 PM 24652]

S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]

S3 phy;phy;c:\windows\system32\drivers\phy.sys [4/19/2008 10:24 AM 1536]

S3 VPNGuardService;VPNGuardService;c:\program files\OPSWAT\VPNGuard\VPNGuardService.exe [9/6/2005 12:02 PM 294912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 01:57]

2010-06-18 c:\windows\Tasks\Megan.job

- c:\program files\Nero\Nero 10\Nero BackItUp\NBCore.exe [2010-04-03 09:27]

2004-03-22 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job

- c:\progra~1\NORTON~1\NAVW32.exe [2002-11-15 09:31]

2008-05-27 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-04-10 22:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.iwon.com/

uInternet Settings,ProxyServer = http=127.0.0.1:6092

uInternet Settings,ProxyOverride = <local>;localhost

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

LSP: SpSubLSP.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: MortCalcApplet - hxxp://www.homeseekers.com/Applets/MortCalcApplet/MortCalcApplet.cab

DPF: {BD4C7EDB-A392-11D9-8BFB-0040953018D7} - hxxp://www.streamerp2p.com/sfiles/phasex.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://csufvpns.fullerton.edu/dana-cached/sc/JuniperSetupClient.cab

DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - hxxp://www.mtv.com/overdrive/bin/setup.exe

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Whanavade - c:\windows\kbdelh.dll

HKCU-Run-Notn - c:\windows\system32\MANTEC~1\userinit.exe

HKLM-Run-Urovawubixaxayu - c:\windows\ofesejadazayuju.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-07 00:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTZDetec.exe = c:\program files\Creative\Creative Media Lite\CTZDetec.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(276)

c:\program files\Softex\OmniPass\opxpgina.dll

- - - - - - - > 'explorer.exe'(532)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

.

Completion time: 2010-09-07 00:47:21

ComboFix-quarantined-files.txt 2010-09-07 08:47

ComboFix2.txt 2010-09-07 08:11

Pre-Run: 55,177,256,960 bytes free

Post-Run: 55,139,921,920 bytes free

- - End Of File - - 3BCDDDB8BA1CB911D2BF8DF569BBACB5


Hi, titan-nerd :blink:

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

DirLook::

c:\program files\Common Files

c:\documents and settings\Owner\Local Settings\Application Data\{98BD4939-60FF-495D-A92A-31D2E5B99E5B}

c:\documents and settings\jt3\Local Settings\Application Data\{F42B5BD8-2F76-44AD-8AD7-DFDFB881A360}

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"fuinixsp"=-

Folder::

c:\documents and settings\jt2\Local Settings\Application Data\hblhjqcrp

c:\documents and settings\Owner\Local Settings\Application Data\veyxmgxve

Suspect::

c:\windows\{FC92DEF6-B98A-462F-BDEC-6F8042F11C76}.dat

c:\windows\system32\AVSredirect.dll

c:\windows\system32\dfxh.dll

c:\windows\system32\vfdh.dll

c:\windows\system32\{9E165BF4-5E4A-49D1-BA74-00B57060829D}.dat

[image: CFScriptB-4.gif]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

If the upload is not automatically performed, Combofix will create a zipped file in the C:\Qoobox\Quarantine folder labeled in the form of [4]-Submit_Date_Time.zip. Please have this file uploaded to the following location:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Indicate a link to this address and let me know when ready.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following are checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java :

  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 21.
  • Click the JDK 6 Update 21 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u21-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u21-windows-i586.exe and select "Run as an Administrator.")


Minor problem... I dragged the script to ComboFix and it started fine. It then asked if I wanted a newer version of ComboFix - I said yes. It then restarted ComboFix by itself (without the script?) and now appears to be running a new scan.

When it finishes, can I just rerun with the original script? Or do you need the new log to create a new script? I don't want to make any assumptions.

Update - during the 'scan', a message box came up: "ComboFix has detected the presence of rootkit activity and needs to reboot the machine". Am I okay to bring it back up in safe mode and restart with the original script? Let me know - thanks for your patience!

Titan-Nerd


Quick update - looks like ComboFix was using the script all along. ComboFix successfully uploaded the log - let me know if you need me to manually upload it too.

Kaspersky is updating the database now - I'll post the results when its part is done - thanks.

Titan-Nerd


DirLook Omitted for better viewing.

ComboFix 10-09-06.04 - Owner 09/07/2010 9:33:41.4.2 - x86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.368 [GMT -8:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

file zipped: c:\WINDOWS\{FC92DEF6-B98A-462F-BDEC-6F8042F11C76}.dat

file zipped: c:\WINDOWS\system32\{9E165BF4-5E4A-49D1-BA74-00B57060829D}.dat

file zipped: c:\WINDOWS\system32\AVSredirect.dll

file zipped: c:\WINDOWS\system32\dfxh.dll

file zipped: c:\WINDOWS\system32\vfdh.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\jt2\Local Settings\Application Data\hblhjqcrp

c:\documents and settings\jt2\Local Settings\Application Data\hblhjqcrp\aaposdpshdw.exe

c:\documents and settings\Owner\Local Settings\Application Data\veyxmgxve

Infected copy of C:\WINDOWS\system32\drivers\ipsec.sys was found and disinfected

Restored copy from - Kitty had a snack :blink:

.

((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))

.

2010-09-07 08:09:01 . 2010-09-07 08:09:01 46464 ----a-w- C:\Documents and Settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-09-07 01:00:29 . 2010-09-07 01:01:38 -------- d-----w- C:\Program Files\hjthis

2010-09-06 12:20:21 . 2010-09-06 12:20:21 -------- d-----w- C:\Documents and Settings\Owner\Local Settings\Application Data\PCHealth

2010-09-06 12:10:40 . 2010-09-06 12:10:42 -------- d-----w- C:\88f47719129d11e046

2010-09-05 21:27:55 . 2010-09-05 21:27:55 -------- d-----w- C:\Documents and Settings\jt3\Local Settings\Application Data\Wildtangent

2010-09-05 21:27:46 . 2010-09-05 21:27:46 -------- d-----w- C:\Documents and Settings\jt3\Local Settings\Application Data\Apple Computer

2010-09-05 21:27:46 . 2010-09-05 21:27:46 -------- d-----w- C:\Documents and Settings\jt3\Application Data\Nero

2010-09-05 21:26:45 . 2010-09-05 21:26:46 -------- d-----w- C:\Documents and Settings\jt3\Local Settings\Application Data\{F42B5BD8-2F76-44AD-8AD7-DFDFB881A360}

2010-09-03 03:38:26 . 2010-04-29 23:39:38 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2010-09-03 03:38:24 . 2010-04-29 23:39:26 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys

2010-08-30 00:17:33 . 2010-08-30 00:17:36 -------- d-----w- C:\643794edde917d5bca7549770b

2010-08-28 15:10:59 . 2010-08-28 15:10:59 -------- d-----w- C:\Network Associates

2010-08-28 15:10:39 . 2010-08-28 15:10:39 -------- d-----w- C:\Program Files\Common Files\Network Associates

2010-08-28 04:17:10 . 2010-09-07 06:49:53 2838 ----a-w- C:\WINDOWS\Rbimuyo.dat

2010-08-28 04:17:10 . 2010-09-06 11:57:47 0 ----a-w- C:\WINDOWS\Cpeyu.bin

2010-08-28 04:17:08 . 2010-08-28 04:17:08 -------- d-----w- C:\Documents and Settings\Owner\Local Settings\Application Data\{98BD4939-60FF-495D-A92A-31D2E5B99E5B}

2010-08-18 11:14:56 . 2010-08-18 11:14:56 -------- d-----w- C:\1fa8018bf28e3ac594cc9665cc2ad345

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-07 08:08:45 . 2003-04-10 11:18:48 -------- d-----w- C:\Program Files\Common Files\Symantec Shared

2010-09-05 21:46:47 . 2008-06-23 14:43:53 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware

2010-09-04 15:57:45 . 2010-09-05 21:19:23 158292 ----a-w- C:\WINDOWS\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat

2010-09-04 07:03:12 . 2004-03-25 06:05:08 -------- d-----w- C:\Program Files\Paint Shop Pro 6

2010-08-28 15:11:20 . 2004-09-15 05:35:42 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Network Associates

2010-08-28 15:11:20 . 2004-09-15 05:35:30 -------- d-----w- C:\Program Files\Network Associates

2010-07-26 00:21:53 . 2004-08-21 19:48:08 46464 ----a-w- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-30 12:31:35 . 2001-01-03 13:11:37 149504 ----a-w- C:\WINDOWS\system32\schannel.dll

2010-06-24 12:15:28 . 2004-02-07 01:05:06 832512 ----a-w- C:\WINDOWS\system32\wininet.dll

2010-06-24 12:15:26 . 2004-08-04 07:56:42 78336 ----a-w- C:\WINDOWS\system32\ieencode.dll

2010-06-24 12:15:26 . 2001-01-03 13:38:24 17408 ----a-w- C:\WINDOWS\system32\corpol.dll

2010-06-23 13:44:04 . 2001-01-03 13:12:58 1851904 ----a-w- C:\WINDOWS\system32\win32k.sys

2010-06-21 15:27:11 . 2001-01-03 13:11:46 354304 ----a-w- C:\WINDOWS\system32\drivers\srv.sys

2010-06-17 14:03:00 . 2001-01-03 13:38:43 80384 ----a-w- C:\WINDOWS\system32\iccvid.dll

2010-06-14 14:31:20 . 2001-01-03 13:38:41 744448 ----a-w- C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

2010-06-14 07:41:45 . 2001-01-03 13:11:09 1172480 ----a-w- C:\WINDOWS\system32\msxml3.dll

2007-05-28 07:42:29 . 2007-05-28 07:42:24 2874926 ----a-w- C:\Program Files\FLV PlayerRCATSetup.exe

2007-05-28 07:42:23 . 2007-05-28 07:41:47 25990392 ----a-w- C:\Program Files\FLV PlayerRCSetup.exe

2003-04-10 11:19:40 . 2003-04-10 11:19:40 32 --sha-w- C:\WINDOWS\{FC92DEF6-B98A-462F-BDEC-6F8042F11C76}.dat

2007-03-09 08:12:32 . 2007-03-09 08:12:32 27648 --sha-w- C:\WINDOWS\system32\AVSredirect.dll

2007-04-16 15:52:53 . 2007-04-16 15:52:53 7680 --sha-w- C:\WINDOWS\system32\dfxh.dll

2007-04-16 15:52:53 . 2007-04-16 15:52:53 7680 --sha-w- C:\WINDOWS\system32\vfdh.dll

2003-04-10 11:19:40 . 2003-04-10 11:19:40 32 --sha-w- C:\WINDOWS\system32\{9E165BF4-5E4A-49D1-BA74-00B57060829D}.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]

2009-02-01 03:28:17 806912 ----a-w- C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [2009-02-01 03:28:17 806912]

[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [2009-02-01 03:28:17 806912]

[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Hpgfy"="C:\Program Files\Common Files\s?stem32\w?auboot.exe" [?]

"CTZDetec.exe"="C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe" [2007-12-18 22:20:00 401408]

"NVIEW"="nview.dll" [2003-03-03 18:44:00 831557]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 15:10:00 81990]

"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 11:11:00 135251]

"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-08-30 02:09:38 980736]

"WT GameChannel"="C:\Program Files\WildTangent\Apps\GameChannel.exe" [2002-12-04 07:24:50 184800]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-29 00:33:08 180269]

"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 15:01:00 155648]

"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-18 00:42:56 69632]

"SAUpdate"="C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe" [2002-12-20 22:38:52 36864]

"SAClient"="C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" [2002-12-20 23:43:58 184320]

"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-03-18 08:50:36 331776]

"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 04:42:26 212992]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 07:13:08 385024]

"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 22:57:10 81920]

"nwiz"="nwiz.exe" [2003-03-03 18:44:00 323584]

"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 18:44:00 4595712]

"NBAgent"="C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-04-03 09:27:32 1234216]

"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-12 02:02:48 61440]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 21:10:32 267048]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 23:04:38 52736]

"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-12 00:11:56 114688]

"CinemaNowMediaManagerApp"="C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe" [2008-09-23 05:49:22 2022248]

"ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-03 00:11:12 58392]

"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-03 00:11:04 54296]

"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 14:27:42 69632]

"BJPD HID Control"="C:\Program Files\Canon\BJPV\TVMon.exe" [2003-01-22 00:35:56 45056]

"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 05:26:26 368706]

"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-08-01 08:14:26 684032]

"Malwarebytes Anti-Malware (rootkit-scan)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 23:39:32 1090952]

"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01:00 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 00:12:28 1695232]

"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2004-01-02 22:20:24 54424]

"NVIEW"="nview.dll" [2003-03-03 18:44:00 831557]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SWHelper"="C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" [2010-08-29 23:49:58 53248]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\

spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-4-10 552960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-3-23 49254]

America Online 8.0 Tray Icon.lnk - C:\Program Files\America Online 8.0\aoltray.exe [2003-12-11 36939]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-9-20 53248]

Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-4-9 16384]

VPNGuardUI.lnk - C:\Program Files\OPSWAT\VPNGuard\VPNGuardUI.exe [2005-9-6 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLinkedConnections"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]

2003-02-21 10:50:12 40960 ----a-w- C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=

"C:\\Documents and Settings\\Owner\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=

"C:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=

R1 NEOFLTR_610_13437;Juniper Networks TDI Filter Driver (NEOFLTR_610_13437);C:\WINDOWS\system32\drivers\NEOFLTR_610_13437.sys [7/30/2008 11:04:20 PM 64160]

R1 NEOFLTR_650_15255;Juniper Networks TDI Filter Driver (NEOFLTR_650_15255);C:\WINDOWS\system32\drivers\NEOFLTR_650_15255.SYS [3/19/2010 8:28:05 AM 85360]

S2 CinemaNow Service;CinemaNow Service;C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [9/22/2008 9:49:30 PM 138616]

S2 mrtRate;mrtRate; [x]

S2 NAUpdate;@C:\Program Files\Nero\Update\NASvc.exe,-200;C:\Program Files\Nero\Update\NASvc.exe [3/25/2010 2:39:22 PM 490280]

S2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [9/1/2007 8:31:57 PM 24652]

S3 PCDRDRV;Pcdr Helper Driver;\??\C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]

S3 phy;phy;C:\WINDOWS\system32\drivers\phy.sys [4/19/2008 10:24:10 AM 1536]

S3 VPNGuardService;VPNGuardService;C:\Program Files\OPSWAT\VPNGuard\VPNGuardService.exe [9/6/2005 12:02:40 PM 294912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-08-28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57:52 . 2008-04-12 01:57:18]

2010-06-18 C:\WINDOWS\Tasks\Megan.job

- C:\Program Files\Nero\Nero 10\Nero BackItUp\NBCore.exe [2010-04-03 09:27:32 . 2010-04-03 09:27:32]

2004-03-22 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job

- c:\PROGRA~1\NORTON~1\NAVW32.exe [2002-11-15 09:31:10 . 2002-11-15 09:31:10]

2008-05-27 C:\WINDOWS\Tasks\Symantec NetDetect.job

- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2003-04-10 11:18:53 . 2004-01-02 22:20:24]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.iwon.com/

uInternet Settings,ProxyServer = http=127.0.0.1:6092

uInternet Settings,ProxyOverride = <local>;localhost

IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

LSP: SpSubLSP.dll

DPF: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab

DPF: MortCalcApplet - hxxp://www.homeseekers.com/Applets/MortCalcApplet/MortCalcApplet.cab

DPF: {BD4C7EDB-A392-11D9-8BFB-0040953018D7} - hxxp://www.streamerp2p.com/sfiles/phasex.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://csufvpns.fullerton.edu/dana-cached/sc/JuniperSetupClient.cab

DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - hxxp://www.mtv.com/overdrive/bin/setup.exe

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-07 09:49:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTZDetec.exe = C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)

C:\Program Files\Softex\OmniPass\opxpgina.dll

.

Completion time: 2010-09-07 10:00:07

ComboFix-quarantined-files.txt 2010-09-07 17:59:48

ComboFix2.txt 2010-09-07 08:47:22

ComboFix3.txt 2010-09-07 08:11:45

Pre-Run: 55,119,372,288 bytes free

Post-Run: 55,122,329,600 bytes free

- - End Of File - - 651A294D42E1EA9DD1AD874F7C7B28E7

Note:

Will give you a fix once Kaspersky has finished and a report is posted.
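As an added example (my own code, not ComboFix's output format parser or anything posted in this thread): a small Python triage script that reads lines of the kind shown in the ComboFix log above and flags the indicators a helper checks first before writing a CFScript: Security Center override values set to 1, Run entries that ComboFix marks `[?]` or whose path contains characters it cannot print (the `s?stem32` trick), a per-user proxy pointed at the loopback address, and files carrying the system+hidden `--sha-w-` attributes. The embedded sample log is constructed from lines in this thread; the line-format assumptions (`date . date size attrs path` for file entries, `"name"=data` under a `[key]` header for registry entries) are mine and cover only the sections shown here.

```python
import re

# Constructed sample: a handful of lines modelled on the ComboFix output posted in
# this thread (Reg Loading Points, Find3M and Supplementary Scan sections). It is
# embedded here so the script runs offline; it is not a complete log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hpgfy"="C:\Program Files\Common Files\s?stem32\w?auboot.exe" [?]
"CTZDetec.exe"="C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe" [2007-12-18 22:20:00 401408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-08-30 02:09:38 980736]
2007-04-16 15:52:53 . 2007-04-16 15:52:53 7680 --sha-w- C:\WINDOWS\system32\dfxh.dll
2010-06-24 12:15:28 . 2004-02-07 01:05:06 832512 ----a-w- C:\WINDOWS\system32\wininet.dll
2010-09-07 01:00:29 . 2010-09-07 01:01:38 -------- d-----w- C:\Program Files\hjthis
uStart Page = hxxp://my.iwon.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>;localhost
"""

# Line shapes assumed for the ComboFix sections used here (assumption, not a spec).
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
QUOTED_PATH_RE = re.compile(r'^"(?P<path>[^"]*)"')
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
    r"\s+(?:\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<proxy>\S+)")
ENABLED_RE = re.compile(r"^(?:dword:0*1|1 \(0x1\))$")


def triage(log_text):
    """Scan a ComboFix-style excerpt and return (category, detail) findings in log order."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue

        m = PROXY_RE.search(line)
        if m:
            proxy = m.group("proxy")
            # A per-user proxy on the loopback address means a local process sits between
            # the browser and the network; rogue-AV/TDSS droppers use it to filter traffic.
            if "127.0.0.1" in proxy or "localhost" in proxy.lower():
                findings.append(("local_proxy_redirect", proxy))
            continue

        m = FILE_RE.match(line)
        if m:
            attrs = m.group("attrs")
            # system+hidden on a loose file under %SystemRoot% is how the --sha-w- DLLs
            # and .dat files in this log stayed out of sight; submit such files for analysis.
            if "s" in attrs and "h" in attrs:
                findings.append(("hidden_system_file", m.group("path")))
            continue

        m = VALUE_RE.match(line)
        if not (m and current_key):
            continue
        name, data = m.group("name"), m.group("data")
        if "security center" in current_key and ENABLED_RE.match(data):
            # Override flags tell Security Center to stop warning that AV/firewall are off.
            findings.append(("security_center_override", f"{name}={data}"))
        elif current_key.endswith((r"\run", r"\runonce")):
            pm = QUOTED_PATH_RE.match(data)
            path = pm.group("path") if pm else data
            # "[?]" means ComboFix could not stat the target; a "?" inside the path is a
            # character outside the system code page, used to mimic names like system32.
            if data.endswith("[?]") or "?" in path:
                findings.append(("unresolved_autorun", f"{name} -> {path}"))
    return findings


def summarize(findings):
    """Count findings per category so the dominant indicator types stand out."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for category, detail in results:
        print(f"{category:26} {detail}")
    print(summarize(results))
```

Run against the sample it reports the three Security Center overrides, the `Hpgfy` autorun with the unprintable-character path, the hidden `dfxh.dll`, and the `127.0.0.1:6092` proxy, which is the same set the CFScript in this thread targets with its `Registry::` and `Suspect::` sections. A real log has many more sections; the script only skips lines it does not recognise, so extending it is a matter of adding a regex and a rule.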


Okay - the Kaspersky scan FINALLY finished. Below is the report - I look forward to the next step - thanks.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Tuesday, September 7, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Tuesday, September 07, 2010 11:39:03

Records in database: 4202275

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

G:\

H:\

I:\

J:\

Scan statistics:

Objects scanned: 239558

Threats found: 63

Infected objects found: 352

Suspicious objects found: 0

Scan duration: 08:01:16

File name / Threat / Threats count

C:\Documents and Settings\jt2\Application Data\Sun\Java\Deployment\cache\6.0\13\85b668d-70a9a555 Infected: Trojan.Java.Agent.l 1

C:\Documents and Settings\jt2\Application Data\Sun\Java\Deployment\cache\6.0\13\85b668d-70a9a555 Infected: Trojan-Downloader.Java.Agent.do 1

C:\Documents and Settings\jt2\Application Data\Sun\Java\Deployment\cache\6.0\13\85b668d-70a9a555 Infected: Trojan-Downloader.Java.Agent.dn 1

C:\Documents and Settings\jt2\Application Data\Sun\Java\Deployment\cache\6.0\57\588e0139-2bbf6a7a Infected: Trojan-Downloader.Java.Agent.dm 1

C:\Documents and Settings\jt2\Application Data\Sun\Java\Deployment\cache\6.0\57\588e0139-2bbf6a7a Infected: Trojan-Downloader.Java.Agent.dl 1

C:\Documents and Settings\jt2\Application Data\Sun\Java\Deployment\cache\6.0\57\588e0139-2bbf6a7a Infected: Exploit.Java.Agent.e 1

C:\Documents and Settings\jt2\Local Settings\Temp\12.tmp Infected: Trojan-Dropper.Win32.TDSS.gmv 1

C:\Documents and Settings\jt2\Local Settings\Temp\expand32xp.dll Infected: Trojan.Win32.FraudPack.bjbi 1

C:\Documents and Settings\jt2\Local Settings\Temp\gbMWbmyWSz.exe Infected: Trojan-Dropper.Win32.Agent.cybv 1

C:\Documents and Settings\jt2\Local Settings\Temp\google.exe Infected: Trojan.Win32.TDSS.bkep 1

C:\Documents and Settings\jt2\Local Settings\Temp\jar_cache7695.tmp Infected: Exploit.Java.CVE-2010-0094.a 2

C:\Documents and Settings\jt2\Local Settings\Temp\jar_cache7695.tmp Infected: Trojan-Downloader.JS.Agent.fns 1

C:\Documents and Settings\jt2\Local Settings\Temp\jar_cache7696.tmp Infected: Exploit.Java.Agent.cw 1

C:\Documents and Settings\jt2\Local Settings\Temp\jar_cache7696.tmp Infected: Exploit.Java.Agent.cu 1

C:\Documents and Settings\jt2\Local Settings\Temp\jar_cache7696.tmp Infected: Exploit.Java.Agent.cv 1

C:\Documents and Settings\jt2\Local Settings\Temp\wmsdk64_32.exe Infected: Trojan.Win32.Tdss.bkfi 1

C:\Documents and Settings\jt2\Local Settings\Temp\wrQqSiabnO.exe Infected: Trojan-Downloader.Win32.Mufanom.aeka 1

C:\Documents and Settings\jt2\Local Settings\Temporary Internet Files\Content.IE5\A9ZT1UJC\setup[1].exe Infected: Trojan-Downloader.Win32.Mufanom.aeka 1

C:\Documents and Settings\jt2\Local Settings\Temporary Internet Files\Content.IE5\A9ZT1UJC\setup[2].exe Infected: Trojan.Win32.Tdss.bkfi 1

C:\Documents and Settings\jt2\Local Settings\Temporary Internet Files\Content.IE5\EDX1ZAER\setup[1].exe Infected: Trojan-Dropper.Win32.Agent.cybv 1

C:\Documents and Settings\Megan\Application Data\Sun\Java\Deployment\cache\6.0\34\48d6abe2-2b17450c Infected: Trojan-Downloader.Java.Agent.al 1

C:\Documents and Settings\Megan\Local Settings\temp\checksum.exe Infected: Trojan-Dropper.Win32.Agent.deo 1

C:\Documents and Settings\Megan\Local Settings\temp\jar_cache21563.tmp Infected: Trojan-Downloader.Java.Agent.al 1

C:\Documents and Settings\Megan\Local Settings\temp\PROJECT1.EXE Infected: Trojan.Win32.Genome.ewjd 1

C:\Documents and Settings\Megan\Local Settings\temp\SETUP1384.EXE Infected: Packed.Win32.PePatch.ix 1

C:\Documents and Settings\Owner\Application Data\Microsoft\Network\Connections\Cm\VPN10\postconnect.exe Infected: Trojan.Win32.Genome.eomg 1

Selected area has been scanned.


Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file CFScript.txt
  • Change the Save as Type to All Files
  • Save it on the desktop

File::

C:\WINDOWS\system32\AVSredirect.dll

C:\WINDOWS\system32\dfxh.dll

C:\WINDOWS\system32\vfdh.dll

C:\WINDOWS\Rbimuyo.dat

C:\WINDOWS\Cpeyu.bin

C:\Documents and Settings\jt2\Local Settings\Temp\12.tmp

C:\Documents and Settings\Owner\Application Data\Microsoft\Network\Connections\Cm\VPN10\postconnect.exe

C:\Program Files\Norton AntiVirus\Quarantine\0D9D2FA1

C:\Program Files\Norton AntiVirus\Quarantine\1F236686

C:\Program Files\Norton AntiVirus\Quarantine\24D42F51

C:\Program Files\Norton AntiVirus\Quarantine\46FD71E0

C:\Program Files\Norton AntiVirus\Quarantine\5271207F

C:\Program Files\Norton AntiVirus\Quarantine\527B60C3

C:\quarantine\adv585[1].htm.Vir

C:\quarantine\adv585[1].htm.Vir.0

C:\quarantine\archive[1].jar.Vir

C:\quarantine\archive[1].jar.Vir

C:\quarantine\archive[1].jar.Vir

C:\quarantine\archive[1].jar.Vir.0

C:\quarantine\archive[1].jar.Vir.0

C:\quarantine\archive[1].jar.Vir.0

C:\quarantine\archive[1].jar.Vir.1

C:\quarantine\archive[1].jar.Vir.1

C:\quarantine\archive[1].jar.Vir.1

C:\quarantine\archive[1].jar.Vir.10

C:\quarantine\archive[1].jar.Vir.10

C:\quarantine\archive[1].jar.Vir.10

C:\quarantine\archive[1].jar.Vir.2

C:\quarantine\archive[1].jar.Vir.2

C:\quarantine\archive[1].jar.Vir.2

C:\quarantine\archive[1].jar.Vir.3

C:\quarantine\archive[1].jar.Vir.3

C:\quarantine\archive[1].jar.Vir.3

C:\quarantine\archive[1].jar.Vir.4

C:\quarantine\archive[1].jar.Vir.4

C:\quarantine\archive[1].jar.Vir.4

C:\quarantine\archive[1].jar.Vir.5

C:\quarantine\archive[1].jar.Vir.5

C:\quarantine\archive[1].jar.Vir.5

C:\quarantine\archive[1].jar.Vir.6

C:\quarantine\archive[1].jar.Vir.6

C:\quarantine\archive[1].jar.Vir.6

C:\quarantine\archive[1].jar.Vir.7

C:\quarantine\archive[1].jar.Vir.7

C:\quarantine\archive[1].jar.Vir.7

C:\quarantine\archive[1].jar.Vir.8

C:\quarantine\archive[1].jar.Vir.8

C:\quarantine\archive[1].jar.Vir.8

C:\quarantine\archive[1].jar.Vir.9

C:\quarantine\archive[1].jar.Vir.9

C:\quarantine\archive[1].jar.Vir.9

C:\quarantine\archive[2].jar.Vir

C:\quarantine\archive[2].jar.Vir

C:\quarantine\archive[2].jar.Vir

C:\quarantine\archive[2].jar.Vir.0

C:\quarantine\archive[2].jar.Vir.0

C:\quarantine\archive[2].jar.Vir.0

C:\quarantine\classload[1].jar.Vir

C:\quarantine\classload[1].jar.Vir

C:\quarantine\classload[1].jar.Vir

C:\quarantine\classload[1].jar.Vir

C:\quarantine\classload[1].jar.Vir.0

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Hpgfy"=-

CFScriptB-4.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Okay - here is the latest ComboFix report (last 2 steps in normal mode - no virus pop-ups - am I cured?):

ComboFix 10-09-06.04 - Owner 09/07/2010 22:52:56.5.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.180 [GMT -8:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

* Resident AV is active

FILE ::
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\jt2\Local Settings\Application Data\{FFC90E1E-637B-41A4-AC8B-F7C86978D03B}

c:\documents and settings\jt2\Local Settings\Application Data\{FFC90E1E-637B-41A4-AC8B-F7C86978D03B}\chrome.manifest

c:\documents and settings\jt2\Local Settings\Application Data\{FFC90E1E-637B-41A4-AC8B-F7C86978D03B}\chrome\content\_cfg.js

c:\documents and settings\jt2\Local Settings\Application Data\{FFC90E1E-637B-41A4-AC8B-F7C86978D03B}\chrome\content\overlay.xul

c:\documents and settings\jt2\Local Settings\Application Data\{FFC90E1E-637B-41A4-AC8B-F7C86978D03B}\install.rdf

c:\documents and settings\jt3\Local Settings\Application Data\{F42B5BD8-2F76-44AD-8AD7-DFDFB881A360}

c:\documents and settings\jt3\Local Settings\Application Data\{F42B5BD8-2F76-44AD-8AD7-DFDFB881A360}\chrome.manifest

c:\documents and settings\jt3\Local Settings\Application Data\{F42B5BD8-2F76-44AD-8AD7-DFDFB881A360}\chrome\content\_cfg.js

c:\documents and settings\jt3\Local Settings\Application Data\{F42B5BD8-2F76-44AD-8AD7-DFDFB881A360}\chrome\content\overlay.xul

c:\documents and settings\jt3\Local Settings\Application Data\{F42B5BD8-2F76-44AD-8AD7-DFDFB881A360}\install.rdf

c:\documents and settings\Owner\Application Data\Microsoft\Network\Connections\Cm\VPN10\postconnect.exe

c:\windows\Cpeyu.bin

c:\windows\Rbimuyo.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_phy

-------\Service_phy

((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))

.

2010-09-07 08:09 . 2010-09-07 08:09 46464 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-09-07 01:00 . 2010-09-07 01:01 -------- d-----w- c:\program files\hjthis

2010-09-06 12:20 . 2010-09-06 12:20 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth

2010-09-06 12:10 . 2010-09-06 12:10 -------- d-----w- C:\88f47719129d11e046

2010-09-05 21:27 . 2010-09-05 21:27 -------- d-----w- c:\documents and settings\jt3\Local Settings\Application Data\Wildtangent

2010-09-05 21:27 . 2010-09-05 21:27 -------- d-----w- c:\documents and settings\jt3\Local Settings\Application Data\Apple Computer

2010-09-05 21:27 . 2010-09-05 21:27 -------- d-----w- c:\documents and settings\jt3\Application Data\Nero

2010-09-03 03:38 . 2010-04-29 23:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-03 03:38 . 2010-04-29 23:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-03 03:34 . 2010-09-03 03:34 -------- d-----w- c:\documents and settings\jt2\Local Settings\Application Data\Wildtangent

2010-09-01 04:05 . 2010-09-01 04:05 -------- d-----w- c:\documents and settings\jt2\Local Settings\Application Data\PCHealth

2010-08-30 00:17 . 2010-08-30 00:17 -------- d-----w- C:\643794edde917d5bca7549770b

2010-08-28 15:10 . 2010-08-28 15:10 -------- d-----w- C:\Network Associates

2010-08-28 15:10 . 2010-08-28 15:10 -------- d-----w- c:\program files\Common Files\Network Associates

2010-08-28 04:17 . 2010-08-28 04:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{98BD4939-60FF-495D-A92A-31D2E5B99E5B}

2010-08-22 07:55 . 2010-08-22 07:55 -------- d-----w- c:\documents and settings\jt2\Application Data\Apple Computer

2010-08-22 07:55 . 2010-08-22 07:55 46464 ----a-w- c:\documents and settings\jt2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-18 11:14 . 2010-08-18 11:14 -------- d-----w- C:\1fa8018bf28e3ac594cc9665cc2ad345

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-08 07:16 . 2003-04-10 11:18 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-09-07 06:43 . 2010-09-07 06:43 452104 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.12\setup.exe

2010-09-05 21:46 . 2008-06-23 14:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-04 15:57 . 2010-09-05 21:19 158292 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat

2010-09-04 07:03 . 2004-03-25 06:05 -------- d-----w- c:\program files\Paint Shop Pro 6

2010-08-28 15:11 . 2004-09-15 05:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Associates

2010-08-28 15:11 . 2004-09-15 05:35 -------- d-----w- c:\program files\Network Associates

2010-07-26 00:21 . 2004-08-21 19:48 46464 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-25 07:39 . 2010-07-25 07:39 -------- d-----w- c:\documents and settings\jt2\Application Data\Nero

2010-06-30 12:31 . 2001-01-03 13:11 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:15 . 2004-02-07 01:05 832512 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 12:15 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-06-24 12:15 . 2001-01-03 13:38 17408 ----a-w- c:\windows\system32\corpol.dll

2010-06-23 13:44 . 2001-01-03 13:12 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2001-01-03 13:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2001-01-03 13:38 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2001-01-03 13:38 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe

2010-06-14 07:41 . 2001-01-03 13:11 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-13 07:42 . 2010-06-13 07:42 5208192 ----a-w- c:\documents and settings\All Users\Application Data\Cisco Systems\Cisco Connect\Update\Connect.exe

2010-06-13 07:42 . 2010-06-13 07:42 4096 ----a-w- c:\documents and settings\All Users\Application Data\Cisco Systems\Cisco Connect\Update\._Setup.exe

2010-06-13 07:42 . 2010-06-13 07:42 4096 ----a-w- c:\documents and settings\All Users\Application Data\Cisco Systems\Cisco Connect\Update\._Connect.exe

2007-05-28 07:42 . 2007-05-28 07:42 2874926 ----a-w- c:\program files\FLV PlayerRCATSetup.exe

2007-05-28 07:42 . 2007-05-28 07:41 25990392 ----a-w- c:\program files\FLV PlayerRCSetup.exe

2003-04-10 11:19 . 2003-04-10 11:19 32 --sha-w- c:\windows\{FC92DEF6-B98A-462F-BDEC-6F8042F11C76}.dat

2003-04-10 11:19 . 2003-04-10 11:19 32 --sha-w- c:\windows\system32\{9E165BF4-5E4A-49D1-BA74-00B57060829D}.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]

2009-02-01 03:28 806912 ----a-w- c:\program files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "c:\program files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [2009-02-01 806912]

[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "c:\program files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [2009-02-01 806912]

[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTZDetec.exe"="c:\program files\Creative\Creative Media Lite\CTZDetec.exe" [2007-12-18 401408]

"NVIEW"="nview.dll" [2003-03-03 831557]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]

"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-08-30 980736]

"WT GameChannel"="c:\program files\WildTangent\Apps\GameChannel.exe" [2002-12-04 184800]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-29 180269]

"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-18 69632]

"SAUpdate"="c:\program files\Comcast\BBClient\Programs\SAUpdate.exe" [2002-12-20 36864]

"SAClient"="c:\program files\Comcast\BBClient\Programs\RegCon.exe" [2002-12-20 184320]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-03-18 331776]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]

"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]

"nwiz"="nwiz.exe" [2003-03-03 323584]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-03 4595712]

"NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-04-03 1234216]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-12 114688]

"CinemaNowMediaManagerApp"="c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe" [2008-09-23 2022248]

"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-03 58392]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-12-03 54296]

"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 69632]

"BJPD HID Control"="c:\program files\Canon\BJPV\TVMon.exe" [2003-01-22 45056]

"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-08-01 684032]

"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2004-01-02 54424]

"NVIEW"="nview.dll" [2003-03-03 831557]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [2010-08-29 53248]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSubtract.exe [2003-4-10 552960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-3-23 49254]

America Online 8.0 Tray Icon.lnk - c:\program files\America Online 8.0\aoltray.exe [2003-12-11 36939]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2002-9-20 53248]

Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-4-9 16384]

VPNGuardUI.lnk - c:\program files\OPSWAT\VPNGuard\VPNGuardUI.exe [2005-9-6 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLinkedConnections"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]

2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=

"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=

R1 NEOFLTR_610_13437;Juniper Networks TDI Filter Driver (NEOFLTR_610_13437);c:\windows\system32\drivers\NEOFLTR_610_13437.sys [7/30/2008 11:04 PM 64160]

R1 NEOFLTR_650_15255;Juniper Networks TDI Filter Driver (NEOFLTR_650_15255);c:\windows\system32\drivers\NEOFLTR_650_15255.SYS [3/19/2010 8:28 AM 85360]

R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [9/22/2008 9:49 PM 138616]

R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [3/25/2010 2:39 PM 490280]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/1/2007 8:31 PM 24652]

R3 VPNGuardService;VPNGuardService;c:\program files\OPSWAT\VPNGuard\VPNGuardService.exe [9/6/2005 12:02 PM 294912]

S2 mrtRate;mrtRate; [x]

S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 01:57]

2010-06-18 c:\windows\Tasks\Megan.job

- c:\program files\Nero\Nero 10\Nero BackItUp\NBCore.exe [2010-04-03 09:27]

2004-03-22 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job

- c:\progra~1\NORTON~1\NAVW32.exe [2002-11-15 09:31]

2008-05-27 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-04-10 22:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.iwon.com/

uInternet Settings,ProxyServer = http=127.0.0.1:6092

uInternet Settings,ProxyOverride = <local>;localhost

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

LSP: SpSubLSP.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: MortCalcApplet - hxxp://www.homeseekers.com/Applets/MortCalcApplet/MortCalcApplet.cab

DPF: {BD4C7EDB-A392-11D9-8BFB-0040953018D7} - hxxp://www.streamerp2p.com/sfiles/phasex.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://csufvpns.fullerton.edu/dana-cached/sc/JuniperSetupClient.cab

DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - hxxp://www.mtv.com/overdrive/bin/setup.exe

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-07 23:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTZDetec.exe = c:\program files\Creative\Creative Media Lite\CTZDetec.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)

c:\program files\Softex\OmniPass\opxpgina.dll

- - - - - - - > 'lsass.exe'(676)

c:\windows\system32\SpSubLSP.dll

- - - - - - - > 'explorer.exe'(3828)

c:\windows\system32\WININET.dll

c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll

c:\windows\system32\nView.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\msi.dll

c:\program files\Hummingbird\Connectivity\9.00\Hummingbird Neighborhood\heshell.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\windows\system32\CTsvcCDA.exe

c:\program files\Creative\Shared Files\CTDevSrv.exe

c:\program files\Network Associates\Common Framework\FrameworkService.exe

c:\program files\Network Associates\VirusScan\mcshield.exe

c:\program files\Network Associates\VirusScan\vstskmgr.exe

c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe

c:\windows\System32\nvsvc32.exe

c:\program files\Softex\OmniPass\Omniserv.exe

c:\program files\Softex\OmniPass\OPXPApp.exe

c:\windows\wanmpsvc.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

c:\windows\system32\rundll32.exe

c:\program files\CinemaNow\CinemaNow Media Manager\CNRpc.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\OPSWAT\VPNGuard\hfcheck.exe

.

**************************************************************************

.

Completion time: 2010-09-07 23:27:16 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-08 07:27

ComboFix2.txt 2010-09-07 18:00

ComboFix3.txt 2010-09-07 08:47

ComboFix4.txt 2010-09-07 08:11

Pre-Run: 68,359,819,264 bytes free

Post-Run: 68,339,822,592 bytes free

- - End Of File - - BCA94B474FBB0BC8AC1EF60A6EED8497

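The ComboFix output above records several settings a responder would want flagged mechanically rather than by eye: the Security Center override values (AntiVirusOverride, FirewallOverride, DisableMonitoring, DisableNotifications all set to 1, which silences the OS's own "protection is off" warnings), the Internet Explorer proxy pointing at 127.0.0.1:6092 (a loopback proxy puts a process on the same host in the path of all browser traffic), a Winsock LSP, a DLL loaded into explorer.exe from the user's Temp directory, and a service entry with no image on disk. The following Python script is an added example for this thread, not code from the forum, ComboFix or Malwarebytes; it scans a ComboFix-style log for those patterns. The rule names, the severity labels and the `Finding` structure are this example's own assumptions, and the sample lines are copied from the log above.

```python
"""Flag tampering indicators in a ComboFix-style log.

Added example for this thread; not ComboFix, Malwarebytes or forum code.
The sample lines are copied from the log posted above; the rules are this
example's own assumptions about what a responder would want flagged.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    line: int        # 1-based line number in the log text
    severity: str    # "high" or "info" (labels are this example's choice)
    rule: str
    detail: str


# Constructed sample: lines taken from the ComboFix log in the post above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
uStart Page = hxxp://my.iwon.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>;localhost
LSP: SpSubLSP.dll
- - - - - - - > 'explorer.exe'(3828)
c:\windows\system32\WININET.dll
c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll
S2 mrtRate;mrtRate; [x]
"""

# Values that, when set to 1, silence Windows' own "AV/firewall is off" warnings.
OVERRIDE_NAMES = {"antivirusoverride", "firewalloverride",
                  "disablemonitoring", "disablenotifications"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}

# "Name"=dword:00000001   or   "Name"= 1 (0x1)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+))')
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<spec>\S+)", re.I)
LSP_RE = re.compile(r"^LSP:\s*(?P<dll>\S+)", re.I)
TEMP_DLL_RE = re.compile(r"\\temp\\[^\\]+\.dll$", re.I)
# ComboFix marks a service whose binary is missing with "[x]" after the path.
ORPHAN_SVC_RE = re.compile(r"^[RS]\d\s+(?P<svc>[^;]+);[^;]*;\s*\[x\]", re.I)


def scan_log(text: str) -> list[Finding]:
    """Walk the log once and return every line that trips a rule."""
    findings: list[Finding] = []
    current_key = ""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # remember the enclosing registry key
            continue
        m = VALUE_RE.match(line)
        if m and m.group("name").lower() in OVERRIDE_NAMES:
            value = int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))
            if value == 1:
                findings.append(Finding(n, "high", "security-center-override",
                                        f"{m.group('name')}=1 under {current_key}"))
            continue
        m = PROXY_RE.search(line)
        if m:
            for entry in m.group("spec").split(";"):   # "proto=host:port" or "host:port"
                host = entry.split("=", 1)[-1].rsplit(":", 1)[0]
                if host.lower() in LOOPBACK_HOSTS:
                    findings.append(Finding(n, "high", "loopback-proxy",
                        f"browser proxy {entry}: a local process sits in the path of all HTTP traffic"))
            continue
        m = LSP_RE.match(line)
        if m:
            findings.append(Finding(n, "info", "lsp-installed",
                f"Winsock LSP {m.group('dll')}: confirm the vendor before removing, LSP chains break easily"))
            continue
        if TEMP_DLL_RE.search(line):
            findings.append(Finding(n, "high", "dll-from-temp",
                                    f"module loaded from a Temp directory: {line}"))
            continue
        m = ORPHAN_SVC_RE.match(line)
        if m:
            findings.append(Finding(n, "info", "orphaned-service",
                                    f"service {m.group('svc')} has no image on disk"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, e.g. {'security-center-override': 4, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line:>3} [{f.severity:>4}] {f.rule}: {f.detail}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Run it against the sample and it reports four override values, the loopback proxy, the LSP, the Temp-directory DLL and the orphaned mrtRate service. The "info" items are deliberately not verdicts: an LSP or a service with a missing binary can be left over from legitimate software, and yanking an LSP without its vendor uninstaller can leave the Winsock chain broken, so those lines are for follow-up rather than automatic removal. The loopback proxy and the override values, by contrast, are settings a user almost never chooses, which is why they get the "high" label.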
Okay - here is the latest ComboFix report (last 2 steps in normal mode - no virus pop-ups - am I cured?):

I believe you are, congratulations.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.

  • Rename Combofix to Uninstall and click on it. That should remove the application.

Manually remove any tool left.

Create a Restore point:

  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  4. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  5. Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  6. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!


Thank you so much. I'm headed back to work, but will do these last steps and follow your advice tonight. You do awesome work here - thanks again!

titan-nerd


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
